8/13/2019 Burke (1)

1/30

Presented by Dustin Burke

8/13/2019 Burke (1)

2/30

Senior in Computer Science (4thYear) Specializing in Graphics and Visualization

Graduating in May, 2008

Lived in Atlanta area my entire life Travel for roller coasters

8/13/2019 Burke (1)

3/30

What are roles and why are they important? Model Elements

Mappings & Relations

Static and Dynamic Properties Role Hierarchies

Implications

8/13/2019 Burke (1)

4/30

Role - is an organizational identity thatdefines a set of allowable actions for anauthorized user

RBAC mechanisms rely on role constructs tomediate a users access to computationalresources

Role hierarchy overall set of capability

relationships which can be represented as adirected acyclic graph

8/13/2019 Burke (1)

5/30

Properties of this model fall into either astatic or a dynamic category Static deals mainly with constraints on role

membership

Dynamic deals with constraints on role activation

8/13/2019 Burke (1)

6/30

Userpeople who use the systemSubjectactive entities of the system

operating within roles on behalf of users

Rolenamed duties within an organizationOperationset of access modes permittedObjectpassive entities protected from

unauthorized use

Permissionset of ordered operation/objectpairs

8/13/2019 Burke (1)

7/30

8/13/2019 Burke (1)

8/30

Ternary relationshipbetween Role,Operation, andObject is broken

down

Conforms withprivileges found inpresent dayinformation systems

8/13/2019 Burke (1)

9/30

Can represent a broad range of accesscontrols Basic read/write/execute rights on a file

Administrative rights for OS commands

Depends on context

8/13/2019 Burke (1)

10/30

More specific mappings refine the generalrelationships in the previous diagrams authorized-roles[u]

Roles authorized for user u

authorized-permissions[i] Permissions authorized for role i

active-user[x]

User u associated with subject x

active-roles[x] Roles in which a subject x is active

8/13/2019 Burke (1)

11/30

Properties of the model that do not involveeither the Subject component or mappingsfrom Subject to other basic components

Apply early, at role authorization, andthrough role activation

Very strong

Include cardinality, separation of duty, and

operational separation of duty

8/13/2019 Burke (1)

12/30

membership-limit[i] Maximum number of users that can be authorized

to a role

authorized-members[i] Number of users authorized a given role

8/13/2019 Burke (1)

13/30

Responsibilities split to prevent collusion Group of roles are mutually exclusive of one

another with regard to authorization

User may only be authorized to one

A B C D

Not in SSD Member of SSD

8/13/2019 Burke (1)

14/30

Business tasks are composed of multipleoperations

No single user can be authorized one or moreroles having permissions involved in an SOSD

User 01010

A B C

D not in SOSD not in SOSD

in SOSD

8/13/2019 Burke (1)

15/30

Complement static properties Weaker than static

Applied at role activation and not checked atauthentication

Also offers degrees of flexibility

Often used in conjunction with staticproperties

Include role activation, cardinality, separationof duty, and operational separation of duty

8/13/2019 Burke (1)

16/30

exec: Subject Operation Object True iff subject can perform operation on object

active-membership-limit[i]

active-members[i]

Permitted action subject can perform anoperation on an object iff the subject isacting within an active role authorized that

permission

8/13/2019 Burke (1)

17/30

A subject cannot be active in a role it doesnot have authorization for

Active roles must be a subset of authorizedroles

Roles: A, B, C, D, EFor Subject z to have A or B in its active roles, they must firstbe included in its authorized roles

8/13/2019 Burke (1)

18/30

Number of users active in a role can neverexceed the dynamic capacity

More desirable than static because it ismaintained at activation as opposed toauthorization

For example: a role with capacity of onewould ensure consecutive use of capabilities

8/13/2019 Burke (1)

19/30

Very similar to Static Separation of Duty Memory-less property

Has no history of activation kept for user

Prevents simultaneous activations by a user but

does not safeguard against consecutive activation Not appropriate in some environments

User u requests to be active in A and B while is in DSD; rejectedUser u requests to be active in A; allowedUser u requests to be active in B; allowed

8/13/2019 Burke (1)

20/30

Group of permissions may be designated asmutually exclusive with regard to rolesactivated by a subject

As with DSD, memory-less

8/13/2019 Burke (1)

21/30

A role may be defined in terms of one ormore other roles And can include additional characteristics

Automatically takes on or inherits the collective

characteristics of roles Containment is recursive

8/13/2019 Burke (1)

22/30

Substitution of role instances

8/13/2019 Burke (1)

23/30

Include given role plus set of roles containedby that role

Can also be related to role authorization A user is authorized to perform tasks based on its

roles as well as its roles roles andits roles roles roles anditsroles roles roles roles and

Containment is not reflexive but is transitive Role i is not in the subset of i

If j is a subset of i and k is a subset of j, then j is asubset of i

8/13/2019 Burke (1)

24/30

Containing roles accumulate not only thecapabilities of contained roles, butconstraints and separations of dutyrelationships

Permitted Actions are expanded to includethose privileges associated with effectiveroles

8/13/2019 Burke (1)

25/30

Cardinality Inheritance: a containing rolemust be assigned a membership limit lessthan or equal to that of anycontained role

Role AMax: ?

B: 15

C: 7

D: 25

Role A would be given acapacity of the minimum of itscontained roles. 7 from C.

8/13/2019 Burke (1)

26/30

Separation of duty relationship cannot existbetween roles that have a containmentrelation between them or are contained byanother role in common (common heir)

A B

is a member of SSDC

But since C inherits both Aand B, is no longer amember of SSD

8/13/2019 Burke (1)

27/30

If one role contains another role that has anSD relationship with a third role, then thecontaining role also has an SD relationshipwith the third role

A

B C

If is a member of SSD,and A inherits B, then is also a member of SSD

8/13/2019 Burke (1)

28/30

Property Static ynamicRole Activation

Permitted Action

Cardinality

Separation of Duty

Operational Separation of Duty

Role Hierarchy

Permitted Action on Modified Hierarchies

Cardinality Inheritance

Separation of Duty Hierarchy

Separation of Duty Inheritance

8/13/2019 Burke (1)

29/30

Inheritance Properties of Role Hierarchies W. A. Jansen

National Institute of Standards and Technology

8/13/2019 Burke (1)

30/30