Role Based Access Control Models, presented by Ankit Shah, 2nd Year Master’s Student.
Role Based Access Control Models
Presented By
Ankit Shah
2nd Year Master’s Student
Problems
- Mandatory Access Control (MAC): a central authority determines access control
- Discretionary Access Control (DAC): decentralized; access control decisions lie with the owner of an object
- Both control access on a per-user basis
- Access control needs are unique to each organization
- Existing products lack flexibility
Solution
- Role Based Access Control: permissions are associated with roles, and users are assigned to appropriate roles
Motivation
- Organization style: competency, authority and responsibility, duty assignments
- Security administration and review
- Simple role-permission relationship
- Ability to meet the changing needs of an organization
Role related concepts
- What is the difference between roles and groups? The user-permission distinction, e.g. groups in the Unix operating system
- RBAC is policy neutral but supports least privilege, separation of duties and data abstraction
Four Reference Models
Base Model (RBAC0)
- User: typically a human being
- Role: job title
- Permission: approval of a mode of access to some object; permissions range from coarse grain to fine grain and depend on implementation details of the system
- Session: a mapping of one user to many roles; a user may have multiple sessions, and each session may activate a single role or a subset of the user’s roles
RBAC Models
Role Hierarchies (RBAC1)
- Reflects an organization’s role structure
- Supports inheritance of permissions
- Hierarchies are a partial order
- Private roles are useful to limit the scope of inheritance
Role Hierarchy Examples
Role Hierarchy Examples Continued
Constraints (RBAC2)
- Argued to be the principal motivation for RBAC
- A convenience when RBAC administration is centralized; when decentralized, constraints become a mechanism for restriction
- Types of constraints: mutually exclusive roles/permissions, cardinality constraints, prerequisite roles
- Effective only if suitable discipline is observed, e.g. no mapping of one user to more than one u-id, or of one permission to more than one p-id
- Role hierarchies can themselves be considered a constraint
Consolidated Model (RBAC3)
- Combines constraints and role hierarchies
- Issues raised: constraints can apply to the role hierarchy itself; a violation of a mutual exclusion constraint may be acceptable; how to specify mutual exclusion of private roles without any conflict
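The RBAC0 to RBAC2 building blocks that RBAC3 combines, as an added worked example that is not from the slides or the 1996 paper: a small Python model with users, roles, permissions and sessions, a permission-inheriting role hierarchy kept as a partial order, and mutual-exclusion, cardinality and prerequisite constraints checked when a user is assigned a role. All role, permission and user names used with it are constructed.

```python
from collections import defaultdict

class RBAC:  # RBAC3 = RBAC0 core + RBAC1 hierarchy + RBAC2 constraints (constructed)
    def __init__(self):
        self.role_perms = defaultdict(set)  # PA: role -> permissions granted directly
        self.user_roles = defaultdict(set)  # UA: user -> roles assigned to the user
        self.juniors = defaultdict(set)     # RH: senior role -> junior roles it inherits
        self.exclusive = set()              # frozensets of mutually exclusive role pairs
        self.max_members = {}               # cardinality: role -> max number of users
        self.prereq = {}                    # prerequisite: role -> role that must be held
        self.sessions = {}                  # session id -> (user, activated roles)

    def inherited(self, role):
        """The role plus every junior role reachable below it (transitive closure)."""
        seen, todo = set(), [role]
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                todo.extend(self.juniors[r])
        return seen

    def add_inheritance(self, senior, junior):
        if senior in self.inherited(junior):  # keep the hierarchy a partial order
            raise ValueError(f"{senior} > {junior} would create a cycle")
        self.juniors[senior].add(junior)

    def assign(self, user, role):
        """UA with RBAC2 constraints enforced at assignment time (static checks)."""
        held = self.user_roles[user]
        if any(frozenset((role, r)) in self.exclusive for r in held):
            raise PermissionError(f"{role} is mutually exclusive with a role {user} holds")
        if role in self.prereq and self.prereq[role] not in held:
            raise PermissionError(f"{role} requires {self.prereq[role]} first")
        members = sum(role in rs for rs in self.user_roles.values())
        if members >= self.max_members.get(role, float("inf")):
            raise PermissionError(f"{role} already has its maximum of {members} members")
        held.add(role)

    def open_session(self, sid, user, roles):
        """A session activates a subset of the user's assigned roles (least privilege)."""
        if not set(roles) <= self.user_roles[user]:
            raise PermissionError("cannot activate a role the user is not assigned")
        self.sessions[sid] = (user, set(roles))

    def allowed(self, sid, perm):
        """Access check: permission held by any activated role or one of its juniors."""
        _, active = self.sessions[sid]
        return any(perm in self.role_perms[r] for a in active for r in self.inherited(a))
```

A session that activates only "employee" cannot use an "engineer" permission even though the user holds both roles, which is the least-privilege point the session concept exists for.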
Management Model
- Till now, we assumed the presence of a single security officer
- Normally a small administrative team manages RBAC
- Propagation of rights
Management Model
- Proposed: administrative roles and permissions are disjoint from regular roles and permissions
- Administrative authority can be viewed as the ability to modify user assignments, permission assignments and role hierarchy relations
- A mirror copy of the top half of the model, ARBAC0-3, provides different levels of sophistication
- Issues: how to scope administrative authority in administrative roles; how to scope the permissions and users that an administrative role controls
Management Model Continued
Critique
- The models were published in 1996, and many improvements have been proposed to them since
- Issues are raised in the consolidated and management models, but no solution is proposed
- Lacked a related work section giving an overview of similar work and of how the proposed model is superior
Questions