Ravi Sandhu
Venkata Bhamidipati
Laboratory for Information Security Technology (LIST)
George Mason University
Role-Based Administration of User-Role Assignment:
The URA97 Model and its Oracle Implementation
© Ravi Sandhu 1997
OUTLINE
RBAC96 review
URA97 model
URA97 Oracle implementation
Closing remarks
RBAC96
[Figure: RBAC96 model diagram; labels: USERS, ROLES, PERMISSIONS, SESSIONS, CONSTRAINTS, ADMINROLES, ADMINPERMISSIONS]
RBAC96: RBAC0
[Figure: RBAC0 diagram; labels: USERS, ROLES, PERMISSIONS, SESSIONS]
RBAC96: RBAC1
[Figure: RBAC1 diagram; labels: USERS, ROLES, PERMISSIONS, SESSIONS]
RBAC96: RBAC2
[Figure: RBAC2 diagram; labels: USERS, ROLES, PERMISSIONS, SESSIONS, CONSTRAINTS]
RBAC96: RBAC3
[Figure: RBAC3 diagram; labels: USERS, ROLES, PERMISSIONS, SESSIONS, CONSTRAINTS]
RBAC96
[Figure: RBAC96 model diagram; labels: USERS, ROLES, PERMISSIONS, SESSIONS, CONSTRAINTS, ADMINROLES, ADMINPERMISSIONS]
RBAC96
[Figure: diagram of the RBAC96 family; labels: RBAC0, RBAC1, RBAC2, RBAC3 and ARBAC0, ARBAC1, ARBAC2, ARBAC3]
SCALE AND RATE OF CHANGE
roles: 100s or 1000s
users: 1000s or 10,000s or more
Frequent changes to
  user-role assignment
  permission-role assignment
Less frequent changes for role hierarchy
ADMINISTRATIVE RBAC
user-role assignment
permission-role assignment
role-role hierarchy
EXAMPLE ROLE HIERARCHY
[Figure: role hierarchy diagram; roles shown:]
Director (DIR)
PROJECT 1: Project Lead 1 (PL1), Production 1 (P1), Quality 1 (Q1), Engineer 1 (E1)
PROJECT 2: Project Lead 2 (PL2), Production 2 (P2), Quality 2 (Q2), Engineer 2 (E2)
Engineering Department (ED)
Employee (E)
EXAMPLE ADMINISTRATIVE ROLE HIERARCHY
Senior Security Officer (SSO)
Department Security Officer (DSO)
Project Security Officer 1 (PSO1)
Project Security Officer 2 (PSO2)
URA97 GRANT MODEL: can-assign
ARole   Prereq Role   Role Range
PSO1    ED            [E1,PL1)
PSO2    ED            [E2,PL2)
DSO     ED            (ED,DIR)
SSO     E             [ED,ED]
SSO     ED            (ED,DIR]
URA97 GRANT MODEL: can-assign
ARole   Prereq Cond   Role Range
PSO1    ED            [E1,E1]
PSO1    ED & ¬P1      [Q1,Q1]
PSO1    ED & ¬Q1      [P1,P1]
PSO2    ED            [E2,E2]
PSO2    ED & ¬P2      [Q2,Q2]
PSO2    ED & ¬Q2      [P2,P2]
URA97 GRANT MODEL
“redundant” assignments to senior and junior roles
  are allowed
  are useful
URA97 REVOKE MODEL
WEAK REVOCATION
  revokes explicit membership in a role
  independent of who did the assignment
URA97 REVOKE MODEL
STRONG REVOCATION
  revokes explicit membership in a role and its seniors
  authorized only if corresponding weak revokes are authorized
  alternatives
    all-or-nothing
    revoke within range
URA97 REVOKE MODEL: can-revoke
ARole   Role Range
PSO1    [E1,PL1)
PSO2    [E2,PL2)
DSO     (ED,DIR)
SSO     [ED,DIR]
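
The second can-assign table (with prerequisite conditions) and the can-revoke table, evaluated in Python as an added example; this is not the authors' Oracle stored-procedure code. The hierarchy edges, the rule that a senior administrative role inherits the authority of its juniors, and the user name are assumptions, since the slides list only the role names.

```python
# Added example (not the authors' Oracle code): URA97 can-assign / can-revoke checks.
# ASSUMPTION: the junior -> immediate-senior edges below; the slides list only role names.
SENIORS = {"E": {"ED"}, "ED": {"E1", "E2"}, "DIR": set(),
           "E1": {"P1", "Q1"}, "P1": {"PL1"}, "Q1": {"PL1"}, "PL1": {"DIR"},
           "E2": {"P2", "Q2"}, "P2": {"PL2"}, "Q2": {"PL2"}, "PL2": {"DIR"}}
ADMIN_SENIORS = {"PSO1": {"DSO"}, "PSO2": {"DSO"}, "DSO": {"SSO"}, "SSO": set()}

def geq(senior, junior, h=SENIORS):
    """True if senior is junior itself or lies above it in hierarchy h."""
    return senior == junior or any(geq(senior, s, h) for s in h[junior])

def in_range(role, lo, hi, lo_closed, hi_closed):
    """Range test: [E1,PL1) is ("E1", "PL1", True, False)."""
    return (geq(role, lo) and geq(hi, role)
            and (lo_closed or role != lo) and (hi_closed or role != hi))

def member(ua, user, role):
    """Explicit or implicit membership: the user holds role or one of its seniors."""
    return any(geq(r, role) for r in ua.get(user, ()))

# Rows of the second can-assign table: (arole, required role, excluded role, range).
CAN_ASSIGN = [
    ("PSO1", "ED", None, ("E1", "E1", True, True)), ("PSO2", "ED", None, ("E2", "E2", True, True)),
    ("PSO1", "ED", "P1", ("Q1", "Q1", True, True)), ("PSO2", "ED", "P2", ("Q2", "Q2", True, True)),
    ("PSO1", "ED", "Q1", ("P1", "P1", True, True)), ("PSO2", "ED", "Q2", ("P2", "P2", True, True)),
]
# Rows of the can-revoke table: (arole, range).
CAN_REVOKE = [("PSO1", ("E1", "PL1", True, False)), ("PSO2", ("E2", "PL2", True, False)),
              ("DSO", ("ED", "DIR", False, False)), ("SSO", ("ED", "DIR", True, True))]

def assign(ua, user, trole, arole):
    """ASSIGN: succeeds if some row authorizes arole (or a junior of it) for trole."""
    for a, need, deny, rng in CAN_ASSIGN:
        if (geq(arole, a, ADMIN_SENIORS) and in_range(trole, *rng) and member(ua, user, need)
                and not (deny and member(ua, user, deny))):
            ua.setdefault(user, set()).add(trole)
            return True
    return False

def weak_revoke(ua, user, trole, arole):
    """WEAK_REVOKE: drops explicit membership only; implicit membership may remain."""
    ok = any(geq(arole, a, ADMIN_SENIORS) and in_range(trole, *rng) for a, rng in CAN_REVOKE)
    if ok:
        ua.get(user, set()).discard(trole)
    return ok

if __name__ == "__main__":
    ua = {"alice": {"ED"}}  # constructed sample user-role assignment
    print(assign(ua, "alice", "Q1", "PSO1"), assign(ua, "alice", "P1", "PSO1"))  # True False
```

The second call is refused because the ¬Q1 prerequisite fails once alice holds Q1, which is how the table keeps the P1 and Q1 roles apart.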
ORACLE ROLES
support RBAC1
administrative model has strong discretionary flavor
administrative authority on role implies
  can grant role to any user or role
  can grant role to any role
anyone with grant option on a permission can grant it to any role
URA97 IN ORACLE
administrative option for all roles is retained solely with DBA
  never given to any user
use generic stored procedures with URA97
  can-assign and can-revoke implemented as relations
URA97 IN ORACLE
Oracle primitives for traversing role hierarchy need to be extended
can-assign in DNF: ER DIAGRAM
CAN_ASSIGN (Admin Role, PreCondition, Min_Int, Min Role, Max Role, Max_Int)
CAN_ASSIGN2 (PreCondition, AND set name, NOT set name)
CAN_ASSIGN3 (AND set name, AND roles)
CAN_ASSIGN4 (NOT set name, NOT roles)
can-revoke RELATION
CAN_REVOKE (Admin Role, Min_Int, Min Role, Max Role, Max_Int)
ORACLE STORED PROCEDURES
can extend Oracle access control model
limitation
  stored procedure can determine who the user is
  BUT cannot determine active roles of the user
URA97 STORED PROCEDURES
ASSIGN(user, trole, arole)
WEAK_REVOKE(user, trole, arole)
STRONG_REVOKE(user, trole, arole)
  user: user being added to trole
  trole: target role
  arole: administrative role used for this operation due to Oracle limitations
CLOSING REMARKS: PREVIEW OF WORK IN PROGRESS
user-role assignment
  URA97 and Oracle, this paper
  other platforms
permission-role assignment
  PRA97, dual of URA97
  Oracle implementation
CLOSING REMARKS: PREVIEW OF WORK IN PROGRESS
role-role hierarchy
  user-only roles (groups): like URA97
  permission-only roles: like PRA97
  user and permission roles: RRA97