ISA 662
The RBAC 96 Model
Prof. Ravi Sandhu
George Mason University

AUTHORIZATION, TRUST AND RISK
- Information security is fundamentally about managing
  - authorization and
  - trust
  so as to manage risk
© Ravi Sandhu

SOLUTIONS
- PEI
- RBAC
- PKI
- and others

THE PEI WAY
[Diagram: layers running from "What?" to "How?", with Assurance alongside]
- Objectives
- Policy Model
- Enforcement Model
- Implementation Model
- Implementation

LAYERS AND LAYERS
- Multics rings
- Layered abstractions
- Waterfall model
- Network protocol stacks
- PEI

PEI AND MANDATORY ACCESS CONTROL (MAC)
[Diagram: PEI layers running from "What?" to "How?", with Assurance alongside]
- No information leakage
- Lattices (Bell-LaPadula)
- Security kernel
- Security labels

PEI AND DISCRETIONARY ACCESS CONTROL (DAC)
[Diagram: PEI layers running from "What?" to "How?", with Assurance alongside]
- Owner-based discretion
- numerous
- ACLs, Capabilities, etc.

PEI AND ROLE-BASED ACCESS CONTROL (RBAC)
[Diagram: PEI layers running from "What?" to "How?", with Assurance alongside]
- Policy neutral
- RBAC 96
- user-pull, server-pull, etc.
- certificates, tickets, PACs, etc.

ROLE-BASED ACCESS CONTROL (RBAC)
- A user's permissions are determined by the user's roles
  - rather than identity or clearance
  - roles can encode arbitrary attributes
- multi-faceted
- ranges from very simple to very sophisticated

WHAT IS THE POLICY IN RBAC?
- RBAC is a framework to help in articulating policy
- The main point of RBAC is to facilitate security management

RBAC SECURITY PRINCIPLES
- least privilege
- separation of duties
- separation of administration and access
- abstract operations

RBAC 96 (IEEE Computer, Feb. 1996)
- Policy neutral
- can be configured to do MAC
  - roles simulate clearances (ESORICS 96)
- can be configured to do DAC
  - roles simulate identity (RBAC 98)

WHAT IS RBAC?
- multidimensional
- open ended
- ranges from simple to sophisticated

RBAC CONUNDRUM
- turn on all roles all the time
- turn on one role only at a time
- turn on a user-specified subset of roles

RBAC 96 FAMILY OF MODELS
- RBAC 3: ROLE HIERARCHIES + CONSTRAINTS
- RBAC 1: ROLE HIERARCHIES
- RBAC 2: CONSTRAINTS
- RBAC 0: BASIC RBAC

RBAC 0
[Diagram: USERS, ROLES, PERMISSIONS and SESSIONS, with USER-ROLE ASSIGNMENT and PERMISSION-ROLE ASSIGNMENT]

PERMISSIONS
- Primitive
  - read, write, append, execute
- Abstract permissions
  - credit, debit, inquiry

PERMISSIONS
- System permissions
  - Auditor
- Object permissions
  - read, write, append, execute, credit, debit, inquiry

PERMISSIONS
- Permissions are positive
- No negative permissions or denials
  - negative permissions and denials can be handled by constraints
- No duties or obligations
  - outside scope of access control

ROLES AS POLICY
- A role brings together
  - a collection of users and
  - a collection of permissions
- These collections will vary over time
  - A role has significance and meaning beyond the particular users and permissions brought together at any moment

ROLES VERSUS GROUPS
- Groups are often defined as
  - a collection of users
- A role is
  - a collection of users and
  - a collection of permissions
- Some authors define role as
  - a collection of permissions

USERS
- Users are
  - human beings or
  - other active agents
- Each individual should be known as exactly one user

USER-ROLE ASSIGNMENT
- A user can be a member of many roles
- Each role can have many users as members

SESSIONS
- A user can invoke multiple sessions
- In each session a user can invoke any subset of roles that the user is a member of

PERMISSION-ROLE ASSIGNMENT
- A permission can be assigned to many roles
- Each role can have many permissions

MANAGEMENT OF RBAC
- Option 1: USER-ROLE ASSIGNMENT and PERMISSION-ROLE ASSIGNMENT can be changed only by the chief security officer
- Option 2: Use RBAC to manage RBAC

RBAC 1
[Diagram: USERS, ROLES, PERMISSIONS and SESSIONS, with USER-ROLE ASSIGNMENT, PERMISSION-ROLE ASSIGNMENT and ROLE HIERARCHIES]

HIERARCHICAL ROLES
[Diagram: role hierarchy with the roles below]
- Primary-Care Physician
- Specialist Physician
- Health-Care Provider

HIERARCHICAL ROLES
[Diagram: role hierarchy with the roles below]
- Supervising Engineer
- Hardware Engineer
- Software Engineer

PRIVATE ROLES
[Diagram: role hierarchy with the roles below]
- Hardware Engineer’
- Software Engineer’
- Supervising Engineer
- Hardware Engineer
- Software Engineer

EXAMPLE ROLE HIERARCHY
[Diagram: role hierarchy with the roles below]
- Director (DIR)
- PROJECT 1: Project Lead 1 (PL 1), Production 1 (P 1), Quality 1 (Q 1), Engineer 1 (E 1)
- PROJECT 2: Project Lead 2 (PL 2), Production 2 (P 2), Quality 2 (Q 2), Engineer 2 (E 2)
- Engineering Department (ED)
- Employee (E)

EXAMPLE ROLE HIERARCHY
[Diagram: role hierarchy with the roles below]
- PROJECT 1: Project Lead 1 (PL 1), Production 1 (P 1), Quality 1 (Q 1), Engineer 1 (E 1)
- PROJECT 2: Project Lead 2 (PL 2), Production 2 (P 2), Quality 2 (Q 2), Engineer 2 (E 2)
- Engineering Department (ED)
- Employee (E)

EXAMPLE ROLE HIERARCHY
[Diagram: role hierarchy with the roles below]
- Director (DIR)
- PROJECT 1: Project Lead 1 (PL 1), Production 1 (P 1), Quality 1 (Q 1), Engineer 1 (E 1)
- PROJECT 2: Project Lead 2 (PL 2), Production 2 (P 2), Quality 2 (Q 2), Engineer 2 (E 2)

EXAMPLE ROLE HIERARCHY
[Diagram: role hierarchy with the roles below]
- PROJECT 1: Project Lead 1 (PL 1), Production 1 (P 1), Quality 1 (Q 1), Engineer 1 (E 1)
- PROJECT 2: Project Lead 2 (PL 2), Production 2 (P 2), Quality 2 (Q 2), Engineer 2 (E 2)

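Added example (not from the original slides): a small reference monitor for the RBAC 0 relations and sessions plus an RBAC 1 role hierarchy, using the engineer roles from the HIERARCHICAL ROLES and PRIVATE ROLES slides. The class name, users, permission names and the direction of the hierarchy edges (Supervising Engineer senior to both engineer roles; the primed private role senior to Hardware Engineer only) are assumptions.

```python
from collections import defaultdict

class RBAC1:
    """RBAC 0 relations plus an RBAC 1 role hierarchy (added example)."""
    def __init__(self):
        self.ua = defaultdict(set)       # user -> roles (USER-ROLE ASSIGNMENT)
        self.pa = defaultdict(set)       # role -> permissions (PERMISSION-ROLE ASSIGNMENT)
        self.juniors = defaultdict(set)  # role -> immediate junior roles
        self.sessions = {}               # session id -> (user, active roles)

    def closure(self, roles):
        """The given roles plus every role junior to them."""
        seen, stack = set(), list(roles)
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.juniors[role])
        return seen

    def open_session(self, sid, user, roles):
        """Activate a subset of the roles the user holds directly or through seniority."""
        denied = set(roles) - self.closure(self.ua[user])
        if denied:
            raise PermissionError(f"{user} may not activate {sorted(denied)}")
        self.sessions[sid] = (user, set(roles))

    def check(self, sid, perm):
        """Positive permissions only: allow iff an active role or one of its juniors has perm."""
        _, active = self.sessions[sid]
        return any(perm in self.pa[r] for r in self.closure(active))

def build_demo():
    """Constructed policy; hierarchy edges and permission names are assumptions."""
    m = RBAC1()
    m.juniors["Supervising Engineer"] = {"Hardware Engineer", "Software Engineer"}
    m.juniors["Hardware Engineer'"] = {"Hardware Engineer"}   # private role
    m.pa["Hardware Engineer"].add("read:schematics")
    m.pa["Software Engineer"].add("read:source")
    m.pa["Hardware Engineer'"].add("write:draft-schematics")
    m.ua["alice"].add("Supervising Engineer")
    m.ua["bob"].add("Hardware Engineer'")
    m.open_session("s1", "alice", {"Supervising Engineer"})
    m.open_session("s2", "alice", {"Hardware Engineer"})      # least privilege
    m.open_session("s3", "bob", {"Hardware Engineer'"})
    return m
```

Session s1 inherits both engineer roles' permissions but not the private role's; session s2 shows the same user running with only one junior role active.
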
RBAC 3
[Diagram: USERS, ROLES, PERMISSIONS and SESSIONS, with USER-ROLE ASSIGNMENT, PERMISSIONS-ROLE ASSIGNMENT, ROLE HIERARCHIES and CONSTRAINTS]

CONSTRAINTS
- Mutually Exclusive Roles
  - Static Exclusion: The same individual can never hold both roles
  - Dynamic Exclusion: The same individual can never hold both roles in the same context

CONSTRAINTS
- Mutually Exclusive Permissions
  - Static Exclusion: The same role should never be assigned both permissions
  - Dynamic Exclusion: The same role can never hold both permissions in the same context

CONSTRAINTS
- Cardinality Constraints on User-Role Assignment
  - At most k users can belong to the role
  - At least k users must belong to the role
  - Exactly k users must belong to the role

CONSTRAINTS
- Cardinality Constraints on Permissions-Role Assignment
  - At most k roles can get the permission
  - At least k roles must get the permission
  - Exactly k roles must get the permission

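Added example (not from the original slides): the four CONSTRAINTS slides as checks an administrator could run over the assignment relations. The function names and the sample policy are constructed, and treating one session as the "context" for dynamic exclusion is an assumption.

```python
def exclusion_violations(assignment, exclusive_pairs):
    """Static exclusion: holders assigned both members of an exclusive pair.

    assignment maps holder -> set of items: user -> roles for mutually
    exclusive roles, role -> permissions for mutually exclusive permissions.
    """
    return sorted((h, a, b) for h, items in assignment.items()
                  for a, b in exclusive_pairs if {a, b} <= items)

def activation_allowed(active, requested, exclusive_pairs):
    """Dynamic exclusion, taking one session as the 'context' (assumption)."""
    combined = set(active) | {requested}
    return not any({a, b} <= combined for a, b in exclusive_pairs)

def cardinality_violations(assignment, bounds):
    """bounds maps item -> (at_least, at_most); None means unbounded.

    Counts holders per item: users per role, or roles per permission.
    'Exactly k' is the bound (k, k).
    """
    counts = {}
    for items in assignment.values():
        for item in items:
            counts[item] = counts.get(item, 0) + 1
    bad = []
    for item, (lo, hi) in bounds.items():
        n = counts.get(item, 0)
        if (lo is not None and n < lo) or (hi is not None and n > hi):
            bad.append((item, n))
    return sorted(bad)

# Constructed policy; role and permission names are borrowed from the slides.
UA = {"alice": {"Production 1", "Quality 1"}, "bob": {"Quality 1"},
      "carol": {"Director"}, "dave": {"Director"}}
PA = {"Production 1": {"credit", "debit"}, "Quality 1": {"inquiry"},
      "Employee": {"inquiry"}}
EXCLUSIVE_ROLES = [("Production 1", "Quality 1")]
EXCLUSIVE_PERMS = [("credit", "debit")]

def audit():
    """Run every static check over the constructed policy."""
    return {
        "roles": exclusion_violations(UA, EXCLUSIVE_ROLES),
        "perms": exclusion_violations(PA, EXCLUSIVE_PERMS),
        "users_per_role": cardinality_violations(UA, {"Director": (1, 1)}),
        "roles_per_perm": cardinality_violations(PA, {"inquiry": (None, 1)}),
    }
```
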
- Slides: 39