Role-Based Access Control

Download Report

Transcript Role-Based Access Control 

Role-Based Access Control
Prof. Ravi Sandhu
George Mason University and
NSD Security
SACMAT 2003
ACCESS CONTROL MODELS

DAC: Discretionary Access Control, 1971




MAC: Mandatory Access Control, 1971





Source: Academic theoreticians (including myself)
No real implementations
CW: Clark-Wilson, 1987



Source: By product of MAC
Still around in niche situations, mostly US military funded
CPM: Controlled Propagation Models, 1976


Source: Military and national security
Not widely used even by military
DTE: Domain and Type Enforcement, 1985


Source: Academia and research laboratories
Predominant in commercial systems in pre-RBAC era, in many flavors
Continues to influence modern RBAC systems
Source: Commercial sector
No real implementations
RBAC: Role-based Access Control, 1992



Source: Commercial sector
Becoming dominant
Needs additional work to keep it viable
© Ravi Sandhu 2003
2
ACCESS CONTROL MODELS
RBAC
Role-based
Policy neutral
DAC
Identity based
owner controlled
© Ravi Sandhu 2003
MAC
Lattice based
label controlled
3
THE OM-AM WAY
What?
Objectives
Model
Architecture
Mechanism
How?
© Ravi Sandhu 2003
A
s
s
u
r
a
n
c
e
4
OM-AM AND ROLE-BASED ACCESS
CONTROL (RBAC)
What?
Policy neutral
RBAC96
user-pull, server-pull, etc.
certificates, tickets, PACs, etc.
How?
© Ravi Sandhu 2003
A
s
s
u
r
a
n
c
e
5
The RBAC96 Model
ROLE-BASED ACCESS
CONTROL (RBAC)
A
user’s permissions are determined
by the user’s roles
 rather
than identity or clearance
 roles can encode arbitrary attributes
 multi-faceted
 ranges
from very simple to very
sophisticated
© Ravi Sandhu 2003
7
WHAT IS THE POLICY IN RBAC?
 RBAC
is a framework to help in
articulating policy
 The main point of RBAC is to
facilitate security management
© Ravi Sandhu 2003
8
RBAC SECURITY
PRINCIPLES
 least
privilege
 separation of duties
 separation of administration and
access
 abstract operations
© Ravi Sandhu 2003
9
RBAC96
IEEE Computer Feb. 1996
 Policy
neutral
 can be configured to do MAC
 roles
 can
be configured to do DAC
 roles
© Ravi Sandhu 2003
simulate clearances (ESORICS 96)
simulate identity (RBAC98)
10
WHAT IS RBAC?
 multidimensional
 open
ended
 ranges from simple to sophisticated
© Ravi Sandhu 2003
11
RBAC CONUNDRUM
 turn
on all roles all the time
 turn on one role only at a time
 turn on a user-specified subset of
roles
© Ravi Sandhu 2003
12
RBAC96 FAMILY OF
MODELS
RBAC3
ROLE HIERARCHIES +
CONSTRAINTS
RBAC1
ROLE
HIERARCHIES
RBAC2
CONSTRAINTS
RBAC0
BASIC RBAC
© Ravi Sandhu 2003
13
RBAC0
USER-ROLE
ASSIGNMENT
USERS
ROLES
...
© Ravi Sandhu 2003
PERMISSION-ROLE
ASSIGNMENT
PERMISSIONS
SESSIONS
14
PERMISSIONS
 Primitive
 read,
write, append, execute
 Abstract
 credit,
© Ravi Sandhu 2003
permissions
permissions
debit, inquiry
15
PERMISSIONS
 System
permissions
 Auditor
 Object
permissions
 read,
write, append, execute, credit,
debit, inquiry
© Ravi Sandhu 2003
16
PERMISSIONS
 Permissions
are positive
 No negative permissions or denials
 negative
permissions and denials can
be handled by constraints
 No

© Ravi Sandhu 2003
duties or obligations
outside scope of access control
17
ROLES AS POLICY
A
role brings together
a
collection of users and
 a collection of permissions
 These
collections will vary over time
A
role has significance and meaning
beyond the particular users and
permissions brought together at any
moment
© Ravi Sandhu 2003
18
ROLES VERSUS GROUPS
 Groups
a
A
are often defined as
collection of users
role is
a
collection of users and
 a collection of permissions
 Some
a
© Ravi Sandhu 2003
authors define role as
collection of permissions
19
USERS
 Users
are
 human
beings or
 other active agents
 Each
individual should be known as
exactly one user
© Ravi Sandhu 2003
20
USER-ROLE ASSIGNMENT
A
user can be a member of many
roles
 Each role can have many users as
members
© Ravi Sandhu 2003
21
SESSIONS
A
user can invoke multiple sessions
 In each session a user can invoke
any subset of roles that the user is a
member of
© Ravi Sandhu 2003
22
PERMISSION-ROLE ASSIGNMENT
A
permission can be assigned to
many roles
 Each role can have many
permissions
© Ravi Sandhu 2003
23
MANAGEMENT OF RBAC
 Option
1:
USER-ROLE-ASSIGNMENT and
PERMISSION-ROLE ASSIGNMENT
can be changed only by the chief
security officer
 Option 2:
Use RBAC to manage RBAC
© Ravi Sandhu 2003
24
RBAC1
ROLE HIERARCHIES
USER-ROLE
ASSIGNMENT
USERS
ROLES
...
© Ravi Sandhu 2003
PERMISSION-ROLE
ASSIGNMENT
PERMISSIONS
SESSIONS
25
HIERARCHICAL ROLES
Primary-Care
Physician
Specialist
Physician
Physician
Health-Care Provider
© Ravi Sandhu 2003
26
HIERARCHICAL ROLES
Supervising
Engineer
Hardware
Engineer
Software
Engineer
Engineer
© Ravi Sandhu 2003
27
PRIVATE ROLES
Hardware
Engineer’
Supervising
Engineer
Hardware
Engineer
Software
Engineer’
Software
Engineer
Engineer
© Ravi Sandhu 2003
28
EXAMPLE ROLE HIERARCHY
Director (DIR)
Project Lead 1
(PL1)
Production 1
(P1)
Project Lead 2
(PL2)
Quality 1
(Q1)
Production 2
(P2)
Engineer 1
(E1)
PROJECT 1
© Ravi Sandhu 2003
Quality 2
(Q2)
Engineer 2
(E2)
Engineering Department (ED)
Employee (E)
PROJECT 2
29
EXAMPLE ROLE HIERARCHY
Project Lead 1
(PL1)
Production 1
(P1)
Project Lead 2
(PL2)
Quality 1
(Q1)
Production 2
(P2)
Engineer 1
(E1)
PROJECT 1
© Ravi Sandhu 2003
Quality 2
(Q2)
Engineer 2
(E2)
Engineering Department (ED)
Employee (E)
PROJECT 2
30
EXAMPLE ROLE HIERARCHY
Director (DIR)
Project Lead 1
(PL1)
Production 1
(P1)
Quality 1
(Q1)
Engineer 1
(E1)
PROJECT 1
© Ravi Sandhu 2003
Project Lead 2
(PL2)
Production 2
(P2)
Quality 2
(Q2)
Engineer 2
(E2)
PROJECT 2
31
EXAMPLE ROLE HIERARCHY
Project Lead 1
(PL1)
Production 1
(P1)
Quality 1
(Q1)
Engineer 1
(E1)
PROJECT 1
© Ravi Sandhu 2003
Project Lead 2
(PL2)
Production 2
(P2)
Quality 2
(Q2)
Engineer 2
(E2)
PROJECT 2
32
RBAC3
ROLE HIERARCHIES
USER-ROLE
ASSIGNMENT
USERS
ROLES
...
© Ravi Sandhu 2003
PERMISSIONS-ROLE
ASSIGNMENT
SESSIONS
PERMISSIONS
CONSTRAINTS
33
CONSTRAINTS
 Mutually
Exclusive Roles
 Static
Exclusion: The same individual
can never hold both roles
 Dynamic Exclusion: The same
individual can never hold both roles in
the same context
© Ravi Sandhu 2003
34
CONSTRAINTS
 Mutually
Exclusive Permissions
 Static
Exclusion: The same role should
never be assigned both permissions
 Dynamic Exclusion: The same role can
never hold both permissions in the
same context
© Ravi Sandhu 2003
35
CONSTRAINTS
 Cardinality
Constraints on User-Role
Assignment
 At
most k users can belong to the role
 At least k users must belong to the role
 Exactly k users must belong to the role
© Ravi Sandhu 2003
36
CONSTRAINTS
 Cardinality
Constraints on
Permissions-Role Assignment
 At
most k roles can get the permission
 At least k roles must get the permission
 Exactly k roles must get the permission
© Ravi Sandhu 2003
37
RBAC-MAC-DAC
RBAC96
ROLE HIERARCHIES
USER-ROLE
ASSIGNMENT
USERS
ROLES
...
© Ravi Sandhu 2003
PERMISSIONS-ROLE
ASSIGNMENT
PERMISSIONS
SESSIONS
CONSTRAINTS
39
LBAC: LIBERAL *-PROPERTY
H
M1
-
-
+
Read
Write
M2
L
© Ravi Sandhu 2003
+
40
RBAC96: LIBERAL *-PROPERTY
+
HR
M1R
M2R
M1W
-
LR
Read
© Ravi Sandhu 2003
LW
M2W
HW
Write
41
RBAC96: LIBERAL *-PROPERTY
 xR, user has clearance x
user  LW, independent of clearance
 Need constraints
 user
 xR iff session  xW
 read can be assigned only to xR roles
 write can be assigned only to xW roles
 (O,read) assigned to xR iff
(O,write) assigned to xW
 session
© Ravi Sandhu 2003
42
DAC IN RBAC
 Each
user can create discretionary
roles for assigning grantable
permissions
 For true DAC need grantable
permissions for each object owned
by the user
© Ravi Sandhu 2003
43
Administrative RBAC
ARBAC97
SCALE AND RATE OF
CHANGE
 roles:
100s or 1000s
 users: 1000s or 10,000s or more
 Frequent changes to
 user-role
assignment
 permission-role assignment
 Less
frequent changes for
 role
© Ravi Sandhu 2003
hierarchy
45
ADMINISTRATIVE RBAC
ROLES
USERS
CANMANAGE
...
ADMIN
ROLES
© Ravi Sandhu 2003
PERMISSIONS
ADMIN
PERMISSIONS
46
ARBAC97 DECENTRALIZES
 user-role
assignment (URA97)
 permission-role assignment (PRA97)
 role-role hierarchy
•
•
•
groups or user-only roles (extend URA97)
abilities or permission-only roles (extend PRA97)
UP-roles or user-and-permission roles (RRA97)
© Ravi Sandhu 2003
47
ADMINISTRATIVE RBAC
RBAC3
RBAC1
RBAC2
RBAC0
© Ravi Sandhu 2003
ARBAC3
ARBAC1
ARBAC2
ARBAC0
48
EXAMPLE ROLE HIERARCHY
Director (DIR)
Project Lead 1
(PL1)
Production 1
(P1)
Project Lead 2
(PL2)
Quality 1
(Q1)
Production 2
(P2)
Engineer 1
(E1)
PROJECT 1
© Ravi Sandhu 2003
Quality 2
(Q2)
Engineer 2
(E2)
Engineering Department (ED)
Employee (E)
PROJECT 2
49
EXAMPLE ADMINISTRATIVE
ROLE HIERARCHY
Senior Security Officer (SSO)
Department Security Officer (DSO)
Project Security
Officer 1 (PSO1)
© Ravi Sandhu 2003
Project Security
Officer 2 (PSO2)
50
URA97 GRANT MODEL:
can-assign
ARole
PSO1
PSO2
DSO
SSO
SSO
© Ravi Sandhu 2003
Prereq Role
ED
ED
ED
E
ED
Role Range
[E1,PL1)
[E2,PL2)
(ED,DIR)
[ED,ED]
(ED,DIR]
51
URA97 GRANT MODEL :
can-assign
ARole
PSO1
PSO1
PSO1
PSO2
PSO2
PSO2
© Ravi Sandhu 2003
Prereq Cond
ED
ED & ¬ P1
ED & ¬ Q1
ED
ED & ¬ P2
ED & ¬ Q2
Role Range
[E1,E1]
[Q1,Q1]
[P1,P1]
[E2,E2]
[Q2,Q2]
[P2,P2]
52
URA97 GRANT MODEL
 “redundant”
assignments to senior
and junior roles
 are
allowed
 are useful
© Ravi Sandhu 2003
53
URA97 REVOKE MODEL
 WEAK
REVOCATION
 revokes
explicit membership in a role
 independent of who did the assignment
© Ravi Sandhu 2003
54
URA97 REVOKE MODEL
 STRONG
 revokes
REVOCATION
explicit membership in a role and its
seniors
 authorized only if corresponding weak
revokes are authorized
 alternatives
•
•
all-or-nothing
revoke within range
© Ravi Sandhu 2003
55
URA97 REVOKE MODEL :
can-revoke
ARole
PSO1
PSO2
DSO
SSO
© Ravi Sandhu 2003
Role Range
[E1,PL1)
[E2,PL2)
(ED,DIR)
[ED,DIR]
56
PERMISSION-ROLE
ASSIGNMENT
 dual
of user-role assignment
 can-assign-permission
can-revoke-permission
 weak revoke
strong revoke (propagates down)
© Ravi Sandhu 2003
57
PERMISSION-ROLE ASSIGNMENT
CAN-ASSIGN-PERMISSION
ARole
PSO1
PSO2
DSO
SSO
SSO
© Ravi Sandhu 2003
Prereq Cond
PL1
PL2
E1  E2
PL1  PL2
ED
Role Range
[E1,PL1)
[E2,PL2)
[ED,ED]
[ED,ED]
[E,E]
58
PERMISSION-ROLE ASSIGNMENT
CAN-REVOKE-PERMISSION
ARole
PSO1
PSO2
DSO
SSO
© Ravi Sandhu 2003
Role Range
[E1,PL1]
[E2,PL2]
(ED,DIR)
[ED,DIR]
59
ARBAC97 DECENTRALIZES
 user-role
assignment (URA97)
 permission-role assignment (PRA97)
 role-role hierarchy
•
•
•
groups or user-only roles (extend URA97)
abilities or permission-only roles (extend PRA97)
UP-roles or user-and-permission roles (RRA97)
© Ravi Sandhu 2003
60
Range Definitions
Rang
e
Create Range
Encap. Range
Authority
Range
© Ravi Sandhu 2003
61
RBAC Architectures and Mechanisms
OM-AM AND ROLE-BASED ACCESS
CONTROL (RBAC)
What?
Objective neutral
RBAC96, ARBAC97, etc.
user-pull, server-pull, etc.
certificates, tickets, PACs, etc.
How?
© Ravi Sandhu 2003
A
s
s
u
r
a
n
c
e
63
SERVER MIRROR
Client
Server
User-role
Authorization
Server
© Ravi Sandhu 2003
64
SERVER-PULL
Client
Server
User-role
Authorization
Server
© Ravi Sandhu 2003
65
USER-PULL
Client
Server
User-role
Authorization
Server
© Ravi Sandhu 2003
66
PROXY-BASED
Client
Proxy
Server
Server
User-role
Authorization
Server
© Ravi Sandhu 2003
67
THE OM-AM WAY
What?
Objectives
Model
Architecture
Mechanism
How?
© Ravi Sandhu 2003
A
s
s
u
r
a
n
c
e
68