Induced Role Hierarchies with Attribute-Based RBAC
Mohammad A. Al-Kahtani, George Mason University
Ravi Sandhu, NSD Security, Inc. & George Mason University
SACMAT 03 © Mohammad Al-Kahtani 1
Introduction
• Role-Based Access Control (RBAC): A proven alternative to DAC and MAC
[Figure: RBAC components: Users, (UA) User Assignment, Roles with Role Hierarchy, (PA) Permission Assignment, Permissions]
• RBAC basic components:
  1. Users
  2. Roles
  3. Permissions
Introduction
• In RBAC, user-to-role assignment is done manually.
• Many enterprises have huge customer bases:
  - Banks
  - Utilities companies
  - Popular web sites
  In this environment, manual assignment becomes a formidable task.
• RBAC is modified to allow automatic user-role assignment based on authorization rules.
Introduction
• The modified RBAC is called RB-RBAC: Rule-Based RBAC.
• Authorization rule structure:
[Figure: authorization rule with Attributes Expression, Constraints and Roles]
• RB-RBAC rules are in BNF notation.
RB-RBAC Model
• Attributes Expressions:
  1. Expressed in RB-RBAC language
  2. Constitute LHS of authorization rules
• Attributes Values:
  1. Stored locally
  2. Provided by attribute servers
  3. Other means
[Figure: Users, Attributes values, Attributes Expressions, Roles, Permissions]
Analysis of RB-RBAC
Seniority Relations among authorization rules
• Rule i: Attributes Expression ae_i → Roles
• Rule j: Attributes Expression ae_j → Roles
• ae_i logically implies ae_j (ae_i → ae_j): Rule i is senior to Rule j
Analysis of RB-RBAC
Example:
Attribute Expressions | Roles | Seniority
ae1 = Salary > 1000 ∧ age > 50 | r1 | ae1 → ae2, ae1 → ae3, ae1 → ae4
ae2 = Salary > 1000 ∧ age > 40 | r2 | ae2 → ae4, ae2 ↔ ae3
ae3 = ¬(Salary ≤ 1000 ∨ age ≤ 40) | r3 | ae3 → ae4, ae3 ↔ ae2
ae4 = Salary > 400 | r4 |
ae5 = Age > 60 | r5 | Not related to any attribute expression
Analysis of RB-RBAC
Example: (Continued)
• The seniority relations among the rules are reflected as a hierarchy among the attribute expressions of the rules.
• These relations induce a role hierarchy (IRH) among the roles produced by these rules.
[Figure: hierarchy among attribute expressions ae1, ae2, ae3, ae4, ae5]
Analysis of RB-RBAC
Example: (Continued)
To assemble the IRH, we say r_i is senior to r_j if the following holds:
(∃ ae_g) [ r_i ∈ RHS(ae_g) ∧ (∃ ae_h) [ (ae_g → ae_h) ∧ r_j ∈ RHS(ae_h) ] ]
where RHS(ae_g) is a function that returns the role set produced by attribute expression ae_g.
[Figure: induced role hierarchy over r1, r2, r3, r4, r5]
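The seniority definition above, applied to the five rules of the slides' example (an added example, not code from the presentation). It assumes each ae_k produces only r_k, as the row order of the example table suggests, and integer attribute values; the function names are hypothetical.

```python
from itertools import product

# Rules of the slides' example: attribute expression -> role set (RHS).
# Assumption: ae_k produces exactly r_k. Predicates take (salary, age).
RULES = {
    "ae1": (lambda s, a: s > 1000 and a > 50, {"r1"}),
    "ae2": (lambda s, a: s > 1000 and a > 40, {"r2"}),
    "ae3": (lambda s, a: not (s <= 1000 or a <= 40), {"r3"}),
    "ae4": (lambda s, a: s > 400, {"r4"}),
    "ae5": (lambda s, a: a > 60, {"r5"}),
}
SALARY_THRESHOLDS = (400, 1000)   # constants compared against salary
AGE_THRESHOLDS = (40, 50, 60)     # constants compared against age

def sample_points():
    """One integer point on each side of every threshold.

    Every atom (x > t, x <= t) is constant between thresholds, so these
    points hit every truth-value region of the five expressions.
    """
    salaries = {t + d for t in SALARY_THRESHOLDS for d in (0, 1)}
    ages = {t + d for t in AGE_THRESHOLDS for d in (0, 1)}
    return list(product(salaries, ages))

def implies(ae_g, ae_h):
    """ae_g -> ae_h: every point satisfying ae_g also satisfies ae_h."""
    g, h = RULES[ae_g][0], RULES[ae_h][0]
    return all(h(s, a) for s, a in sample_points() if g(s, a))

def induced_role_hierarchy():
    """(r_i, r_j) pairs with r_i senior to r_j; reflexive pairs dropped."""
    senior = set()
    for g, h in product(RULES, repeat=2):
        if implies(g, h):
            senior |= {(ri, rj) for ri in RULES[g][1]
                       for rj in RULES[h][1] if ri != rj}
    return senior

def equivalent_roles(irh):
    """Role pairs senior to each other, i.e. from equivalent expressions."""
    return {frozenset(p) for p in irh if (p[1], p[0]) in irh}

if __name__ == "__main__":
    irh = induced_role_hierarchy()
    print(sorted(irh), equivalent_roles(irh))
```

Roles that come out senior to each other are the candidates for the grouping or consolidation step discussed next.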
Analysis of RB-RBAC
Example: (Continued)
• In assembling the IRH, roles produced by equivalent attributes expressions may be:
  a. Grouped under one rule (Figure a): No impact on functionality.
  b. Consolidated into one role (Figure b): May not always be preferred from a functional perspective.
[Figure: (a) hierarchy with r1, {r2, r3}, r4, r5; (b) hierarchy with r1, r6, r4, r5]
Analysis of RB-RBAC
Given Role Hierarchy (GRH) vs. IRH
• GRH reflects the current business practice of an enterprise.
• Inheritance of permissions flows upward in the GRH.
• Users’ inheritance flows downward in the IRH.
[Figure: IRH, flow of user-role inheritance: r2 inherits r1. GRH, flow of permission-role inheritance: r1 inherits r2.]
Analysis of RB-RBAC
Discrepancies between IRH and GRH
• Ideally, IRH and GRH should be mirror images of each other.
• In reality, discrepancies may occur.
• Types of discrepancies (using IRH as the reference):
  1. Missing Nodes
  2. Additional Nodes
  3. Missing Edges
  4. Additional Edges
  5. Inconsistency
Analysis of RB-RBAC
Discrepancies between IRH and GRH
1. Missing Nodes
[Figure: node 7]
Functional Impact: None
Reconciliation Measure: Delete the node and assign its permissions to its parents in GRH.
Analysis of RB-RBAC
Discrepancies between IRH and GRH
1. Missing Nodes
  a. Leaf Node
[Figure: node 3]
Functional Impact: None
Reconciliation Measure: Delete the node from GRH and assign its permissions to its parents.
Analysis of RB-RBAC
Discrepancies between IRH and GRH
1. Missing Nodes
  a. Leaf Node
  b. Internal Node
[Figure: node 4]
Functional Impact: Loss of functionality may occur.
Reconciliation Measure: Modify the authorization rules via modifying the security policy.
Analysis of RB-RBAC
Discrepancies between IRH and GRH
1. Missing Nodes
  a. Leaf Node
  b. Internal Node
  c. Stand-alone Node (assume r1 is missing in IRH)
Functional Impact: Loss of r1 functionality.
Reconciliation: Modify the authorization rules via modifying the security policy.
Analysis of RB-RBAC
Discrepancies between IRH and GRH
2. Additional Nodes
[Figure: node 8]
Functional Impact: None
Reconciliation: Delete the node from IRH or modify GRH by adding r8.
IRH provides an insight: r8 permissions its parent’s permission
Analysis of RB-RBAC
Discrepancies between IRH and GRH
2. Additional Nodes
  a. Leaf Node
[Figure: node 10]
Functional Impact: If r10 has one child, then it is redundant.
Reconciliation Measure: Delete r10 from IRH and modify the policy to produce its child, e.g. r5. Or add r10 to GRH such that: r5 permission r10 permission r2 permission
If r10 has more than one child, then add to GRH with: r10 permissions = its children’s permissions
Analysis of RB-RBAC
Discrepancies between IRH and GRH
2. Additional Nodes
  a. Leaf Node
  b. Internal Node
[Figure: node 9]
Functional Impact: None
Reconciliation: Delete the node and modify the security policy so that authorization rules do not produce this role.
Analysis of RB-RBAC
Discrepancies between IRH and GRH
2. Additional Nodes
  a. Leaf Node
  b. Internal Node
  c. Stand-alone Node
[Figure: node 13]
Functional Impact: If r13 has a single child, r13 is redundant.
Reconciliation: Delete r13 from IRH, and the policy must be modified to produce its child instead.
If r13 has more than one child, then add it to GRH: r13 permission = r13 child nodes permissions
Analysis of RB-RBAC
Discrepancies between IRH and GRH
3. Missing Edges
[Figure: edge r1 - r11]
Functional Impact: None
Reconciliation: The enterprise business practice sees a functional relation between r1 and r11. However, the security policy does not capture this, so it must be modified.
Analysis of RB-RBAC
Discrepancies between IRH and GRH
4. Additional Edges
[Figure: edge r1 - r12]
Functional Impact: None
Reconciliation: Modify the permissions of r1 to include that of r12 if the two hierarchies must be compatible.
Analysis of RB-RBAC
Discrepancies between IRH and GRH
5. Inconsistency: Normally, user-role assignment inheritance and permission-role inheritance flow in opposite directions.
Figure (a): (r2 r3) r2 users have (r2 permissions r3 permissions)
[Figure: (a) IRH, (b) GRH, (c) Consolidated IRH and GRH, each over r1, r2, r3]
Analysis of RB-RBAC
Discrepancies between IRH and GRH
5. Inconsistency:
Figure (b): (r2 r3) r3 users have (r2 permissions r3 permissions)
Analysis of RB-RBAC
Discrepancies between IRH and GRH
5. Inconsistency:
Figure (c): The inconsistency manifests itself in the form of double arrows heading in the same direction between r2 and r3.
The enterprise business practice must be modified to remove this inconsistency.
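One way to check a GRH against the IRH for the five discrepancy types listed above (an added example, not code from the presentation). Both hierarchies are constructed samples given as (senior, junior) pairs, only direct edges are compared, and the function names are hypothetical.

```python
def nodes(hierarchy):
    """All roles that appear in a set of (senior, junior) pairs."""
    return {role for edge in hierarchy for role in edge}

def compare_hierarchies(irh, grh, irh_roles=(), grh_roles=()):
    """Classify IRH/GRH discrepancies, using the IRH as the reference.

    irh_roles / grh_roles list stand-alone roles that have no edges.
    """
    irh_nodes = nodes(irh) | set(irh_roles)
    grh_nodes = nodes(grh) | set(grh_roles)
    common = irh_nodes & grh_nodes
    # Compare only edges between roles present in both hierarchies; edges
    # touching a missing or additional node are covered by the node report.
    irh_e = {e for e in irh if set(e) <= common}
    grh_e = {e for e in grh if set(e) <= common}
    # Inconsistency: the two hierarchies disagree on which role is senior.
    inconsistent = {(s, j) for (s, j) in irh_e if (j, s) in grh_e}
    flipped = {(j, s) for (s, j) in inconsistent}
    return {
        "missing_nodes": grh_nodes - irh_nodes,       # in GRH, not in IRH
        "additional_nodes": irh_nodes - grh_nodes,    # in IRH, not in GRH
        "missing_edges": grh_e - irh_e - flipped,     # relation only in GRH
        "additional_edges": irh_e - grh_e - inconsistent,  # only in IRH
        "inconsistent": inconsistent,
    }

# Constructed sample hierarchies (not the slides' figures).
IRH = {("r1", "r2"), ("r2", "r3"), ("r5", "r11"), ("r5", "r12"),
       ("r1", "r12"), ("r2", "r8")}
GRH = {("r1", "r2"), ("r3", "r2"), ("r5", "r11"), ("r5", "r12"),
       ("r1", "r11"), ("r2", "r7")}

if __name__ == "__main__":
    for kind, found in compare_hierarchies(IRH, GRH).items():
        print(f"{kind}: {sorted(found)}")
```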
Conclusion
Seniority relations among authorization rules induce a role hierarchy (IRH).
IRH is a useful tool to check the compliance of current business practices to a given security policy.
IRH allows insight into what permissions to give to a specific role which, in turn, assists in drawing lines of responsibility and authority.