PhD Dissertation
Architectures and Models for Administration of User-Role Assignment in Role Based Access Control
Venkata Bhamidipati
Presentation Outline
• Introduction
• Decentralized user-role assignment (URA97)
• ASCAA principles
• Self service role assignment (SSRBAC08)
• Conclusions
• Contributions
• Future work
• Publications
Introduction
• Principal motivation of RBAC is to simplify
administration.
• Using RBAC to manage itself is an appealing
possibility
• Three components in administration of RBAC
• user–role, permission–role, role-role
• Focus of this work is on user-role administration
Introduction: Problem Statement
• In large systems administration is a big task.
• Frequent changes to
• user-role assignment
– roles: 100s or 1000s
– users: 1000s or 10,000s or more
• Less frequent changes for
• role hierarchy
• Need for decentralization and automation of user-role assignment
• The early part of this work focuses on decentralization (URA97), the later part on automation (SSRBAC08)
Introduction: Contributions
• URA97 model for user role assignment
– Related work: Munawer 99, Oh 2002
• PRA97 for permission role assignment
• URA97 proof of concept implementation in Oracle
– Related work: Ahn & Sandhu 98, 01; Sandhu & Park 98
• Push model for user assignment in distributed systems
– Related work: Dekker 2008
• ASCAA principles for next generation RBAC
• Framework for self service assignment (SSRBAC08)
– Related work: Khatani 2004
Introduction: RBAC96
[Figure: RBAC96 model. Elements shown: USERS, ROLES, PERMISSIONS, Sessions, Constraints, ADMIN ROLES, ADMIN PERMISSIONS; the labels URA97 and SSRBAC08 are marked on the diagram]
Introduction: OM-AM
• Objectives: Decentralization and Automation
• Model: URA97, PRA97, SSRBAC08
• Architecture: Push Model for URA97
• Mechanism: Oracle Stored Procedures
[Figure labels: "What?" at the Objectives end, "How?" at the Mechanism end, "Assurance" written vertically alongside the layers]
User Role Assignment (URA97)
• Model to administer user-role assignment
• Decentralizes user-role administration
• Members of administrative roles perform assignment
and revocation operations
Example Role Hierarchy
[Figure: example role hierarchy. Roles shown: Director (DIR); Project Lead 1 (PL1), Production 1 (P1), Quality 1 (Q1) and Engineer 1 (E1) under PROJECT 1; Project Lead 2 (PL2), Production 2 (P2), Quality 2 (Q2) and Engineer 2 (E2) under PROJECT 2; Engineering Department (ED); Employee (E)]
Example Administrative Role Hierarchy
[Figure: administrative role hierarchy. Roles shown: Senior Security Officer (SSO), Department Security Officer (DSO), Project Security Officer 1 (PSO1), Project Security Officer 2 (PSO2)]
URA97 Grant Model: can-assign
• Imposes restrictions on which users can be added to a
role by whom
• The can-assign relation
• can-assign (x,y,{a,b,c})
– a member of administrative role x (or senior to x) can assign a user
whose current membership, or non-membership, in regular roles
satisfies the prerequisite condition y to be a member of regular
roles a, b or c
• The prerequisite condition is a boolean expression on
terms of the form z(u) where z(u) is a boolean
function with the same name as role z which
evaluates to true if user u is a member of role z and
evaluates to false otherwise
URA97 Grant Model : can-assign
• Alice is a member of admin role PSO1
– She can assign a user regular role E1, if the user satisfies condition
of having membership in role ED
– She can assign a user regular role Q1, if the user satisfies condition
of having membership in ED and not having P1
– She can assign a user regular role PL1, if the user satisfies
condition of having membership in P1 and Q1
• Bob is a member of admin role DSO
– He can assign a user regular roles in the range (ED, DIR), if the
user satisfies condition of having membership in role ED
URA97 Grant Model
• “redundant” assignments to senior and junior roles
• are allowed
• are useful
URA97 Revoke Model : can-revoke
• The can-revoke relation
• can-revoke (x,Y), where Y is a range of revocation: a member of the administrative role x (or senior to x) can revoke membership of a user from any regular role y ∈ Y.
• Weak revocation
• revokes explicit membership in a role
• independent of who did the assignment
• Strong Revocation
• revokes explicit membership in a role and its seniors
• authorized only if corresponding weak revokes are
authorized
• alternatives
– all-or-nothing, revoke within range
URA97 Revoke Model : can-revoke
ARole   Role Range
PSO1    [E1,PL1)
PSO2    [E2,PL2)
DSO     (ED,DIR)
SSO     [ED,DIR]
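The can-assign and can-revoke relations from the slides above, worked as an added Python example (not code from the dissertation or its Oracle implementation). The hierarchy edges are an assumption, since the figures are not reproduced in this transcript; membership through a senior role and the all-or-nothing form of strong revocation are also assumed choices.

```python
# Added example: URA97 checks. Relation rows are the ones on the slides;
# the hierarchy edges below are assumed, not taken from this transcript.
JUNIORS = {  # role -> immediate junior roles (regular and administrative)
    "DIR": {"PL1", "PL2"}, "PL1": {"P1", "Q1"}, "PL2": {"P2", "Q2"},
    "P1": {"E1"}, "Q1": {"E1"}, "P2": {"E2"}, "Q2": {"E2"},
    "E1": {"ED"}, "E2": {"ED"}, "ED": {"E"}, "E": set(),
    "SSO": {"DSO"}, "DSO": {"PSO1", "PSO2"}, "PSO1": set(), "PSO2": set(),
}

def dominates(senior, junior):
    """senior >= junior in the hierarchy (reflexive and transitive)."""
    return senior == junior or any(dominates(j, junior) for j in JUNIORS[senior])

def in_range(role, rng):
    """rng = (low, high, low_closed, high_closed), e.g. [E1,PL1) or (ED,DIR)."""
    low, high, low_closed, high_closed = rng
    return (dominates(role, low) and dominates(high, role)
            and (low_closed or role != low) and (high_closed or role != high))

def member(ua, user, role):
    """z(u): user holds role z explicitly or through a senior role (assumption)."""
    return any(dominates(r, role) for r in ua.get(user, ()))

CAN_ASSIGN = [  # (admin role, prerequisite condition, role range)
    ("PSO1", lambda m: m("ED"), ("E1", "E1", True, True)),
    ("PSO1", lambda m: m("ED") and not m("P1"), ("Q1", "Q1", True, True)),
    ("PSO1", lambda m: m("P1") and m("Q1"), ("PL1", "PL1", True, True)),
    ("DSO", lambda m: m("ED"), ("ED", "DIR", False, False)),
]
CAN_REVOKE = [  # (admin role, role range)
    ("PSO1", ("E1", "PL1", True, False)), ("PSO2", ("E2", "PL2", True, False)),
    ("DSO", ("ED", "DIR", False, False)), ("SSO", ("ED", "DIR", True, True)),
]

def can_assign(ua, admin, user, role):
    holds = lambda z: member(ua, user, z)
    return any(member(ua, admin, x) and pre(holds) and in_range(role, rng)
               for x, pre, rng in CAN_ASSIGN)

def can_weak_revoke(ua, admin, role):
    return any(member(ua, admin, x) and in_range(role, rng) for x, rng in CAN_REVOKE)

def strong_revoke(ua, admin, user, role):
    """All-or-nothing: remove role and its seniors only if each weak revoke is authorized."""
    targets = {r for r in ua.get(user, ()) if dominates(r, role)}
    if not all(can_weak_revoke(ua, admin, r) for r in targets):
        return False
    ua[user] = set(ua.get(user, ())) - targets
    return True
```

Here `ua` maps each user to the set of regular and administrative roles assigned explicitly; a PSO1 member cannot strongly revoke E1 from a user who also holds PL1, because PL1 lies outside [E1,PL1).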
Introduction: Contributions
• URA97 model for user role assignment
– Related work: Munawer 99, Oh 2002
• PRA97 for permission role assignment
• URA97 proof of concept implementation in Oracle
– Related work: Ahn & Sandhu 98, 01; Sandhu & Park 98
• Push model for user assignment in distributed systems
– Related work: Dekker 2008
• ASCAA principles for next generation RBAC
• Framework for self service assignment (SSRBAC08)
– Related work: Al-Khatani 2004
ASCAA Principles
• RBAC96 based on four foundation principles
• Abstraction of privileges
• Separation of administrative functions
• Least privilege
• Separation of duty
• Manual intervention in RBAC administration is
cumbersome
• New concepts like usage control, rate limits have
gained traction
• Accountability is receiving renewed interest
ASCAA Principles
Abstraction
• Remains unchanged from RBAC96
Separation of Administrative functions
• Remains unchanged from RBAC96
Containment
• Subsumes least privilege, separation of duties
• Includes usage control, rate limits
Automation
• Assignment, revocation
Accountability
• Re-authentication, obligations, notification and alerts
Self Service User Assignment (SSRBAC08)
• URA97 requires administrative effort
• Simplify administration
• A framework for self service user assignment
• Based on ASCAA principles
SSRBAC08 contd..
• Modifies RBAC96
• Constraints are classified into four categories
• Assignment Criteria
• Administrative Criteria
• Usage Criteria
• Revocation Criteria
• Role attributes hold criteria
SSRBAC08 contd..
[Figure: SSRBAC08 Framework. Elements shown: Users (U), Roles (R), Sessions (S), User Assignment (UA), Role Hierarchy (RH), Assignment Criteria, Administrative Criteria, Usage Criteria, Revocation Criteria]
SSRBAC08 contd..
• Assignment Criteria (AC)
• Defines criteria that need to be satisfied by assignee for
role assignment
• Example criteria include
– membership or non membership in roles, approvals,
obligations, cardinality limits, rate limits
• Administrative Criteria (ADC)
• Defines criteria that control administrative functions
• Example criteria include
– people who are allowed to grant the role, specify if self
assignment is allowed, rate limits, approvals, obligations
SSRBAC08 contd..
• Usage Criteria (UC)
• Defines criteria that control role usage
• Example criteria include
– environmental conditions, temporal limits, rate limits, dynamic separation of duties, cardinality limits, approvals, obligations
• Revocation Criteria (RC)
• Defines criteria that control role revocation
• Example criteria include
– role expiration and time limits, approvals, obligations
Example Hierarchy
[Figure: example role hierarchy. Roles shown: Sales VP, Support VP, ENG VP, HR VP, Vice President (VP), Sales Director (SD), Director (Dir), Manager (M), Sales Rep (SREP), Support Director (SUD), HR Manager (HRM), Project Lead 1 (PL1), Project Lead 2 (PL2), Consultant (C), Quality Engineer 1 (QE1), Quality Engineer 2 (QE2), Production Engineer 1 (PE1), Production Engineer 2 (PE2), Support Lead 1 (SL1), Support Lead 2 (SL2), Support Engineer (SE1), Support Engineer (SE2), Support Analyst (SA1), Support Analyst (SA2), Engineer1 (E1), Engineer2 (E2), Engineering Department (ED), Support Department (SD), EMP (E)]
SSRBAC08 Example
ADC for Role E1
1. Users who have consultant role can perform self assignment.
2. Members with PL1 or higher role can assign E1 role to others.
3. Only 2 assignments in a day can be made by members of roles junior to
Eng VP role.
4. No more than 20 assignments of this role per week.
5. There is a cardinality limit of 30 members for users with consultant role.
6. To override cardinality rule need an approval from Eng VP.
7. Members with Dir or higher can perform revocation.
AC for Role E1
1. Assignee should have role EMP and not belong to E2.
2. Approval of Dir or higher needed to override prerequisite condition.
3. Assignee should not have exceeded 5 self assignment operations in the
current month.
4. Obligation to complete mandatory system training 5 days from assignment.
SSRBAC08 Example
UC for Role E1
1. Cannot activate if E2 is active.
2. Extranet activation allowed if role C is active.
3. Activation of role allowed from extranet only during 9 AM-5 PM
Mon-Fri.
RC for Role E1
1. Revoke if assignment obligations are not met.
2. Revoked 1 year from assignment date.
3. Need extension approval from Dir or above to override 1 year rule.
4. Revocation if no activation in 3 months period.
5. Self revoke requires Dir approval.
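The E1 criteria above, evaluated for a self-assignment request and for revocation, as an added Python example (not part of SSRBAC08 or of the presentation). The function names, counters and the approval tokens ENG_VP and DIR_OR_HIGHER are constructed for illustration; role sets are assumed to already contain inherited roles, and 1 year and 3 months are taken as 365 and 90 days.

```python
from datetime import date, timedelta

# Added example. Approval tokens and counter names are constructed for illustration;
# role sets are assumed to already include inherited (junior) roles.
def self_assign_e1(roles, approvals, self_assigns_this_month,
                   e1_assignments_this_week, consultant_members, today):
    """Evaluate a self-assignment to E1; return (decision, detail, obligations)."""
    # Criteria the slides list without an override path.
    if "C" not in roles:                                   # ADC 1
        return "deny", ["ADC1: self assignment needs role C"], []
    if e1_assignments_this_week >= 20:                     # ADC 4
        return "deny", ["ADC4: 20 assignments per week"], []
    if self_assigns_this_month > 5:                        # AC 3, literal reading
        return "deny", ["AC3: more than 5 self assignments this month"], []
    # Criteria that an approval can override.
    missing = []
    if consultant_members >= 30 and "ENG_VP" not in approvals:      # ADC 5, 6
        missing.append("ENG_VP")
    prerequisite_ok = "EMP" in roles and "E2" not in roles          # AC 1
    if not prerequisite_ok and "DIR_OR_HIGHER" not in approvals:    # AC 2
        missing.append("DIR_OR_HIGHER")
    if missing:
        return "needs_approval", missing, []
    training_due = today + timedelta(days=5)                        # AC 4
    return "grant", [], [("mandatory system training", training_due)]

def revocation_reasons(assigned, last_activation, training_done, today,
                       extension_approved=False):
    """Return the RC rules for E1 that currently call for revocation."""
    reasons = []
    if not training_done and today > assigned + timedelta(days=5):  # RC 1
        reasons.append("RC1: assignment obligation not met")
    if today >= assigned + timedelta(days=365) and not extension_approved:  # RC 2, 3
        reasons.append("RC2: 1 year since assignment")
    if today - (last_activation or assigned) > timedelta(days=90):  # RC 4
        reasons.append("RC4: no activation in 3 months")
    return reasons
```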
URA97 in SSRBAC08
Prerequisite Conditions
• ED
– ADC: Assignor needs to have SSO
– AC: Assignee needs to have E
• E1
– ADC: Assignor needs to have PSO1 or senior
– AC: Assignee needs to have ED
• PE1
– ADC: Assignor needs to have PSO1 or senior
– AC: If assignor is PSO1 then assignee should have ED and not have QE1. If assignor is DSO or higher then assignee should have ED.
• QE1
– ADC: Assignor needs to have PSO1 or senior
– AC: If assignor is PSO1 then assignee should have ED and not have PE1. If assignor is DSO or higher then assignee should have ED.
• PL1
– ADC: Assignor needs to have PSO1 or senior
– AC: If assignor is PSO1 then assignee should have QE1 and PE1. If assignor is DSO or higher then assignee should have ED.
• DIR
– ADC: Assignor needs to have SSO
– AC: Assignee needs to have ED
URA97 in SSRBAC08
Revocation
Role   ADC
ED     SSO or higher can revoke
E1     PSO1 or higher can revoke
PE1    PSO1 or higher can revoke
QE1    PSO1 or higher can revoke
E2     PSO2 or higher can revoke
PE2    PSO2 or higher can revoke
QE2    PSO2 or higher can revoke
PL1    DSO or higher can revoke
PL2    DSO or higher can revoke
DIR    SSO or higher can revoke
Conclusions
• RBAC can be used to manage itself
• The URA97 model allows user-role assignment to be decentralized
• URA97 is viable
• Proof of concept implementation in Oracle
• The SSRBAC08 framework allows self service assignment to be realized
• Related Work
• URA97 implementations on other platforms (NT, Unix, and Web)
• URA02
• Attribute Based RBAC
Contributions
• URA97
• One of the earliest RBAC administrative models
• Decentralizes user-role assignment
• Needs administrative roles
• PRA97
• Dual of URA97
• Decentralizes permission-role assignment
• Implemented URA97 in Oracle
• Proof of concept implementation
Contributions
• Push Model
• Deals with User-role assignment in distributed systems.
• Global hierarchy is maintained in a centralized location
• Pushes assignment and revocation information to local
systems
• ASCAA Principles
• Extend RBAC foundation principles
• Containment includes SOD, least privilege and usage
control
• Automation and accountability are introduced
Contributions
• SSRBAC08
• Framework for self service user-role assignment built on
ASCAA principles.
• Modifies RBAC96 by classifying constraints into four
categories
• Assignment and Administrative Criteria determine
assignment policy
• Usage Criteria determines usage policy
• Revocation and Administrative Criteria determine
Revocation policy
Future Work
• Policy Language for SSRBAC08 criteria
• Extend Attribute based RBAC to use
• How to model RORBAC in SSRBAC08 framework
Publications
• Ravi Sandhu and Venkata Bhamidipati, "The URA97 Model for Role-Based User-Role Assignment", IFIP11.3 1997.
• Ravi Sandhu, Venkata Bhamidipati, Edward Coyne, Srinivas Ganta and Charles Youman, "The ARBAC97 Model for Role-Based Administration of Roles: Preliminary Description and Outline", ACM RBAC 1997.
• Ravi Sandhu and Venkata Bhamidipati, "An Oracle Implementation of the PRA97 Model for Permission-Role Assignment", ACM RBAC 1998.
• Ravi Sandhu, Venkata Bhamidipati and Qamar Munawer, "The ARBAC97 Model for Role-Based Administration of Roles", ACM Transactions on Information and Systems Security (TISSEC), Volume 2, Number, February 1999.
• Ravi Sandhu and Venkata Bhamidipati, "Role-Based Administration of User-Role Assignment: The URA97 Model and its Oracle Implementation", Journal of Computer Security, Volume 7, 1999.
• Venkata Bhamidipati and Ravi Sandhu, "Push Architectures for User-Role Assignment", NISSC 2000.
• Ravi Sandhu and Venkata Bhamidipati, "The ASCAA Principles for Next-Generation Role-Based Access Control", Proc. 3rd International Conference on Availability, Reliability and Security (ARES), 2008.