Role-Based Access Control
Prof. Ravi Sandhu
Laboratory for Information Security Technology
George Mason University
www.list.gmu.edu
© 2004 Ravi Sandhu
www.list.gmu.edu
Access Control Models: A perspective
Access Matrix Model (Lampson 1971)
[Figure: access matrix with subjects U and V as rows and objects F and G (objects, which may themselves be subjects) as columns; each cell holds the rights of that subject on that object, such as rw or r.]
Access Matrix Model
• Separates authentication from authorization
• Rights are persistent
  These items have come into question in recent times, but that is a topic for another talk.
• Separates model from implementation
• Policy versus mechanism
  This separation continues to be valuable and will be discussed and refined later in this talk.
MAC, DAC and RBAC
• For 25 years (1971-96) access control was divided into
  • Mandatory Access Control (MAC)
  • Discretionary Access Control (DAC)
• Since the early-mid 1990’s Role-Based Access Control (RBAC) has become a dominant force
• RBAC subsumes MAC and DAC
• RBAC is not the “final” answer BUT is a critical piece of the “final” answer
Mandatory Access Control (MAC)
[Figure: lattice of security labels TS, S, C, U, with TS at the top and U at the bottom; one arrow marks dominance, the other the direction of permitted information flow.]
Rights are determined by security labels (Bell-LaPadula 1971)
Mandatory Access Control (MAC)
[Figure: the access matrix again, subjects U and V against objects F and G with rights rw and r.]
The security label of F must dominate or equal the security label of G.
Discretionary Access Control (DAC)
• The owner of a resource determines access to that resource
• The owner is often the creator of the resource
• Fails to distinguish read from copy
  • This distinction has re-emerged recently under the name Dissemination Control (DCON)
Discretionary Access Control (DAC)
[Figure: the access matrix, subjects U and V against objects F and G with rights rw and r.]
Discretionary Access Control (DAC)
[Figure: the same matrix with own rights added alongside rw, marking which subject owns each object.]
Rights are determined by the owners
Beyond DAC and MAC
• Many attempts were made
  • Domain-Type enforcement (Boebert-Kain 1985)
  • Clark-Wilson (1987)
  • Chinese Walls (Brewer-Nash 1989)
  • Harrison-Ruzzo-Ullman (1976)
  • Schematic Protection Model (Sandhu 1985)
  • Typed Access Matrix Model (Sandhu 1992)
  • …
• RBAC solves this problem
Role-Based Access Control: The RBAC96 Model
• Ravi Sandhu, Edward Coyne, Hal Feinstein and Charles Youman, “Role-Based Access Control Models.” IEEE Computer, Volume 29, Number 2, February 1996, pages 38-47.
ROLE-BASED ACCESS CONTROL (RBAC)
• A user’s permissions are determined by the user’s roles
  • rather than identity or clearance
• roles can encode arbitrary attributes
• multi-faceted
• ranges from very simple to very sophisticated
Central concept of RBAC
[Figure: USERS are linked to ROLES by USER-ROLE ASSIGNMENT, and ROLES to PERMISSIONS by PERMISSION-ROLE ASSIGNMENT.]
WHAT IS THE POLICY IN RBAC?
• RBAC is a framework to help in articulating policy
• The main point of RBAC is to facilitate security management
RBAC SECURITY PRINCIPLES
• least privilege
• separation of duties
• separation of administration and access
• abstract operations
RBAC96 IEEE Computer Feb. 1996
• Policy neutral
• can be configured to do MAC
  • roles simulate clearances (ESORICS 96)
• can be configured to do DAC
  • roles simulate identity (RBAC98)
WHAT IS RBAC?
• multidimensional
• open ended
• ranges from simple to sophisticated
RBAC CONUNDRUM
• turn on all roles all the time
• turn on one role only at a time
• turn on a user-specified subset of roles
RBAC96 FAMILY OF MODELS
[Figure: the RBAC96 family. RBAC0 (basic RBAC) at the bottom; RBAC1 adds role hierarchies and RBAC2 adds constraints; RBAC3 at the top combines role hierarchies and constraints.]
RBAC0
[Figure: RBAC0. USERS linked to ROLES by USER-ROLE ASSIGNMENT and ROLES to PERMISSIONS by PERMISSION-ROLE ASSIGNMENT; a user has many SESSIONS, each activating some of that user's roles.]
PERMISSIONS
• Primitive permissions
  • read, write, append, execute
• Abstract permissions
  • credit, debit, inquiry
PERMISSIONS
• System permissions
  • Auditor
• Object permissions
  • read, write, append, execute, credit, debit, inquiry
PERMISSIONS
• Permissions are positive
• No negative permissions or denials
  • negative permissions and denials can be handled by constraints
• No duties or obligations
  • outside scope of access control
ROLES AS POLICY
• A role brings together
  • a collection of users and
  • a collection of permissions
• These collections will vary over time
• A role has significance and meaning beyond the particular users and permissions brought together at any moment
ROLES VERSUS GROUPS
• Groups are often defined as
  • a collection of users
• A role is
  • a collection of users and
  • a collection of permissions
• Some authors define role as
  • a collection of permissions
USERS
• Users are
  • human beings or
  • other active agents
• Each individual should be known as exactly one user
USER-ROLE ASSIGNMENT
• A user can be a member of many roles
• Each role can have many users as members
SESSIONS
• A user can invoke multiple sessions
• In each session a user can invoke any subset of roles that the user is a member of
PERMISSION-ROLE ASSIGNMENT
• A permission can be assigned to many roles
• Each role can have many permissions
MANAGEMENT OF RBAC
• Option 1:
  • USER-ROLE ASSIGNMENT and PERMISSION-ROLE ASSIGNMENT can be changed only by the chief security officer
• Option 2:
  • Use RBAC to manage RBAC
RBAC1
[Figure: RBAC0 extended with ROLE HIERARCHIES over the ROLES; USERS, SESSIONS, PERMISSIONS and the two assignment relations as before.]
HIERARCHICAL ROLES
[Figure: Health-Care Provider at the bottom, Physician above it, and Primary-Care Physician and Specialist Physician above Physician.]
HIERARCHICAL ROLES
[Figure: Engineer at the bottom, Hardware Engineer and Software Engineer above it, and Supervising Engineer at the top.]
PRIVATE ROLES
[Figure: the engineering hierarchy with two private roles, Hardware Engineer’ and Software Engineer’, each senior to its public counterpart but not junior to Supervising Engineer.]
EXAMPLE ROLE HIERARCHY
[Figure: Employee (E) at the bottom, Engineering Department (ED) above it; two project sub-hierarchies, PROJECT 1 with Engineer 1 (E1) below Production 1 (P1) and Quality 1 (Q1), both below Project Lead 1 (PL1), and PROJECT 2 with Engineer 2 (E2), Production 2 (P2), Quality 2 (Q2) and Project Lead 2 (PL2) arranged the same way; Director (DIR) at the top.]
EXAMPLE ROLE HIERARCHY
[Figure: the same hierarchy without the Director role.]
EXAMPLE ROLE HIERARCHY
[Figure: the two project sub-hierarchies with Director (DIR) on top, without the Engineering Department and Employee roles.]
EXAMPLE ROLE HIERARCHY
[Figure: the two project sub-hierarchies alone.]
RBAC3
[Figure: RBAC1 with CONSTRAINTS applied to USERS, ROLES, SESSIONS and the two assignment relations, together with ROLE HIERARCHIES.]
CONSTRAINTS
• Mutually Exclusive Roles
  • Static Exclusion: The same individual can never hold both roles
  • Dynamic Exclusion: The same individual can never hold both roles in the same context
CONSTRAINTS
• Mutually Exclusive Permissions
  • Static Exclusion: The same role should never be assigned both permissions
  • Dynamic Exclusion: The same role can never hold both permissions in the same context
CONSTRAINTS
• Cardinality Constraints on User-Role Assignment
  • At most k users can belong to the role
  • At least k users must belong to the role
  • Exactly k users must belong to the role
CONSTRAINTS
• Cardinality Constraints on Permission-Role Assignment
  • At most k roles can get the permission
  • At least k roles must get the permission
  • Exactly k roles must get the permission
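The four constraint slides above, as a Python checker over an RBAC configuration (an added example, not from the talk): static and dynamic mutually exclusive roles, static mutually exclusive permissions, and cardinality constraints on user-role and permission-role assignment. The dictionary layout of the configuration, the constraint tuple encoding and the finance sample are my own.

```python
from collections import defaultdict

# Constraint tuple formats (this example's own encoding of the slide's types):
#   ("smer", r1, r2)          static exclusion: no user assigned both roles
#   ("dmer", r1, r2)          dynamic exclusion: not both active in one session
#   ("smep", p1, p2)          static exclusion: no role granted both permissions
#   ("ua_card", role, op, k)  number of users in role must satisfy `op k`
#   ("pa_card", perm, op, k)  number of roles holding perm must satisfy `op k`
OPS = {"<=": lambda n, k: n <= k, ">=": lambda n, k: n >= k, "==": lambda n, k: n == k}

def violations(ua, pa, sessions, constraints):
    """ua: {user: set(roles)}; pa: {role: set(permissions)};
    sessions: {sid: (user, set(active roles))}. Returns violation messages."""
    users_of = defaultdict(set)   # role -> users assigned to it
    for user, roles in ua.items():
        for r in roles:
            users_of[r].add(user)
    roles_of = defaultdict(set)   # permission -> roles granted it
    for role, perms in pa.items():
        for p in perms:
            roles_of[p].add(role)
    out = []
    for c in constraints:
        kind = c[0]
        if kind == "smer":
            for u in sorted(users_of[c[1]] & users_of[c[2]]):
                out.append(f"SMER: user {u} is assigned both {c[1]} and {c[2]}")
        elif kind == "dmer":
            for sid, (u, active) in sessions.items():
                if {c[1], c[2]} <= active:
                    out.append(f"DMER: session {sid} ({u}) activates {c[1]} and {c[2]}")
        elif kind == "smep":
            for r in sorted(roles_of[c[1]] & roles_of[c[2]]):
                out.append(f"SMEP: role {r} holds both {c[1]} and {c[2]}")
        else:  # cardinality on user-role or permission-role assignment
            _, target, op, k = c
            n = len(users_of[target] if kind == "ua_card" else roles_of[target])
            if not OPS[op](n, k):
                out.append(f"{kind}: {target} has {n} members, required {op} {k}")
    return out

# Constructed sample configuration for a small finance application.
UA = {"alice": {"clerk", "auditor"}, "bob": {"clerk"}, "carol": {"manager"}}
PA = {"clerk": {"credit", "debit"}, "auditor": {"inquiry"},
      "manager": {"credit", "debit", "approve"}}
SESSIONS = {"s1": ("alice", {"clerk", "auditor"}), "s2": ("bob", {"clerk"})}
CONSTRAINTS = [("smer", "clerk", "auditor"),     # alice violates this
               ("dmer", "clerk", "manager"),     # no session does
               ("smep", "debit", "approve"),     # manager violates this
               ("ua_card", "manager", "<=", 1),  # satisfied
               ("pa_card", "approve", "==", 2)]  # only one role has it

def sample_violations():
    return violations(UA, PA, SESSIONS, CONSTRAINTS)
```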
The NIST-ANSI and (hopefully) soon-to-be ISO RBAC Standard Model
• David F. Ferraiolo, Ravi Sandhu, Serban Gavrila, D. Richard Kuhn and Ramaswamy Chandramouli. “Proposed NIST Standard for Role-Based Access Control.” ACM Transactions on Information and System Security, Volume 4, Number 3, August 2001, pages 224-274.
The NIST-ANSI-ISO RBAC Model
• Adds much needed detail and consensus agreement to the RBAC96 model and other contemporary models
• Focuses on areas where consensus agreement exists and commercial implementations have been demonstrated
• Leaves many important areas for future work
• Eventual goal is much more ambitious
  • Test suite for conformance testing
RBAC96 FAMILY OF MODELS
[Figure: the RBAC96 family again: RBAC0 (basic RBAC) at the bottom, RBAC1 (role hierarchies) and RBAC2 (constraints) above it, RBAC3 (role hierarchies + constraints) at the top.]
The NIST-ANSI-ISO RBAC Model
• Additional details
  • Administrative Functions
  • Supporting System Functions
  • Review Functions
Core RBAC
Core RBAC: Administrative Functions
• AddUser
• DeleteUser
• AddRole
• DeleteRole
• AssignUser
• DeassignUser
• GrantPermission
• RevokePermission
Core RBAC: Supporting System Functions
• CreateSession
• AddActiveRole
• DropActiveRole
• CheckAccess
Core RBAC: Review Functions
• Required
  • AssignedUsers
  • AssignedRoles
• Optional
  • RolePermissions
  • UserPermissions
  • SessionRoles
  • SessionPermissions
  • RoleOperationsOnObject
  • SessionOperationsOnObject
Role-user review is required; role-permission review is optional.
Hierarchical RBAC
Limited Hierarchies
General Hierarchies
Inheritance versus Activation Hierarchy
• Inheritance hierarchy
  • Activating the Director role also activates all junior roles (by inheritance of permissions)
  • Violates least privilege
• Activation hierarchy
  • Activating the Director role does not activate junior roles (there is no inheritance of permissions)
  • Junior roles must be explicitly activated
  • Preserves least privilege but is less automated
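The Core RBAC functions (AssignUser, GrantPermission, CreateSession, AddActiveRole, DropActiveRole, CheckAccess) and the two readings of a role hierarchy just described, in one added Python example; this is my code, not the NIST specification's reference implementation. The `inherit` flag on `check_access` switches between the inheritance hierarchy and the activation hierarchy, and the hierarchy constant is the engineering department from the earlier slides.

```python
from collections import defaultdict

class RBAC:
    """Minimal RBAC1 engine with a Core-RBAC-style functional interface."""

    def __init__(self, senior_of):
        # senior_of maps a role to its direct juniors, e.g. {"PL1": {"P1", "Q1"}}.
        self.senior_of = senior_of
        self.ua = defaultdict(set)   # user -> explicitly assigned roles
        self.pa = defaultdict(set)   # role -> permissions as (operation, object)
        self.sessions = {}           # session id -> (user, set of active roles)
    def juniors(self, role):
        """The role itself plus every role junior to it (transitive closure)."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.senior_of.get(r, ()))
        return seen

    # Administrative functions: AssignUser, GrantPermission
    def assign_user(self, user, role):
        self.ua[user].add(role)
    def grant_permission(self, role, operation, obj):
        self.pa[role].add((operation, obj))

    # Supporting system functions: CreateSession, AddActiveRole, DropActiveRole, CheckAccess
    def authorized_roles(self, user):
        """Roles the user may activate: assigned roles and all their juniors."""
        return set().union(*(self.juniors(r) for r in self.ua[user]))
    def create_session(self, sid, user, roles=()):
        self.sessions[sid] = (user, set())
        for r in roles:
            self.add_active_role(sid, r)
    def add_active_role(self, sid, role):
        user, active = self.sessions[sid]
        if role not in self.authorized_roles(user):
            raise PermissionError(f"{user} is not authorized for role {role}")
        active.add(role)
    def drop_active_role(self, sid, role):
        self.sessions[sid][1].discard(role)

    def check_access(self, sid, operation, obj, inherit=True):
        """inherit=True: inheritance hierarchy, an active role carries the
        permissions of all its juniors. inherit=False: activation hierarchy,
        only roles explicitly activated in the session contribute."""
        _, active = self.sessions[sid]
        effective = set().union(*(self.juniors(r) for r in active)) if inherit else active
        return any((operation, obj) in self.pa[r] for r in effective)

# The engineering-department hierarchy from the slides, senior -> direct juniors.
ENGINEERING = {"DIR": {"PL1", "PL2"}, "PL1": {"P1", "Q1"}, "PL2": {"P2", "Q2"}, "P1": {"E1"},
               "Q1": {"E1"}, "P2": {"E2"}, "Q2": {"E2"}, "E1": {"ED"}, "E2": {"ED"}, "ED": {"E"}}
```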
Constrained RBAC: Static Separation of Duties
Constrained RBAC: Dynamic Separation of Duties
MAC and DAC in RBAC
• Sylvia Osborn, Ravi Sandhu and Qamar Munawer. “Configuring Role-Based Access Control to Enforce Mandatory and Discretionary Access Control Policies.” ACM Transactions on Information and System Security, Volume 3, Number 2, May 2000, pages 85-106.
MAC
[Figure: lattice with H at the top, M1 and M2 incomparable in the middle and L at the bottom; Read and Write arrows marked + and - show the direction in which each operation may cross levels.]
MAC in RBAC96
[Figure: two role hierarchies. Read roles: HR senior to M1R and M2R, which are senior to LR. Write roles, inverted: LW senior to M1W and M2W, which are senior to HW.]
MAC in RBAC96
• user is assigned to xR, where x is the user's clearance
• user is assigned to LW, independent of clearance
• Need constraints
  • session has xR active iff session has xW active
  • in a session exactly one read role must be activated, and this cannot be changed
  • read can be assigned only to xR roles
  • write can be assigned only to xW roles
  • (O,read) assigned to xR iff (O,write) assigned to xW
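The construction above carried out in Python, as an added example (my code, not from the Osborn-Sandhu-Munawer paper): the lattice is the H, M1, M2, L one from the figure, read roles inherit downwards, write roles inherit upwards, and the session constraints tie xR to xW. `check_access` then behaves as Bell-LaPadula (read down, write up). The lattice encoding and the `demo` objects are my own.

```python
# Lattice from the slides: H dominates M1 and M2 (incomparable), both dominate L.
# DOMINATES[x] is the set of labels that x dominates, x itself included.
DOMINATES = {"H": {"H", "M1", "M2", "L"}, "M1": {"M1", "L"}, "M2": {"M2", "L"}, "L": {"L"}}

def dominated_by(x):
    """Labels that dominate x (x included): the direction a write may go."""
    return {y for y, below in DOMINATES.items() if x in below}

class MacInRbac:
    """RBAC96 configured as MAC: roles xR and xW per label, two hierarchies,
    and the session constraints from the slide."""

    def __init__(self):
        self.clearance = {}   # user -> clearance x; user is a member of xR and of LW
        self.label = {}       # object -> label x; (O,read) sits in xR, (O,write) in xW
        self.sessions = {}    # session id -> frozenset of active roles

    def add_user(self, user, clearance):
        self.clearance[user] = clearance

    def add_object(self, obj, label):
        self.label[obj] = label

    def create_session(self, sid, user, level):
        # Read hierarchy HR > M1R, M2R > LR: a user assigned to xR may activate yR
        # for any y that x dominates. Constraint: exactly one read role, and xW
        # is active iff xR is (every xW is junior to LW, which all users hold).
        if level not in DOMINATES[self.clearance[user]]:
            raise PermissionError(f"{user} is not cleared for level {level}")
        self.sessions[sid] = frozenset({level + "R", level + "W"})

    def role_permissions(self, role):
        """Permissions a role holds, inherited ones included:
        xR inherits yR for every y dominated by x (read down);
        xW inherits yW for every y dominating x (write up, LW at the top)."""
        x, kind = role[:-1], role[-1]
        if kind == "R":
            return {(o, "read") for o, lab in self.label.items() if lab in DOMINATES[x]}
        return {(o, "write") for o, lab in self.label.items() if lab in dominated_by(x)}

    def check_access(self, sid, obj, op):
        return any((obj, op) in self.role_permissions(r) for r in self.sessions[sid])

# Constructed sample: a user cleared to H working in an M1 session.
def demo():
    m = MacInRbac()
    m.add_user("u", "H")
    for o, lab in {"oL": "L", "oM1": "M1", "oM2": "M2", "oH": "H"}.items():
        m.add_object(o, lab)
    m.create_session("s", "u", "M1")
    return {(o, op): m.check_access("s", o, op) for o in m.label for op in ("read", "write")}
```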
DAC in RBAC96
• Construction is more complex
  • Requires multiple roles for every object
• Revocation
  • Grant-dependent revocation is harder to handle
  • Grant-independent revocation is easier to handle
MAC and DAC in the NIST-ANSI-ISO Model
• RBAC96 constructions use cardinality constraints in addition to Static and Dynamic separation of duties
• These constructions are not applicable to the NIST-ANSI-ISO RBAC model
• Can the NIST-ANSI-ISO RBAC model do MAC and DAC?
  • With extensions: yes
  • Without extensions: probably not
Administrative RBAC: ARBAC97
• Ravi Sandhu, Venkata Bhamidipati and Qamar Munawer. “The ARBAC97 Model for Role-Based Administration of Roles.” ACM Transactions on Information and System Security, Volume 2, Number 1, February 1999, pages 105-135.
EXAMPLE ROLE HIERARCHY
[Figure: the engineering hierarchy from before: Employee (E) at the bottom, Engineering Department (ED) above it, the PROJECT 1 roles E1, P1, Q1, PL1 and PROJECT 2 roles E2, P2, Q2, PL2, and Director (DIR) at the top.]
EXAMPLE ADMINISTRATIVE ROLE HIERARCHY
[Figure: Senior Security Officer (SSO) at the top, Department Security Officer (DSO) below it, and Project Security Officer 1 (PSO1) and Project Security Officer 2 (PSO2) below DSO.]
URA97 GRANT MODEL: can-assign
ARole   Prereq Role   Role Range
PSO1    ED            [E1,PL1)
PSO2    ED            [E2,PL2)
DSO     ED            (ED,DIR)
SSO     E             [ED,ED]
SSO     ED            (ED,DIR]
URA97 GRANT MODEL
• “redundant” assignments to senior and junior roles
  • are allowed
  • are useful
URA97 REVOKE MODEL
WEAK REVOCATION
• revokes explicit membership in a role
• independent of who did the assignment
URA97 REVOKE MODEL
STRONG REVOCATION
• revokes explicit membership in a role and its seniors
• authorized only if corresponding weak revokes are
authorized
• alternatives
– all-or-nothing
– revoke within range
URA97 REVOKE MODEL: can-revoke
ARole   Role Range
PSO1    [E1,PL1)
PSO2    [E2,PL2)
DSO     (ED,DIR)
SSO     [ED,DIR]
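The can-assign and can-revoke tables above, evaluated in Python as an added example (my code, not ARBAC97 reference code). Role ranges use the slides' bracket notation, the prerequisite role is satisfied by explicit membership or by holding a role senior to it, and strong revocation is the all-or-nothing variant: it is refused unless every implied weak revoke is authorized. The administrative hierarchy (SSO over DSO over PSO1, PSO2) is assumed to have already been resolved to the single administrative role passed in.

```python
# Engineering role hierarchy from the slides, senior -> direct juniors.
SENIOR_OF = {"DIR": {"PL1", "PL2"}, "PL1": {"P1", "Q1"}, "PL2": {"P2", "Q2"}, "P1": {"E1"},
             "Q1": {"E1"}, "P2": {"E2"}, "Q2": {"E2"}, "E1": {"ED"}, "E2": {"ED"}, "ED": {"E"}}

# URA97 tables from the slides: (administrative role, prerequisite role, role range)
CAN_ASSIGN = [("PSO1", "ED", "[E1,PL1)"), ("PSO2", "ED", "[E2,PL2)"), ("DSO", "ED", "(ED,DIR)"),
              ("SSO", "E", "[ED,ED]"), ("SSO", "ED", "(ED,DIR]")]
CAN_REVOKE = [("PSO1", "[E1,PL1)"), ("PSO2", "[E2,PL2)"), ("DSO", "(ED,DIR)"), ("SSO", "[ED,DIR]")]

def senior_or_equal(a, b):
    """True if role a is senior to or equal to role b (transitive closure)."""
    seen, stack = set(), [a]
    while stack:
        r = stack.pop()
        if r == b:
            return True
        if r not in seen:
            seen.add(r)
            stack.extend(SENIOR_OF.get(r, ()))
    return False

def in_range(role, rng):
    """Parse '[lo,hi)'-style ranges: '[' and ']' inclusive, '(' and ')' exclusive."""
    lo, hi = rng[1:-1].split(",")
    above_lo = senior_or_equal(role, lo) and (rng[0] == "[" or role != lo)
    below_hi = senior_or_equal(hi, role) and (rng[-1] == "]" or role != hi)
    return above_lo and below_hi

def can_assign(admin_role, user_roles, target):
    """May admin_role assign target to a user whose explicit roles are user_roles?"""
    for arole, prereq, rng in CAN_ASSIGN:
        if arole != admin_role:
            continue
        if any(senior_or_equal(r, prereq) for r in user_roles) and in_range(target, rng):
            return True
    return False

def can_weak_revoke(admin_role, target):
    return any(a == admin_role and in_range(target, rng) for a, rng in CAN_REVOKE)

def strong_revoke(admin_role, user_roles, target):
    """All-or-nothing strong revoke: remove explicit membership in target and in
    every senior role the user holds; None if any implied weak revoke is refused."""
    implied = {r for r in user_roles if senior_or_equal(r, target)}
    if not all(can_weak_revoke(admin_role, r) for r in implied):
        return None
    return set(user_roles) - implied
```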
PERMISSION-ROLE ASSIGNMENT
• dual of user-role assignment
• can-assign-permission
• can-revoke-permission
  • weak revoke
  • strong revoke (propagates down)
PERMISSION-ROLE ASSIGNMENT: CAN-ASSIGN-PERMISSION
ARole   Prereq Cond   Role Range
PSO1    PL1           [E1,PL1)
PSO2    PL2           [E2,PL2)
DSO     E1 ∧ E2       [ED,ED]
SSO     PL1 ∧ PL2     [ED,ED]
SSO     ED            [E,E]
PERMISSION-ROLE ASSIGNMENT: CAN-REVOKE-PERMISSION
ARole   Role Range
PSO1    [E1,PL1]
PSO2    [E2,PL2]
DSO     (ED,DIR)
SSO     [ED,DIR]
OM-AM and RBAC
THE OM-AM WAY
[Figure: four layers, Objectives and Model answering "What?", Architecture and Mechanism answering "How?", with Assurance running across all four.]
LAYERS AND LAYERS
• Multics rings
• Layered abstractions
• Waterfall model
• Network protocol stacks
• Napoleon layers
• RoFi layers
• OM-AM
• etcetera
OM-AM AND MANDATORY ACCESS CONTROL (MAC)
• Objectives (what?): No information leakage
• Model: Lattices (Bell-LaPadula)
• Architecture: Security kernel
• Mechanism (how?): Security labels
(Assurance spans all four layers.)
OM-AM AND DISCRETIONARY ACCESS CONTROL (DAC)
• Objectives (what?): Owner-based discretion
• Model: numerous
• Architecture: numerous
• Mechanism (how?): ACLs, Capabilities, etc.
(Assurance spans all four layers.)
OM-AM AND ROLE-BASED ACCESS CONTROL (RBAC)
• Objectives (what?): Objective neutral
• Model: RBAC96, ARBAC97, etc.
• Architecture: user-pull, server-pull, etc.
• Mechanism (how?): certificates, tickets, PACs, etc.
(Assurance spans all four layers.)
Server-Pull Architecture
[Figure: the Client talks to the Server; the Server pulls the user's role information from the User-role Authorization Server.]
User-Pull Architecture
[Figure: the Client first obtains its user-role information from the User-role Authorization Server and presents it to the Server.]
Proxy-Based Architecture
[Figure: the Client talks to a Proxy, which consults the User-role Authorization Server and forwards requests to one of several Servers.]
RBAC Mechanisms
• RBAC can be implemented using
  • Secure cookies: user-pull architecture
  • X.509 certificates: user-pull or server-pull architectures
Other RBAC Research and Results
RBAC Research (dates are approximate)
• The early NIST model: Ferraiolo et al 1992 onwards
• Role-Graph Model: Osborn et al 1994 onwards
• OASIS model and architecture: Moody et al 1994 onwards
• Trust Management: Herzberg, Li, Winsborough, et al 1996 onwards
• Temporal RBAC: Bertino et al 1998 onwards
• Constraint languages: Ahn and Sandhu, 2000
• Delegation in RBAC: Barka, Sandhu, Ahn et al 2000 onwards
• RBAC and workflow systems: Atluri, Sandhu, Ahn, Park et al 1998 onwards
• RBAC administration: Kern, Sandhu, Oh, Moffett et al 1998 onwards
• RBAC engineering: Thomsen, Kern, Epstein, Sandhu et al 2000 onwards
• Context-aware RBAC: Covington et al, 2000 onwards
• Rule-based RBAC: Al-Kahtani and Sandhu, 2002 onwards
• …
Ongoing and Future Work in RBAC
Research Challenges
• Automated RBAC
• RBAC engineering
• Formal models for RBAC
• Analysis of RBAC policies
• Integration with attribute-based access control
• RBAC in pervasive and ad hoc environments
• Cross-domain RBAC
• …