hapter 4
Access Control
Rolebased models
RBAC
Agenda
Rolebased models
Administrative rolebased access control model
/>id=_O7xBwAAQBAJ&pg=PA171&lpg=PA171
&dq=Open/close+policy+in+database+security
&source=bl&ots=4cH6efHzHp&sig=eO6djffm
piyvB0L6hmWAbPPeZow&hl=vi&sa=X&ei=
F2PVb
YOcaJuATyvIHQAw&redir_esc=y#v=onepage
&q&f=false
Rolebased models
Many organizations base access control decisions on “the roles that
individual users take on as part of the organization”.
They prefer to centrally control and maintain access rights that reflect
the organization’s protection guidelines.
With RBAC, rolepermission relationships can be predefined, which
makes it simple to assign users to the predefined roles.
The combination of users and permissions tend to change over time,
the permissions associated with a role are more stable.
RBAC concept supports three wellknown security principles:
–
Least privilege
–
Separation of duties
–
Data abstraction
Role Based Access Control
(RBAC)
Access control in
organizations is
based on “roles
that individual
users take on as
part of the
organization”
A role is “is a
collection of
permissions”
Roles Hierarchies
Users
User Role
Assignment
Roles
Constraints
Role Permission
Assignment
Permissions
Role Based Access Control
(RBAC)
RBAC
Access depends on role/function, not
identity
–
Example: Allison is bookkeeper for Math
Dept. She has access to financial records. If she
leaves and Betty is hired as the new
bookkeeper, Betty now has access to those
records. The role of “bookkeeper” dictates
access, not the identity of the individual.
RBAC
Users
Permission
Users
Permissions
u1
o1
u1
o1
o2
u2
o2
om
un
om
Manager
Senior
Administrator
Senior
Engineer
Administrator
Engineer
Employee
u2
Role
r
un
n + m
assignments
n m
assignments
(a)
(b)
RBAC (cont’d)
Is RBAC a discretionary or mandatory access control?
– RBAC is policy neutral; however individual RBAC configurations
can support a mandatory policy, while others can support a
discretionary policy.
Role Hierarcies
Role Administration
Project Supervisor
Test engineer
Programmer
Project Member
RBAC (NIST Standard)
PA
UA
Users
Roles
Operations
Objects
Permissions
user_sessions
(one-to-many)
role_sessions
(many-to-many)
Sessions
An important difference from classical models is that
Subject in other models corresponds to a Session in RBAC
Core RBAC (relations)
Permissions = 2Operations x Objects
UA ⊆ Users x Roles
PA ⊆ Permissions x Roles
assigned_users: Roles 2Users
assigned_permissions: Roles 2Permissions
Op(p): set of operations associated with permission p
Ob(p): set of objects associated with permission p
user_sessions: Users 2Sessions
session_user: Sessions Users
session_roles: Sessions 2Roles
– session_roles(s) = {r | (session_user(s), r) UA)}
avail_session_perms: Sessions 2Permissions
RBAC with General Role Hierarchy
RH
(role hierarchy)
PA
UA
Users
Roles
user_sessions
(one-to-many)
Sessions
Operations
Objects
Permissions
role_sessions
(many-to-many)
RBAC with General Role Hierarchy
authorized_users: Roles 2Users
authorized_users(r) = {u | r’ ≥ r &(r’, u) UA)
authorized_permissions: Roles 2Permissions
authorized_users(r) = {p | r’ ≥ r &(p, r’) PA)
RH Roles x Roles is a partial order
–
–
called the inheritance relation
written as ≥.
(r1 ≥ r2) authorized_users(r1) ⊆ authorized_users(r2) &
authorized_permisssions(r2) ⊆ authorized_permisssions(r1)
Example
px,
e10
py
e8,
px, e9
py
Manager
px,
e5py
Senior
Administrator
pa, pb
Administrator
px, py
e3,
px, e4
py
e1,
px, e2
py
Employee
p1, p2
pp
Senior
Engineer
e6,
px, e7
py
po
Engineer
pm, pn
authorized_users(Employee)?
authorized_users(Administrator)?
authorized_permissions(Employee)?
authorized_permissions(Administrator)?
Constrained RBAC
RH
(role hierarchy)
Static
Separation
of Duty
PA
UA
Users
Roles
Operations
Objects
Permissions
user_sessions
(one-to-many)
Sessions
Dynamic
Separation
of Duty
Separation of Duties
§
No user should be given enough privileges to misuse
the system on their own.
§
Statically: defining the conflicting roles
§
Dynamically: Enforcing the control at access time
Role vs. Types Data Structures
RBAC
–
–
–
U: set of users
P: set of permissions
R: set of roles
Type Enforcement
–
–
E: set of subjects or objects
Permission Assignment
ST: set of subject types
OT: set of object types
O: set of operations
Role vs. Types Data Structures
Users: U
Permissions: P
Roles: R
Assignments: Userrole, permrole, role
role
Sessions: S
Function: user(S), roles(S)
Constraints: C
RBAC Family of Models
RBAC0 contains all but hierarchies and
constraints
RBAC1 contains RBAC0 and hierarchies
RBAC2 contains RBAC0 and constraints
RBAC3 contains all
The RBAC family idea has always been more a
NIST initiative
The RBAC families are present in the NIST
RBAC standard [NIST2001] with slight
modifications:
–
RBAC0, RBAC1 (options), RBAC3 (SSD) , RBAC3
(DSD)
Advantages of RBAC
Allows Efficient Security Management
–
Administrative roles, Role hierarchy
Principle of least privilege allows minimizing
damage
Separation of Duties constraints to prevent fraud
Allows grouping of objects
Policyneutral Provides generality
Encompasses DAC and MAC policies
RBAC’s Benefits
Cost Benefits
Saves about 7.01 minutes per employee, per year in
administrative functions
–
–
Average IT admin salary $59.27 per hour
The annual cost saving is:
•
$6,924/1000; $692,471/100,000
Reduced Employee downtime
–
–
–
if new transitioning employees receive their system privileges
faster, their productivity is increased
26.4 hours for nonRBAC; 14.7 hours for RBAC
For average employee wage of $39.29/hour, the annual
productivity cost savings yielded by an RBAC system:
•
$75000/1000; $7.4M/100,000
RBAC Products
SUN Solaris
Sybase SQL Server
BMC INCONTROL for Security Management
Systor Security Administration Manager
Tivoli TME Security Management
Computer Associates Protect IT
Siemens rbacDirX