Page 1

© 2005 Ravi Sandhu, www.list.gmu.edu

Access Control Hierarchies (best viewed in slide show mode)

Ravi Sandhu
Laboratory for Information Security Technology
George Mason University
[email protected]

Page 2

RBAC96 Model

Page 3

ARBAC97

• User-Role Assignment: URA97

• Permission-Role Assignment: PRA97

• Role-Role Assignment: RRA97

Ravi Sandhu, Venkata Bhamidipati and Qamar Munawer. “The ARBAC97 Model for Role-Based Administration of Roles.” ACM Transactions on Information and System Security, Volume 2, Number 1, February 1999, pages 105-135.

Page 4

Example Role Hierarchy

Page 5

Example Administrative Role Hierarchy

Page 6

Abilities, Groups and UP-Roles

Page 7

Four operations

• Create role
• Delete role
• Insert edge
• Delete edge

• Authorized by a single relation can-modify
• More complex operations can be built from these
• Chief Security Officer can bypass all these controls

Page 8

can-modify

(figure annotation: "not a typo")

• Authority range must be encapsulated
• To be discussed later

Page 9

Example Role Hierarchy

(figure: role hierarchy with administrative ranges; labels DSO, PSO1)

Page 10

Semantics of create role

• Specify immediate parent and child
  • These must be within the can-modify range or be one of the endpoints of the range
• Immediate parent must be senior to immediate child
  • If junior, will introduce a cycle
  • If incomparable, will introduce a new edge (so introduce the new edge first and then create the new role)
• Immediate parent and immediate child must constitute a create range (prior to creation)
  • To be discussed later

Page 11

Semantics of delete role

• Deletion of a role preserves all transitive edges
• Deletion that causes dangling references is prohibited
  • Prohibit deletion of roles used in can_assign, can_revoke, can_modify OR
  • Deactivate these roles when they are deleted. Inactive roles cannot be activated in a session and new users and permissions cannot be added.
• Preserve permissions and users in a deleted role
  • Only empty roles can be deleted OR
  • Users pushed down to immediately junior roles and permissions are pushed up to immediately senior roles

Page 12

Semantics of insert edge

• Edges can be inserted only between incomparable roles

• Edge insertion must preserve encapsulation of authority ranges
• To be discussed

Page 13

Semantics of delete edge

• Edges can be deleted only if they are not transitively implied

• Deleting an edge preserves transitive edges
  • Some of which will become visible in the Hasse diagram
• Cannot delete an edge between the endpoints of an authority range
  • To be discussed

Page 14

Edge insertion anomaly

(figure: role hierarchy with administrative ranges; labels DSO, PSO1)

Page 15

Edge insertion anomaly

• Edge insertion by PSO1 in range (E1,PL1) impacts the relationship between X and Y outside the PSO1 range

Page 16

Edge insertion anomaly

• Let it happen

• Do not allow X and Y to be introduced (by DSO)

• Do not allow PSO1 to insert edge from QE1 to PE1

Page 17

Role Ranges

(figure annotation: "typo")

Page 18

Range Definitions

• Range
• Create Range
• Encapsulated Range
• Authority Range

Page 19

Encapsulated Role Ranges

(figure annotation: "typo")

Page 20

Encapsulated Role Ranges

(figure: role hierarchy with administrative ranges; labels DSO, PSO1)

Encapsulated
• (E1,PL1)
• (E2,PL2)
• (ED,DIR)
• (E,DIR)

Non-encapsulated
• (E,PL1)
• (E,PL2)
• (E,E1)
• (E,E2)

Page 21

Encapsulated Role Ranges

Encapsulated
• (x,y)
• (r2,y)
• (B,A)

Non-encapsulated
• (x',y')
• (B,y')

Page 22

Encapsulated Role Ranges

Encapsulated
• (r2,y)
• (B,A)

Non-encapsulated
• (x,y)
• (x',y')
• (B,y')

Page 23

Create Ranges

Page 24

Create Ranges

Authority ranges
• (B,A)
• (x,y)

Create ranges
• dashed lines ---

B is an end point of ARimmediate(y)
A is an end point of ARimmediate(r3)
A is an end point of ARimmediate(x)
These are not create ranges

Page 25

Preserving encapsulation on edge insertion

Page 26

Preserving encapsulation on edge insertion

Authority ranges
• (B,A)
• (x,y)

• Insertion of (y,r3) is ok but will prevent future insertion of (r3,x)
• Likewise insertion of (r3,x) is ok but will prevent future insertion of (y,r3)
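As an added example (not code from the slides or from the RRA97 paper), the encapsulation test behind the "Encapsulated Role Ranges" slides and the insert-edge rule ("only between incomparable roles, and encapsulation of every authority range must be preserved") in Python. The hierarchy is the ARBAC97 example reconstructed from the slide text (E, ED, E1, E2, PE1, QE1, PL1, PE2, QE2, PL2, DIR); the encapsulation definition is stated as I recall it from RRA97, and the can-modify authority ranges assigned to PSO1, PSO2 and DSO are assumptions.

```python
from itertools import product

# Constructed from the slide text: direct (junior, senior) edges of the
# ARBAC97 example role hierarchy used on the "Encapsulated Role Ranges" slide.
EDGES = [
    ("E", "ED"), ("ED", "E1"), ("ED", "E2"),
    ("E1", "PE1"), ("E1", "QE1"), ("PE1", "PL1"), ("QE1", "PL1"),
    ("E2", "PE2"), ("E2", "QE2"), ("PE2", "PL2"), ("QE2", "PL2"),
    ("PL1", "DIR"), ("PL2", "DIR"),
]
# Assumed can-modify authority ranges (PSO1, PSO2, DSO); not given on the slides.
AUTHORITY_RANGES = [("E1", "PL1"), ("E2", "PL2"), ("ED", "DIR")]

def closure(edges):
    """Return (roles, gt): gt holds every (junior, senior) pair, transitively."""
    roles = {r for e in edges for r in e}
    gt = set(edges)
    while True:
        new = {(a, d) for (a, b), (c, d) in product(gt, repeat=2) if b == c}
        if new <= gt:
            return roles, gt
        gt |= new

def is_encapsulated(x, y, roles, gt):
    """Assumed RRA97 definition: (x,y) is encapsulated iff every role z outside
    [x,y] satisfies (z > y <=> z > x) and (z < x <=> z < y)."""
    if (x, y) not in gt:
        return False  # not a range at all: x must be junior to y
    inside = {x, y} | {z for z in roles if (x, z) in gt and (z, y) in gt}
    for z in roles - inside:
        above_x, above_y = (x, z) in gt, (y, z) in gt
        below_x, below_y = (z, x) in gt, (z, y) in gt
        if above_x != above_y or below_x != below_y:
            return False
    return True

def can_insert_edge(junior, senior, edges, authority_ranges):
    """Insert-edge rule from the slides: endpoints must be incomparable and every
    authority range must stay encapsulated afterwards. Returns (ok, reason)."""
    roles, gt = closure(edges)
    if (junior, senior) in gt or (senior, junior) in gt:
        return False, f"{junior} and {senior} are already comparable"
    roles, gt = closure(edges + [(junior, senior)])
    for x, y in authority_ranges:
        if not is_encapsulated(x, y, roles, gt):
            return False, f"would break encapsulation of ({x},{y})"
    return True, "ok"
```

With this hierarchy, `can_insert_edge("QE1", "PE1", EDGES, AUTHORITY_RANGES)` is accepted because the new edge stays inside (E1,PL1), while `can_insert_edge("E2", "PL1", ...)` is rejected because E2, outside (E1,PL1), would become junior to PL1 without being junior to E1.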

Page 27

Edge deletion example

Page 28

Next class

• Read: Jason Crampton and George Loizou. "Administrative scope: A foundation for role-based administrative models." ACM Transactions on Information and System Security, Volume 6, Number 2, May 2003, pages 201-231. Available in ACM digital library through GMU.
• Come prepared to discuss

Page 29

Assignment

1. Prove or give counterexample
  • An authority range is always a create range?
  • If x is an immediate child of y then (x,y) is a create range?
2. Prove or give counterexample
  • If x is an immediate child of y then (x,y) can always be introduced into can-modify as an authority range that is guaranteed to be encapsulated?