NIST Standard for Role-Based Access Control
Presented by Wenyi Ni


Page 1: Title slide

Page 2: The roots of RBAC

  - The use of groups in UNIX and other operating systems
  - Privilege grouping in DBMS
  - Separation of duty concepts

RBAC embodies these notions in a single access control model.

Page 3: What RBAC includes

  - Roles and role hierarchies
  - Role activation
  - Constraints on user/role membership and on role set activation

Page 4: Structure of the standard

RBAC is organized into two parts:
  1. RBAC reference model
  2. RBAC functional specification

Page 5: RBAC reference model

Defines a common vocabulary of terms for consistently specifying requirements, and sets the scope of the RBAC features included in the standard.

Page 6: RBAC functional specification

Defines requirements over the administrative operations for the creation and maintenance of RBAC element sets and relations.

Page 7: Model components

The NIST RBAC model is defined in terms of four model components:
  1. Core RBAC
  2. Hierarchical RBAC
  3. Static separation of duty relations
  4. Dynamic separation of duty relations

Page 8: Core RBAC

Defines the minimum collection of RBAC elements, element sets and relations needed to completely achieve a role-based access control system.

It includes:
  1. user-role assignment
  2. permission-role assignment

Page 9: Definitions in Core RBAC

User: defined as a human being. It can be extended to include a machine, a network or an intelligent autonomous agent.

Role: a job function within the context of an organization, with some associated semantics regarding authority and responsibility.

Page 10: Definitions (continued)

Permission: an approval to perform an operation on one or more RBAC-protected objects.

Operation: an executable image of a program.

Session: a mapping between a user and an activated subset of the roles that are assigned to the user.

Page 11: Core RBAC model element sets and relations (figure)

Page 12: Hierarchical RBAC

  - Adds relations for supporting role hierarchies.
  - Senior roles acquire the permissions of their juniors.
  - The hierarchy defines a role's set of authorized users and authorized permissions.
  - A role hierarchy can be 1) a tree, 2) an inverted tree or 3) a lattice.

Page 13: Role hierarchy: tree (figure)

Page 14: Role hierarchy: inverted tree (figure)

Page 15: Role hierarchy: lattice (figure)

Page 16: Example: accounting roles (figure)
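As an added example (not from the slides or the NIST document), the "senior roles acquire the permissions of their juniors" rule implemented as a transitive closure over a constructed accounting lattice; the role names, permissions, the UA relation and the cycle check in add_inheritance are assumptions made for illustration.

```python
# Added example, not from the slides: a role hierarchy as a partial order,
# with constructed roles shaped like the deck's accounting lattice.
RH = {  # senior -> immediate juniors
    "accounting_mgr": {"billing", "cashier"},
    "billing": {"clerk"},
    "cashier": {"clerk"},
    "clerk": set(),
}
PA = {  # role -> permissions granted directly to that role
    "clerk": {("read", "ledger")},
    "billing": {("write", "invoice")},
    "cashier": {("write", "receipt")},
    "accounting_mgr": {("approve", "invoice")},
}

def juniors(role, rh):
    """Every role reachable below `role` (transitive closure), excluding itself."""
    seen, stack = set(), [role]
    while stack:
        for j in rh.get(stack.pop(), ()):
            if j not in seen:
                seen.add(j)
                stack.append(j)
    return seen

def authorized_permissions(role, rh=RH, pa=PA):
    """Senior roles acquire the permissions of all their juniors."""
    perms = set(pa.get(role, ()))
    for j in juniors(role, rh):
        perms |= pa.get(j, set())
    return perms

def authorized_users(role, ua, rh=RH):
    """Users authorized for `role`: assigned to it or to any of its seniors."""
    return {u for u, roles in ua.items()
            if any(r == role or role in juniors(r, rh) for r in roles)}

def add_inheritance(senior, junior, rh):
    """AddInheritance: reject an edge that would turn the partial order into a cycle."""
    if senior == junior or senior in juniors(junior, rh):
        raise ValueError("inheritance edge would create a cycle")
    rh.setdefault(senior, set()).add(junior)
    rh.setdefault(junior, set())
```

The lattice shape matters: both billing and cashier inherit from clerk, so a manager above both gets the clerk permission once, while the cycle check keeps AddInheritance from collapsing the order.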

Page 17: Separation of duty relations

Used to enforce the conflict-of-interest policies that organizations may employ to prevent users from exceeding a reasonable level of authority for their position.

Page 18: Static separation of duty relations

  - Enforce constraints on the assignment of users to roles.
  - Place restrictions on sets of roles: if a user is assigned to one role, the user is prohibited from being a member of a second role.

Page 19: SSD example (figure)

Because the roles ‘billing’ and ‘Cashier’ conflict, Frank is prohibited from being assigned both of them.

Page 20: Dynamic separation of duty relations

  - Place constraints on the roles that can be activated within or across a user's sessions.
  - Supports each user having different levels of permission at different times.
  - Often referred to as timely revocation of trust.
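As an added example covering both slides 18-19 and slide 20 (not from the slides or the NIST document), the static check applied when a user is assigned a role and the dynamic check applied when a role is activated in a session; the constraint format (role set plus a cardinality n), the role names and the users are constructed, with the Frank/billing/cashier case following slide 19.

```python
# Added example, not from the slides: the SSD check applied at user-role
# assignment and the DSD check applied at role activation. A constraint
# is (role_set, n): no user may hold (SSD), or no session may activate
# (DSD), n or more roles from role_set. Names and data are constructed;
# Frank/billing/cashier follow slide 19.
def violates(constraint, roles):
    role_set, n = constraint
    return len(set(roles) & role_set) >= n

def assign_user(ua, user, role, ssd):
    """AssignUser under SSD: reject an assignment that would breach a constraint."""
    proposed = ua.get(user, set()) | {role}
    for c in ssd:
        if violates(c, proposed):
            raise PermissionError(f"SSD: {user} may not hold {sorted(c[0])} together")
    ua.setdefault(user, set()).add(role)

def add_active_role(sessions, sid, role, ua, dsd):
    """AddActiveRole under DSD: the role must be assigned to the session's user
    and activating it must not breach a DSD constraint within this session
    (slide 20 also allows constraints across sessions; not modelled here)."""
    user, active = sessions[sid]
    if role not in ua.get(user, set()):
        raise PermissionError("role not assigned to user")
    proposed = active | {role}
    for c in dsd:
        if violates(c, proposed):
            raise PermissionError(f"DSD: {sorted(c[0])} may not be active together")
    active.add(role)

# Constructed policy: billing and cashier are statically exclusive (SSD);
# auditor and purchasing may both be assigned but not active at once (DSD).
SSD = [({"billing", "cashier"}, 2)]
DSD = [({"auditor", "purchasing"}, 2)]

def demo():
    ua = {"frank": {"billing"}}
    try:
        assign_user(ua, "frank", "cashier", SSD)
    except PermissionError as e:
        print(e)                       # Frank keeps billing only
    assign_user(ua, "grace", "auditor", SSD)
    assign_user(ua, "grace", "purchasing", SSD)
    sessions = {"s1": ("grace", set())}
    add_active_role(sessions, "s1", "auditor", ua, DSD)
    try:
        add_active_role(sessions, "s1", "purchasing", ua, DSD)
    except PermissionError as e:
        print(e)                       # only auditor stays active in s1
    return ua, sessions
```

The difference between the two checks is where they bite: SSD is decided once, at administration time, while DSD lets Grace hold both roles and only refuses to let them be active in the same session.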

Page 21: Categories of functions in RBAC

Used to meet the requirements for each of the components:
  1. Administrative functions
  2. Supporting system functions
  3. Review functions

Page 22: Administrative functions in Core RBAC

Create and maintain the element sets (USERS, ROLES, OPS, OBS) and relations:
  1. AddUser, DeleteUser
  2. AddRole, DeleteRole
  3. AssignUser, DeassignUser
  4. GrantPermission, RevokePermission

Page 23: Supporting system functions in Core RBAC

Session management and access control decisions:
  1. CreateSession
  2. AddActiveRole, DropActiveRole
  3. CheckAccess

Page 24: Review functions in Core RBAC

View the contents of the user-to-role and permission-to-role assignments:
  1. AssignedRoles
  2. RolePermissions
  3. UserPermissions
  4. SessionPermissions
  5. RoleOperationsOnObjects
  6. UserOperationsOnObjects
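As an added example (not from the slides or the NIST document) tying the Core RBAC elements of slides 8-11 to the function names of slides 22-24: a minimal engine in which sessions, not users, are what CheckAccess consults. The class, its data structures and the alice/frank demo data are assumptions made for illustration.

```python
# Added example, not from the slides: a minimal Core RBAC engine using the
# functional-specification names on slides 22-24 (constructed demo data).
class CoreRBAC:
    def __init__(self):
        self.ua = {}        # USERS -> assigned roles (relation UA)
        self.pa = {}        # ROLES -> (operation, object) pairs (relation PA)
        self.sessions = {}  # session id -> (user, set of active roles)

    def AddUser(self, u):
        self.ua.setdefault(u, set())

    def AddRole(self, r):
        self.pa.setdefault(r, set())

    def AssignUser(self, u, r):
        if u not in self.ua or r not in self.pa:
            raise ValueError("unknown user or role")
        self.ua[u].add(r)

    def GrantPermission(self, op, obj, r):
        self.pa[r].add((op, obj))

    def CreateSession(self, u, sid, roles=()):
        if not set(roles) <= self.ua[u]:  # only assigned roles can be activated
            raise PermissionError("role not assigned to user")
        self.sessions[sid] = (u, set(roles))

    def AddActiveRole(self, sid, r):
        u, active = self.sessions[sid]
        if r not in self.ua[u]:
            raise PermissionError("role not assigned to user")
        active.add(r)

    def CheckAccess(self, sid, op, obj):
        # Granted only through a role active in this session (least privilege).
        _, active = self.sessions[sid]
        return any((op, obj) in self.pa[r] for r in active)

def demo():
    rbac = CoreRBAC()
    for u in ("alice", "frank"): rbac.AddUser(u)
    for r in ("cashier", "billing"): rbac.AddRole(r)
    rbac.AssignUser("alice", "cashier")
    rbac.AssignUser("frank", "billing")
    rbac.GrantPermission("read", "ledger", "cashier")
    rbac.GrantPermission("write", "invoice", "billing")
    rbac.CreateSession("alice", "s1", ["cashier"])
    rbac.CreateSession("frank", "s2")  # Frank has activated no role yet
    return rbac
```

Frank's session s2 is denied the billing permission until AddActiveRole activates billing in it, even though AssignUser already gave him the role: assignment and activation are separate decisions in Core RBAC.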

Page 25: Administrative functions in Hierarchical RBAC

Create and maintain the partial order relation among roles:
  1. AddInheritance, DeleteInheritance
  2. AddAscendant, AddDescendant

Page 26: Supporting system functions in Hierarchical RBAC

The same functions as for Core RBAC; some of them need to be redefined because of the role hierarchy, such as CreateSession and AddActiveRole.

Page 27: Review functions in Hierarchical RBAC

All review functions specified for Core RBAC remain valid here. Review functions covering inherited roles are added:
  1. AuthorizedUsers
  2. AuthorizedRoles

Page 28: Functions in SSD

Administrative:
  1. CreateSSDSet, DeleteSSDSet
  2. AddSSDRoleMember, DeleteSSDRoleMember
  3. SetSSDRoleMember
  4. SetSSDCardinality

Supporting system: the same as those for Core RBAC.

Review:
  1. SSDRoleSets
  2. SSDRoleSetRoles
  3. SSDRoleSetCardinality

Page 29: Functions in DSD

Administrative:
  1. CreateDSDSet, DeleteDSDSet
  2. AddDSDRoleMember, DeleteDSDRoleMember
  3. SetDSDCardinality

Supporting system:
  1. CreateSession
  2. AddActiveRole
  3. DropActiveRole

Review:
  1. DSDRoleSets
  2. DSDRoleSetRoles
  3. DSDRoleSetCardinality

Page 30: Conclusion

  - RBAC is used to simplify security policy administration.
  - RBAC is an open-ended technology, which ranges from very simple to fairly sophisticated.
  - RBAC continues to be an evolving technology.

Page 31: End

Reference: http://csrc.nist.gov/rbac/rbacSTD-ACM.pdf