Role Activation Hierarchies
Ravi Sandhu
George Mason University
RBAC96
USERS, ROLES, PERMISSIONS, SESSIONS
USER-ROLE ASSIGNMENT
PERMISSION-ROLE ASSIGNMENT
ROLE HIERARCHIES
CONSTRAINTS
ROLE HIERARCHIES
Inheritance hierarchies: permission inheritance, user inheritance
Activation hierarchies: role membership versus role activation
EXAMPLE ROLE HIERARCHY INTERPRETATIONS
[Hierarchy diagram] Employee (E), Engineering Department (ED), Director (DIR)
Project 1: Project Lead 1 (PL1), Engineer 1 (E1), Production 1 (P1), Quality 1 (Q1)
Project 2: Project Lead 2 (PL2), Engineer 2 (E2), Production 2 (P2), Quality 2 (Q2)
ALTERNATIVES
separate inheritance and activation hierarchies (this paper)
single inheritance and activation hierarchy (most common approach, including RBAC96)
activation hierarchy only, no inheritance (alternative identified in NIST RBAC model)
inheritance hierarchy only, no activation hierarchy (does not seem to be useful)
LBAC: LIBERAL *-PROPERTY
[Lattice diagram: levels H, M1, M2, L; read and write directions marked + and -]
LBAC: LIBERAL *-PROPERTY DUAL ROLE SIMULATION
[Diagram: read roles HR, M1R, M2R, LR and write roles HW, M1W, M2W, LW; read and write directions marked + and -]
LBAC: STRICT *-PROPERTY
[Lattice diagram: levels H, M1, M2, L; read and write directions marked + and -]
LBAC: STRICT *-PROPERTY DUAL ROLE SIMULATION
[Diagram: read roles HR, M1R, M2R, LR and write roles HW, M1W, M2W, LW]
LBAC: STRICT *-PROPERTY SIMULATION BY PRIVATE ROLES (1 of 3)
[Diagram: read roles HR, M1R, M2R, LR]
LBAC: STRICT *-PROPERTY SIMULATION BY PRIVATE ROLES (2 of 3)
[Diagram: read roles HR, M1R, M2R, LR and write roles HW, M1W, M2W, LW]
LBAC: STRICT *-PROPERTY SIMULATION BY PRIVATE ROLES (3 of 3)
[Diagram: read roles HR, M1R, M2R, LR and write roles HW, M1W, M2W, LW]
DYNAMIC SEPARATION OF DUTIES
Roles in dynamic SOD cannot have common seniors in the role inheritance hierarchy, but can have common seniors in the role activation hierarchy.
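The DSOD point above, worked as an added Python example (not code from the slides or the paper): the role names come from the slides' example hierarchy, but the edge sets, the DSOD pair (P1, Q1) and the Session class are assumed for illustration. A common senior of a DSOD pair is rejected in the inheritance hierarchy (it would hold both permission sets at once) but tolerated in the activation hierarchy, where the session enforces the constraint at activation time.

```python
"""Separate inheritance and activation hierarchies with a dynamic SOD check.
Edges run senior -> juniors. Edge sets are assumed for this example; the
slides only name the roles (E, ED, E1, P1, Q1, PL1, PL2, DIR)."""

# Inheritance hierarchy: a senior holds every permission of its juniors.
# PL1 is deliberately NOT senior to P1/Q1 here, so it never holds both.
INHERITANCE = {
    "DIR": {"PL1", "PL2"}, "PL1": set(), "PL2": set(),
    "P1": {"E1"}, "Q1": {"E1"}, "E1": {"ED"}, "ED": {"E"}, "E": set(),
}
# Activation hierarchy: a user assigned to a senior may activate its juniors.
# PL1 may activate P1 or Q1, but DSOD forbids holding both in one session.
ACTIVATION = {
    "DIR": {"PL1", "PL2"}, "PL1": {"P1", "Q1"}, "PL2": set(),
    "P1": {"E1"}, "Q1": {"E1"}, "E1": {"ED"}, "ED": {"E"}, "E": set(),
}
DSOD = [("P1", "Q1")]  # assumed: production and quality roles are exclusive

def juniors(hierarchy, role):
    """Transitive closure of roles below `role` (role itself excluded)."""
    seen, stack = set(), [role]
    while stack:
        for j in hierarchy.get(stack.pop(), ()):
            if j not in seen:
                seen.add(j)
                stack.append(j)
    return seen

def common_seniors(hierarchy, r1, r2):
    """Roles senior to both r1 and r2 in the given hierarchy."""
    return {r for r in hierarchy if {r1, r2} <= juniors(hierarchy, r)}

def dsod_violations(inheritance):
    """DSOD pairs sharing a senior in the inheritance hierarchy: that senior
    would hold both roles' permissions at once, defeating the separation."""
    return [p for p in DSOD if common_seniors(inheritance, *p)]

class Session:
    """One user session; activation is where DSOD is actually enforced."""
    def __init__(self, assigned_role):
        self.allowed = {assigned_role} | juniors(ACTIVATION, assigned_role)
        self.active = set()
    def activate(self, role):
        if role not in self.allowed:
            return False
        if any({r1, r2} <= self.active | {role} for r1, r2 in DSOD):
            return False  # would hold both DSOD roles in the same session
        self.active.add(role)
        return True
```

Passing ACTIVATION to dsod_violations shows what a single combined hierarchy (the RBAC96 approach) would report: PL1 and DIR as common seniors of P1 and Q1.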
EXAMPLE ROLE HIERARCHY INTERPRETATIONS
[Hierarchy diagram] Employee (E), Engineering Department (ED), Director (DIR)
Project 1: Project Lead 1 (PL1), Engineer 1 (E1), Production 1 (P1), Quality 1 (Q1)
Project 2: Project Lead 2 (PL2), Engineer 2 (E2), Production 2 (P2), Quality 2 (Q2)
ACTIVATION HIERARCHIES
[Two hierarchy diagrams over roles A, B, C, D, E]
CONCLUSION
separate inheritance and activation hierarchies (this paper)
single inheritance and activation hierarchy (most common approach, including RBAC96)
activation hierarchy only, no inheritance (alternative identified in NIST RBAC model)
inheritance hierarchy only, no activation hierarchy (does not seem to be useful)