11Computer ScienceCSC 474/574Information Systems SecurityTopic 4.4Role-Based Access Control (RBAC)2Computer ScienceOUTLINE• Role-based Access Control– Motivation– Features– Models– Issues23Computer ScienceOWNER-BASED DAC• owner has all-or-nothing power– superuser fallacy• spaghetti of intent• negative permissions make for messierspaghetti• Trojan horses can subvert intent4Computer ScienceMAC/Lattice-Based AC/BLP• enforce one-directional information flow in alattice of security labels• can be used for– confidentiality– integrity– aggregation (Chinese Wall)– combinations of these35Computer ScienceRBAC• A user’s permissions are determined by theuser’s roles– rather than identity (DAC) or clearance (MAC)– roles can encode arbitrary attributes• Facilitates– administration of permissions– articulation of policy• ranges from very simple to very sophisticated6Computer ScienceRBAC• Policy neutral• Policy oriented– least privilege– separation of duties– encapsulation of primitive permissions– Roles are a semantic construct around which tobuild policy47Computer ScienceRBACTwo traditionsSupport system-wideadministrativefunctionsProgrammed intoindividualapplications8Computer ScienceRBAC: WHAT’S NEW• Extend system support into application domain• Use RBAC to manage RBAC59Computer ScienceINTERACTION OF RBAC, MAC AND DACRBACMAC DACpermitted accesses10Computer ScienceRBAC MODELS• RBAC96 Family– RBAC0: Basic Model– RBAC1: Hierarchical Roles– RBAC2: Constrained Roles– RBAC3: RBAC1 + RBAC2611Computer ScienceRBAC96 FAMILYRBAC0VANILLA RBACRBAC3ROLE HIERARCHIES +CONSTRAINTSRBAC1ROLEHIERARCHIESRBAC2CONSTRAINTS12Computer ScienceRBAC3ROLESUSER-ROLEASSIGNMENTPERMISSIONS-ROLEASSIGNMENTUSERS PERMISSIONS...SESSIONSROLE HIERARCHIESCONSTRAINTS713Computer ScienceUSERS• Users are– human beings or– other active agents• Each individual should be known as exactlyone user14Computer ScienceROLES AS POLICY• A role brings together– a collection of users and– a collection of permissions• These collections will vary over time– A role has significance and meaning beyond theparticular users and permissions brought togetherat any moment815Computer ScienceROLES VERSUS GROUPS• Groups are often defined as– a collection of users• A role is– a collection of users and– a collection of permissions• Some authors define role as– a collection of permissions16Computer ScienceHIERARCHICAL ROLESEmployee (E)Engineering Department (ED)Project Lead 1(PL1)Engineer 1(E1)Production 1(P1)Quality 1(Q1)Director (DIR)Project Lead 2(PL2)Engineer 2(E2)Production 2(P2)Quality 2(Q2)PROJECT 2PROJECT 1917Computer SciencePERMISSIONS• Primitive permissions– read, write, append, execute• Abstract permissions– credit, debit, inquiry18Computer SciencePERMISSIONS• System permissions– auditorObject permissions– read, write, append, execute, credit, debit, inquiry1019Computer SciencePERMISSIONS• Permissions are positive• No negative permissions or denials– negative permissions and denials can be handledby constraints• No duties or obligations– outside scope of access control20Computer ScienceUSER-ROLE ASSIGNMENT• A user can be a member of many roles• Each role can have many users as members1121Computer ScienceIMPLICIT USER ASSIGNMENTUSERROLEHIERARCHYimplicit assignmentsexplicit assignment22Computer ScienceEXPLICIT USER ASSIGNMENTUSERNO ROLEHIERARCHYexplicit assignmentsexplicit assignment1223Computer SciencePERMISSION-ROLE ASSIGNMENT• A permission can be assigned to many roles• Each role can have many permissions24Computer ScienceSESSIONS• A user can invoke multiple sessions• In each session a user can invoke any subsetof roles that the user is a member of1325Computer ScienceCONSTRAINTS• Applied to all components in RBAC• Example : Mutually Exclusive Roles– Static Exclusion: The same individual can neverhold both roles– Dynamic Exclusion: The same individual cannever hold both roles in the same context26Computer ScienceExercise 1• Consider an on-line grading system.– TAs can view (V) and add (A) everybody’s grade;– Instructors can add (A), update (U), and view (V)everybody’s grade.1427Computer ScienceExercise 1 (Cont’d)• Assume a generic framework of RBAC0.– Customize it for the following class:• Instructor: Peng Ning (PN);• TA: Kun Sun (KS)• Students: John Smith (JS), Jane Davis (JD), Bret Moore (BM)– Users = {____, ____, ____, ____, ____}– Roles = {______, ______}– Permissions = {______, ______, ______}– PermissionAssignments = {(___, ___), (___, ___), (___, ___), (___,___), (___, ___)}– UserAssignments = {(____, ____), (____, ____)}– Sessions = {____, ____} (Assume two sessions. No unique solution.)– Session-Users (SU): ____ ____, ________– Session-Roles (S2R): ____{____}, ____{____}28Computer ScienceExercise 1 (Cont’d)• How about RBAC1?– Customize it for the following class:• Instructor: Peng Ning (PN);• TA: Kun Sun (KS)• Students: John Smith (JS), Jane Davis (JD), Bret Moore (BM)– What can be changed?Role hierarchy:1529Computer ScienceExercise 2• Consider an on-line grading system.– Each student can only view his/her own grade;– TAs can view and add everybody’s grade;– Instructors can add, update (i.e., modify), andview everybody’s grade.30Computer ScienceExercise 2 (Cont’d)• Assume a generic framework of RBAC0.– Customize it for the following class:• Instructor: Peng Ning (PN)• TA: Kun Sun (KS)• Students: John Smith (JS), Jane Davis (JD), Bret Moore (BM)– Users = {____, ____, ____, ____, ____}– Roles = ?– Permissions = ?– PermissionAssignments = ?– UserAssignments = ?– …• What are the difficulties?1631Computer ScienceExercise 2 (Cont’d)• How about RBAC2?– Customize it for the following class:• Instructor: Peng Ning (PN)• TA: Kun Sun (KS)• Students: John Smith (JS), Jane Davis (JD), Bret Moore (BM)– Assume there exists a global variable user-name that stores the nameof the activated user.– Users = {____, ____, ____, ____, ____}– Roles = {______, ______, ______}– Permissions = {V(student-name), ______, ______}– PermissionAssignments = {(___, ___), (___, ___), (___, ___), (___,___) , (___, ___) , (___, ___)}– PA constraint: ______________________– UserAssignments = { }–