UT CS 361 - Lecture 26: Role-Based Access Control


Foundations of Computer Security
Lecture 26: Role-Based Access Control
Dr. Bill Young
Department of Computer Sciences
University of Texas at Austin

Slide 1: Role-Based Access Control

Role-based access control (RBAC) is a widely used security framework claimed to be especially appropriate for commercial settings.

Unlike access control policies that assign permissions to subjects, RBAC associates permissions with functions/jobs/roles within an organization.

A role is a collection of job functions. Roles within a bank might include: president, manager, trainer, teller, auditor, janitor, etc.

Slide 2: Roles and Transactions

An individual has:
- a set of authorized roles, which it is allowed to fill at various times;
- a set of active roles, which it currently occupies.

Roles have an associated set of transactions, which are the activities that someone in that role is permitted to carry out.

The set of transactions can be organization specific: open an account, cash a check, transfer funds, etc.

Slide 3: Primary Rules

The following are the three primary RBAC rules:
- Role assignment: A subject can execute a transaction only if the subject has an active role.
- Role authorization: A subject's active role must be an authorized role for that subject.
- Transaction authorization: A subject can execute a transaction only if the transaction is authorized for one of the subject's active roles.

Note that a subject can have multiple roles. For example, in a pinch a bank president might also act as a teller.

Slide 4: Subsumption and Separation of Duty

One role rj may subsume another role ri, meaning that anyone having role rj can do at least the functions of ri.
Example: a trainer can perform all of the actions of a trainee, as well as some others.

RBAC can also model separation of duty (one individual cannot assume both roles r1 and r2).
Example: if teller is among S's authorized roles, auditor cannot be.

Slide 5: RBAC Advantages

RBAC is generally more flexible than standard access control policies:
- RBAC is easy to administer. Everyone in role teller has the same permissions.
- Permissions are appropriate to the organization: "open an account" rather than "read a file."
- RBAC recognizes that a subject often has various functions within the organization.
- RBAC allows a subject to transition between roles without having to change identities.

Slide 6: Lessons

- RBAC associates access permissions with a job/function/role rather than with individual subjects.
- This provides a flexible approach to modeling the dynamism of commercial organizations.

Next lecture: Storing the ACM
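The following is an added example, not part of the lecture: a minimal RBAC reference monitor that implements the three primary rules (role assignment, role authorization, transaction authorization), role subsumption as a transitive role hierarchy, and the teller/auditor separation-of-duty exclusion. The bank roles, transactions and the subjects "alice" and "bob" are constructed sample data. One design choice goes beyond the slides: the separation-of-duty check is evaluated over the effective (subsumption-closed) role set, so that granting a senior role which subsumes teller cannot be combined with auditor either; that is an assumption of this example, not a rule the lecture states.

```python
from dataclasses import dataclass, field


@dataclass
class RBACPolicy:
    """Minimal RBAC reference monitor (added example; sample data is constructed)."""
    transactions: dict = field(default_factory=dict)  # role -> transactions granted directly
    subsumes: dict = field(default_factory=dict)      # role -> roles it subsumes (hierarchy)
    exclusive: set = field(default_factory=set)       # frozenset({r1, r2}) pairs: separation of duty
    authorized: dict = field(default_factory=dict)    # subject -> authorized roles
    active: dict = field(default_factory=dict)        # subject -> currently active roles

    def add_role(self, role, transactions=(), subsumes=()):
        self.transactions[role] = set(transactions)
        self.subsumes[role] = set(subsumes)

    def add_exclusion(self, r1, r2):
        """Declare that no subject may be authorized for both r1 and r2."""
        self.exclusive.add(frozenset((r1, r2)))

    def effective_roles(self, role):
        """The role itself plus every role it transitively subsumes."""
        seen, todo = set(), [role]
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                todo.extend(self.subsumes.get(r, ()))
        return seen

    def permitted_transactions(self, role):
        """Subsumption: a role can do at least the functions of the roles it subsumes."""
        return set().union(*(self.transactions.get(r, set()) for r in self.effective_roles(role)))

    def authorize(self, subject, role):
        """Grant an authorized role, refusing any separation-of-duty conflict.
        The check covers effective roles (this example's assumption, see lead-in)."""
        new = self.effective_roles(role)
        held = set().union(*(self.effective_roles(r) for r in self.authorized.get(subject, set())))
        for a in new:
            for b in held:
                if frozenset((a, b)) in self.exclusive:
                    raise ValueError(f"separation of duty: {subject} cannot hold both {a} and {b}")
        self.authorized.setdefault(subject, set()).add(role)

    def activate(self, subject, role):
        """Role authorization rule: an active role must be an authorized role."""
        if role not in self.authorized.get(subject, set()):
            raise PermissionError(f"{role} is not an authorized role for {subject}")
        self.active.setdefault(subject, set()).add(role)

    def deactivate(self, subject, role):
        self.active.get(subject, set()).discard(role)

    def can_execute(self, subject, transaction):
        active = self.active.get(subject, set())
        if not active:                                          # role assignment rule
            return False
        if not active <= self.authorized.get(subject, set()):   # role authorization rule
            return False
        # transaction authorization rule: some active role must permit the transaction
        return any(transaction in self.permitted_transactions(r) for r in active)


def bank_policy():
    """Constructed sample bank policy using the roles named in the lecture."""
    p = RBACPolicy()
    p.add_role("trainee", {"view_balance"})
    p.add_role("trainer", {"run_training"}, subsumes={"trainee"})
    p.add_role("teller", {"open_account", "cash_check"}, subsumes={"trainee"})
    p.add_role("auditor", {"review_ledger"})
    p.add_role("president", {"approve_loan"}, subsumes={"teller"})
    p.add_exclusion("teller", "auditor")
    return p


def demo():
    """Exercise each rule once; returns a dict of outcomes for inspection."""
    p = bank_policy()
    p.authorize("alice", "president")
    p.authorize("bob", "teller")
    out = {}
    out["alice_no_active_role"] = p.can_execute("alice", "approve_loan")   # no active role yet
    p.activate("alice", "president")
    out["alice_approve_loan"] = p.can_execute("alice", "approve_loan")
    out["alice_cash_check"] = p.can_execute("alice", "cash_check")         # president subsumes teller
    out["alice_review_ledger"] = p.can_execute("alice", "review_ledger")   # not in any active role
    try:
        p.activate("bob", "president")                                     # not authorized for bob
        out["bob_activate_president"] = "allowed"
    except PermissionError:
        out["bob_activate_president"] = "denied"
    try:
        p.authorize("bob", "auditor")                                      # teller excludes auditor
        out["bob_auditor"] = "allowed"
    except ValueError:
        out["bob_auditor"] = "denied"
    return out


if __name__ == "__main__":
    print(demo())
```

Note that `can_execute` re-checks that every active role is still authorized, so revoking an authorized role takes effect immediately rather than only at the next activation; without that check a stale active role would keep granting transactions.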