Discretionary and Mandatory Controls for Role-Based Administration - - PowerPoint PPT Presentation

SLIDE 1

Introduction Fundamental concepts Discretionary and mandatory controls Concluding remarks Questions

Discretionary and Mandatory Controls for Role-Based Administration

Jason Crampton

Royal Holloway, University of London

20th Annual IFIP WG 11.3 Working Conference on Data and Applications Security

Discretionary and Mandatory Controls for Role-Based Administration Jason Crampton

SLIDE 2

Outline

1. Introduction
2. Fundamental concepts
3. Discretionary and mandatory controls
4. Concluding remarks
5. Questions

SLIDE 3

Administration in the context of access control

Administration
  • The management of the data structures that define an access control policy
Administrative model
  • A set of rules that control changes to those data structures
  • Changes to the data structures are effected by executing administrative commands
  • Rules determine which commands succeed
Examples
  • Harrison-Ruzzo-Ullman model for the protection matrix
  • Take-grant model

SLIDE 4

Role-based administration

ANSI RBAC standard defines a set of administrative functions that must be supported by compliant systems
  • No administrative model
  • No suggested implementation
Less well understood than role-based access control
  • More challenging problem
  • No consensus on the best approach
Two main approaches in literature
  • Permission-based
  • Structural

SLIDE 5

Permission-based approaches

Basic idea
  • Administrative roles are given administrative (control) permissions
  • Mimics HRU approach to protection matrix
Examples
  • RBAC96 (Sandhu et al)
  • X-GTRBAC Admin (Bhatti et al)
Disadvantages
  • Little control over propagation of permissions

SLIDE 6

Structural approaches

Basic idea
  • Administrative roles are given control over sub-hierarchies
  • Role parameters of administrative command must belong to a sub-hierarchy controlled by the requester
Examples
  • ARBAC97 defines sub-hierarchies using relations (Sandhu et al)
  • RHA family of models defines sub-hierarchies using administrative scope (Crampton)
Disadvantages
  • Sensitive to changes in the role hierarchy

SLIDE 7

This work

Motivation
  • To provide a comprehensive, expressive, flexible and simple model for role-based administration
Goals
  • To address the limitations of existing approaches
  • The model should limit the propagation of permissions
  • The model should be resilient to changes to the role hierarchy
Approach
  • Use domains to limit permission propagation
  • Use administrative permissions to support fine-grained administrative control and separation of administrative duties

SLIDE 8

RBAC model

Role hierarchy
  • A partially ordered set of roles (R, )
User-role assignment relation
  • UA ⊆ U × R
Permission-role assignment relation
  • PA ⊆ P × R

SLIDE 10

Administrative concepts

Administrative permissions
  • Assigned to roles and authorize a role to either add or delete an element from one of U, P, R, , UA or PA
  • Objects are RBAC sets and relations
  • Operations are add and delete
Administrative commands
  • A request to invoke an administrative permission
  • addUA(a, u, r) command takes three parameters: administrative role a, user u and role r

SLIDE 12

Administrative concepts

Administrative partitions
  • A collection of subsets of R
  • Each subset is called a domain
  • Each pair of domains is either disjoint or nested
Domain-role assignment relation
  • DA ⊆ D × R, where D is an administrative partition
  • If (D, r) ∈ DA we say r has administrative control over D

SLIDE 15

Example

[Figure: role hierarchy over the roles DIR, PL1, PE1, QE1, PE2, PL2, QE2, ENG2, ENG1, ED and E]

Domains
  • D1 = [ENG1, PL1]
  • D2 = [ENG2, PL2]
  • D3 = D1 ∪ D2
  • D4 = [E, DIR]

DA
  Domain   Role
  D1       PSO1
  D2       PSO2
  D3       DSO
  D4       SSO

SLIDE 17

Basic security properties

The discretionary administrative property
  • A command can only succeed if the requested permission is assigned to a role activated by the requester
The mandatory administrative property
  • A command can only succeed if the role parameters belong to a domain over which the requester has control
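The two basic properties can be checked mechanically once the domains and DA are written down. The following is an added example, not code from the slides or the paper: the domain memberships are assumed (the hierarchy figure is not recoverable from the page), the permission assignments are constructed, and the function names are hypothetical. It covers only these two properties, not the mandatory UA and PA properties defined later.

```python
from itertools import combinations

# Domain memberships are ASSUMED: the slide gives D1 = [ENG1, PL1] etc. as
# intervals of a hierarchy figure that is not recoverable from the page.
D1 = frozenset({"ENG1", "PE1", "QE1", "PL1"})
D2 = frozenset({"ENG2", "PE2", "QE2", "PL2"})
D3 = D1 | D2
D4 = D3 | {"E", "ED", "DIR"}
DOMAINS = {"D1": D1, "D2": D2, "D3": D3, "D4": D4}

# Domain-role assignment DA, as listed on the slide.
DA = {("D1", "PSO1"), ("D2", "PSO2"), ("D3", "DSO"), ("D4", "SSO")}

# Administrative permissions per role: constructed sample data.
ADMIN_PERMS = {
    "PSO1": {("add", "UA"), ("delete", "UA")},
    "PSO2": {("add", "UA")},
    "DSO": {("add", "UA"), ("add", "PA")},
    "SSO": {("add", "U"), ("add", "UA"), ("add", "R")},
}

def is_administrative_partition(domains):
    """Every pair of domains must be either disjoint or nested."""
    return all(
        not (a & b) or a <= b or b <= a
        for a, b in combinations(domains.values(), 2)
    )

def controlling_domain(admin_role, role_params):
    """Smallest domain controlled by admin_role that holds all role parameters."""
    candidates = [
        name for name, members in DOMAINS.items()
        if (name, admin_role) in DA and set(role_params) <= members
    ]
    return min(candidates, key=lambda n: len(DOMAINS[n]), default=None)

def authorize(active_roles, admin_role, permission, role_params):
    """Return (allowed, reason) for one administrative command."""
    if admin_role not in active_roles:
        return False, "discretionary: role not activated by requester"
    if permission not in ADMIN_PERMS.get(admin_role, set()):
        return False, "discretionary: permission not assigned to role"
    if controlling_domain(admin_role, role_params) is None:
        return False, "mandatory: role parameter outside controlled domains"
    return True, "ok"

if __name__ == "__main__":
    print(is_administrative_partition(DOMAINS))
    print(authorize({"PSO1"}, "PSO1", ("add", "UA"), ["QE1"]))
    print(authorize({"PSO1"}, "PSO1", ("add", "UA"), ["QE2"]))
```

A request that passes the discretionary check can still fail the mandatory one, as the PSO1 request on QE2 does here.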

SLIDE 20

The mandatory UA property

Motivation
  • The assignment of a user u to a role r results in u being implicitly assigned to all roles less than r
Formal statement
  • The command addUA(a, u, r) satisfies the mandatory UA property if there exists a domain D over which a has control such that r ∈ D and u is already assigned to all roles {s ∈ R : s r, s ∈ D}
Consequences
  • It is impossible for an administrative role to assign users to roles over which it has no control

SLIDE 26

Example

[Figure: role hierarchy over the roles DIR, PL1, PE1, QE1, PE2, PL2, QE2, ENG2, ENG1, ED and E]

  • addUA(PSO1, u, QE1) succeeds only if u is assigned to ED
  • addUA(DSO, u, QE1) succeeds only if u is assigned to E
  • Only the SSO role can add new users to a role

SLIDE 27

The mandatory PA property

Motivation
  • The assignment of a permission p to a role r where r′ > r and r and r′ belong to different domains has the effect of leaking p to a new domain
Formal statement
  • The command addPA(a, p, r) satisfies the mandatory PA property if there exists a domain D over which a has control such that r ∈ D and p is already assigned to all roles {s ∈ R : s r, s ∈ D}
Consequences
  • An administrative user cannot downgrade permissions beyond a certain level, and never to a role outside the domains he controls

SLIDE 28

Separation of administrative duties

Motivating example
  • No single user should be able to create new user accounts and assign roles to those accounts
  • IT administrator creates user accounts
  • HR administrator decides which roles should be assigned to a user

SLIDE 30

Separation of administrative duties

Separation of duty constraints
  • Modelled as a set of administrative permissions {p1, ..., pk}
  • No user may be assigned to all the permissions in the constraint
  • Enforced by ensuring that
      • each permission pi is assigned to a different role ri
      • no user may be assigned to any pair of roles ri and rj
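The constraint and its enforcement scheme are two different checks, and an audit should run both. The following is an added example, not code from the slides or the paper: role names, user names and function names are hypothetical, the data is constructed, and administrative roles are assumed to be flat (no inheritance between them).

```python
from itertools import combinations

# Constructed sample data. Permissions are (operation, object) pairs, matching
# the slides' add/delete operations on U, P, R, UA and PA.
CONSTRAINT = frozenset({("add", "U"), ("add", "UA")})
ROLE_PERMS = {"IT_ADMIN": {("add", "U")}, "HR_ADMIN": {("add", "UA")}}
USER_ROLES = {
    "alice": {"IT_ADMIN"},
    "bob": {"HR_ADMIN"},
    "carol": {"IT_ADMIN", "HR_ADMIN"},  # can create an account and assign it roles
}

def users_violating(constraint, role_perms, user_roles):
    """Users whose roles together grant every permission in the constraint."""
    violators = set()
    for user, roles in user_roles.items():
        held = set().union(*(role_perms.get(r, set()) for r in roles))
        if set(constraint) <= held:
            violators.add(user)
    return violators

def enforcement_gaps(constraint, role_perms, user_roles):
    """Check the enforcement scheme itself and return a list of problems."""
    problems = []
    holders = {
        p: {r for r, perms in role_perms.items() if p in perms}
        for p in constraint
    }
    # Each permission pi must sit in a different role ri.
    for p, q in combinations(sorted(constraint), 2):
        for role in sorted(holders[p] & holders[q]):
            problems.append(f"role {role} holds both {p} and {q}")
    # No user may be assigned to any pair of roles ri and rj.
    sod_roles = set().union(*holders.values())
    for user, roles in sorted(user_roles.items()):
        clash = sorted(roles & sod_roles)
        if len(clash) > 1:
            problems.append(f"user {user} is assigned to {clash}")
    return problems

if __name__ == "__main__":
    print(users_violating(CONSTRAINT, ROLE_PERMS, USER_ROLES))
    for line in enforcement_gaps(CONSTRAINT, ROLE_PERMS, USER_ROLES):
        print(line)
```

For k greater than 2 the pairwise rule is stricter than the constraint: a user holding two of three roles is reported by `enforcement_gaps` even though `users_violating` returns nothing.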

SLIDE 33

Contributions

Administrative model
  • Incorporates ideas from structural and permission-based approaches
  • Structural models and permission-based models can be realized by appropriate choices of domains and permission assignment
Administrative security properties
  • Define which administrative operations succeed
  • Limit the propagation of permissions
Administrative separation of duty
  • Provides further control over propagation of permissions

SLIDE 36

Additional contributions

Automatic assignment of domains
  • A new role r can be assigned to the smallest domain controlled by the administrative user that contains the parents of r
Choosing domains
  • It can be shown that administrative scope defines an administrative partition of R
Checking administrative requests
  • It can be shown that the set of domains forms a tree, which means that administrative requests can be answered efficiently

SLIDE 37

Extensions and future work

Theoretical
  • Delegation – lightweight user-controlled administration (ESORICS 2006)
  • Mandatory security properties to further control hierarchy operations?
  • Is it useful to define separation of duty constraints at the domain level?
  • Safety analysis
Practical
  • Prototype implementation

SLIDE 38

Questions
