Ravi Sandhu Venkata Bhamidipati Laboratory for Information Security Technology (LIST) George Mason...

transcript

Ravi Sandhu

Venkata Bhamidipati

Laboratory for Information Security Technology (LIST)

George Mason University

Role-Based Administration of User-Role Assignment:

The URA97 Model and its Oracle Implementation

2© Ravi Sandhu 1997

OUTLINE

RBAC96 review URA97 model URA97 Oracle implementation Closing remarks

RBAC96

PERMISSIONS

ADMINROLES

ADMINPERMISSIONS

CONSTRAINTS

SESSIONS

RBAC96: RBAC0

PERMISSIONS

SESSIONS

RBAC96: RBAC1

PERMISSIONS

SESSIONS

RBAC96 : RBAC2

PERMISSIONS

... CONSTRAINTS

SESSIONS

RBAC96 : RBAC3

PERMISSIONS

... CONSTRAINTS

SESSIONS

RBAC96

PERMISSIONS

ADMINROLES

ADMINPERMISSIONS

CONSTRAINTS

SESSIONS

RBAC96

RBAC2RBAC1

ARBAC2ARBAC1

ARBAC0

ARBAC3

SCALE AND RATE OF CHANGE

roles: 100s or 1000s users: 1000s or 10,000s or more Frequent changes to

user-role assignment permission-role assignment

Less frequent changes for role hierarchy

ADMINISTRATIVE RBAC

user-role assignment permission-role assignment role-role hierarchy

EXAMPLE ROLE HIERARCHY

Employee (E)

Engineering Department (ED)

Project Lead 1(PL1)

Engineer 1(E1)

Production 1(P1)

Quality 1(Q1)

Director (DIR)

Project Lead 2(PL2)

Engineer 2(E2)

Production 2(P2)

Quality 2(Q2)

PROJECT 2PROJECT 1

EXAMPLE ADMINISTRATIVE ROLE HIERARCHY

Senior Security Officer (SSO)

Department Security Officer (DSO)

Project SecurityOfficer 1 (PSO1)

Project SecurityOfficer 2 (PSO2)

URA97 GRANT MODEL:can-assign

ARole Prereq Role Role Range

PSO1 ED [E1,PL1)

PSO2 ED [E2,PL2)

DSO ED (ED,DIR)

SSO E [ED,ED]

SSO ED (ED,DIR]

URA97 GRANT MODEL :can-assign

ARole Prereq Cond Role Range

PSO1 ED [E1,E1]

PSO1 ED & ¬ P1 [Q1,Q1]

PSO1 ED & ¬ Q1 [P1,P1]

PSO2 ED [E2,E2]

PSO2 ED & ¬ P2 [Q2,Q2]

PSO2 ED & ¬ Q2 [P2,P2]

URA97 GRANT MODEL

“redundant” assignments to senior and junior roles are allowed are useful

URA97 REVOKE MODEL

WEAK REVOCATION revokes explicit membership in a role independent of who did the assignment

URA97 REVOKE MODEL

STRONG REVOCATION revokes explicit membership in a role and its

seniors authorized only if corresponding weak

revokes are authorized alternatives

all-or-nothing revoke within range

URA97 REVOKE MODEL :can-revoke

ARole Role Range

PSO1 [E1,PL1)

PSO2 [E2,PL2)

DSO (ED,DIR)

SSO [ED,DIR]

ORACLE ROLES

support RBAC1 administrative model has strong

discretionary flavor administrative authority on role implies

can grant role to any user or role can grant role to any role

anyone with grant option on a permission can grant it to any role

URA97 IN ORACLE

administrative option for all roles is retained solely with DBA never given to any user

use generic stored procedures with URA97 can-assign and can-revoke implemented as relations

URA97 IN ORACLE

Oracle primitives for traversing role hierarchy need to be extended

can-assign in dnfER DIAGRAM

Admin RolePreConditionMin_IntMin RoleMax RoleMax_Int

CAN_ASSIGN

PreConditionAND set nameNOT set name

CAN_ASSIGN2

NOT set nameNOT roles

CAN_ASSIGN4

AND set nameAND roles

CAN_ASSIGN3

can-revokeRELATION

Admin RoleMin_IntMin RoleMax RoleMax_Int

CAN_REVOKE

ORACLE STORED PROCEDURES

can extend Oracle access control model

limitation stored procedure can determine who

the user is BUT cannot determine active roles of the

URA97 STORED PROCEDURES

ASSIGN(user, trole, arole) WEAK_REVOKE(user, trole, arole) STRONG_REVOKE(user, trole, arole)

user: user being added to trole trole: target role arole: administrative role used for this

operation due to Oracle limitations

CLOSING REMARKS:PREVIEW OF WORK IN PROGRESS

user-role assignment URA97 and Oracle, this paper other platforms

permission-role assignment PRA97, dual of URA97 Oracle implementation

CLOSING REMARKS:PREVIEW OF WORK IN PROGRESS

role-role hierarchy user-only roles (groups): like URA97 permission-only roles: like PRA97 user and permission roles: RRA97

Ravi Sandhu Venkata Bhamidipati Laboratory for Information Security Technology (LIST) George Mason...

Documents