Page 1: A Model for Attribute-Based User-Role Assignment
ACSAC 2002 © Mohammad al-Kahtani 2002

Mohammad A. Al-Kahtani, George Mason University and SingleSignOn.net, Inc.
Ravi Sandhu, George Mason University

Page 2: Presentation Roadmap

1. Introduction
2. Problem Description
3. Suggested Solution
4. Case Study
5. Expressing MAC

Page 3: Introduction

• Role-Based Access Control (RBAC): A proven alternative to DAC and MAC

• RBAC basic components:
1. Users
2. Roles
3. Permissions

Page 4: Introduction

• Simplified RBAC model (figure): Users → Roles via User Assignment (UA); Roles → Permissions via Permission Assignment (PA); a Role Hierarchy is defined over Roles


Page 6: Problem Description

• In RBAC, user-to-role assignment is done manually

• Many enterprises have huge customer bases: banks, utility companies, popular web sites

• Manual assignment becomes a formidable task


Page 8: Suggested Solution

• Modify RBAC to allow automatic user-role assignment

Introducing authorization rules

• Authorization rule structure (figure): Attributes Expression → Roles, subject to Constraints

Page 9: Suggested Solution

• Rule-Based RBAC (RB-RBAC) model (figure): Users carry Attribute values; Attribute Expressions are evaluated over those values to assign Users to Roles; Roles map to Permissions; Constraints apply to the assignment

Page 10: Suggested Solution

• Attribute values may be:

1. Stored locally

2. Provided by users

3. Obtained by other means

Page 11: Suggested Solution

• Attribute expressions:

1. Expressed in the RB-RBAC language

2. Constitute the left-hand side (LHS) of authorization rules

• The production rules of the RB-RBAC language are given in BNF notation.

Page 12: Suggested Solution

• Constraints: future work

Page 13: Suggested Solution

• Seniority levels: relations among authorization rules

Rule i: Attributes Expression i → Roles i

Rule j: Attributes Expression j → Roles j

Rule i is senior to Rule j when Attributes Expression i logically implies Attributes Expression j, i.e. every user who satisfies Rule i also satisfies Rule j.

Page 14: Suggested Solution

• Seniority-level anomalies

1. Redundancy (first form): Rule i is senior to Rule j

Rule i: ... → Role 1

Rule j: ... → Role 1 & Role 2

Every user who satisfies Rule i also satisfies Rule j and receives Role 1 from it, so Rule i's assignment of Role 1 adds nothing.

Page 15: Suggested Solution

• Seniority-level anomalies

1. Redundancy (second form): Rule i is senior to Rule j

Rule i: ... → Role 1

Rule j: ... → Role 2

Role 1 is senior to Role 2 in the role hierarchy, so a user who satisfies Rule i already inherits Role 2 through Role 1 before Rule j assigns it.

Page 16: Suggested Solution

• Seniority-level anomalies

2. Inconsistency: Rule i is senior to Rule j

Rule i: ... → Role 1

Rule j: ... → Role 2

Role 1 and Role 2 are mutually exclusive, yet every user who satisfies Rule i also satisfies Rule j and would be assigned both.


Page 18: Case Study

• Online Entertainment Store

• Suggested rating system

• Attributes: Age, Country

Rating level   Role
Strict         Child
Less strict    Juvenile
Liberal        Adolescent
Graphic        Adult

Page 19: Case Study

• Attribute: Age

1. Rule 1:: (Age ≥ 3) → Child
2. Rule 2:: (Age ≥ 11) → Juvenile
3. Rule 3:: (Age ≥ 16) → Adolescent
4. Rule 4:: (Age ≥ 18) → Adult

Page 20: Case Study

• Attribute: Country ({A..Z}: all countries)

1. Rule 1:: (Country IN {A..Z}) → Juvenile
2. Rule 2:: (Country IN {A..Z} – {Saudi, Sudan}) → Adolescent
3. Rule 3:: (Country IN {A..Z} – {China, India, Saudi, Sudan, Egypt, Indonesia, Malaysia, Singapore}) → Adult

Page 21: Case Study

• Authorization rules for the two attributes:

1. Rule 1:: (Age ≥ 3) AND (Country IN {A..Z}) → Child
2. Rule 2:: (Age ≥ 11) AND (Country IN {A..Z}) → Juvenile
3. Rule 3:: (Age ≥ 16) AND (Country IN {A..Z} – {Saudi, Sudan}) → Adolescent
4. Rule 4:: (Age ≥ 18) AND (Country IN {A..Z} – {China, India, Saudi, Sudan, Egypt, Indonesia, Malaysia, Singapore}) → Adult
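The following is an added worked example, not code from the paper or the slides. It encodes the four case-study rules in the restricted attribute language they use (an age threshold AND a country set), performs automatic user-role assignment from a user's attribute values, computes the seniority relation between rules by checking that one rule's left-hand side logically implies another's (page 13), and flags the redundancy and inconsistency anomalies of pages 14 to 16. The country list standing in for {A..Z}, the Child/Adult mutual-exclusion constraint, the role hierarchy Adult > Adolescent > Juvenile > Child and every function name are this example's own assumptions.

```python
"""Rule-based user-role assignment for the deck's case study.

Added example; not code from the ACSAC 2002 paper or slides. The rule
language is the fragment the case study needs: an age threshold
(Age >= n) AND a country set. Names (Rule, implies, assign_roles,
seniority, find_anomalies, ALL_COUNTRIES, EXCLUSIVE) are this example's.
"""
from dataclasses import dataclass
from itertools import permutations

# Constructed stand-in for the slides' {A..Z} (the set of all countries).
ALL_COUNTRIES = frozenset({
    "Brazil", "China", "Egypt", "France", "India", "Indonesia",
    "Malaysia", "Saudi", "Singapore", "Sudan", "USA",
})


@dataclass(frozen=True)
class Rule:
    """(Age >= min_age) AND (Country IN countries) -> roles"""
    name: str
    min_age: int
    countries: frozenset
    roles: frozenset

    def satisfied_by(self, age, country):
        # Attribute values may be self-asserted by the user (page 10);
        # the rule trusts whatever the caller passes in.
        return age >= self.min_age and country in self.countries

    def implies(self, other):
        """LHS(self) logically implies LHS(other): every user who satisfies
        self also satisfies other. For this fragment that is exactly a
        higher-or-equal age bound and a country set that is a subset."""
        return self.min_age >= other.min_age and self.countries <= other.countries


def assign_roles(rules, age, country):
    """Automatic user-role assignment: union of the RHS of every rule whose
    attribute expression the user's attribute values satisfy."""
    roles = set()
    for rule in rules:
        if rule.satisfied_by(age, country):
            roles |= rule.roles
    return frozenset(roles)


def seniority(rules):
    """Set of (i, j) name pairs such that Rule i is senior to Rule j."""
    return {(a.name, b.name) for a, b in permutations(rules, 2) if a.implies(b)}


def find_anomalies(rules, role_hierarchy, mutually_exclusive):
    """Seniority-level anomalies as defined on the slides.

    role_hierarchy: set of (senior_role, junior_role) pairs, transitively closed.
    mutually_exclusive: set of frozenset({role_a, role_b}).
    Returns (kind, senior_rule, junior_rule, roles) tuples.
    """
    findings = []
    for a, b in permutations(rules, 2):
        if not a.implies(b):
            continue  # only senior/junior pairs can be anomalous
        # Redundancy, first form: Rule j already assigns a role Rule i assigns.
        for role in sorted(a.roles & b.roles):
            findings.append(("redundancy", a.name, b.name, (role, role)))
        for ra in sorted(a.roles):
            for rb in sorted(b.roles):
                # Redundancy, second form: Rule j assigns Role 2 to a user who
                # already inherits it through Role 1 from Rule i.
                if (ra, rb) in role_hierarchy:
                    findings.append(("redundancy", a.name, b.name, (ra, rb)))
                # Inconsistency: the same user ends up holding two roles that
                # are declared mutually exclusive.
                if frozenset({ra, rb}) in mutually_exclusive:
                    findings.append(("inconsistency", a.name, b.name, (ra, rb)))
    return findings


# The four rules of page 21: (Age >= n) AND (Country IN ...) -> role.
CASE_STUDY = [
    Rule("Rule 1", 3, ALL_COUNTRIES, frozenset({"Child"})),
    Rule("Rule 2", 11, ALL_COUNTRIES, frozenset({"Juvenile"})),
    Rule("Rule 3", 16, ALL_COUNTRIES - {"Saudi", "Sudan"}, frozenset({"Adolescent"})),
    Rule("Rule 4", 18, ALL_COUNTRIES - {"China", "India", "Saudi", "Sudan",
                                        "Egypt", "Indonesia", "Malaysia", "Singapore"},
         frozenset({"Adult"})),
]

# Assumed rating-level role hierarchy Adult > Adolescent > Juvenile > Child,
# stored as its transitive closure of (senior, junior) pairs.
RATING_ORDER = ["Child", "Juvenile", "Adolescent", "Adult"]
RATING_HIERARCHY = {(RATING_ORDER[i], RATING_ORDER[j])
                    for i in range(len(RATING_ORDER)) for j in range(i)}

# Constructed separation-of-duty constraint, present only to exercise the check.
EXCLUSIVE = {frozenset({"Child", "Adult"})}

if __name__ == "__main__":
    print(sorted(assign_roles(CASE_STUDY, 20, "France")))  # all four roles
    print(sorted(assign_roles(CASE_STUDY, 20, "Saudi")))   # Child, Juvenile
    print(sorted(seniority(CASE_STUDY)))                    # six senior/junior pairs
    for finding in find_anomalies(CASE_STUDY, RATING_HIERARCHY, EXCLUSIVE):
        print(finding)
```

With the assumed role hierarchy in place every senior/junior rule pair is reported as redundant, because Rule 4 alone already yields all four roles by inheritance for anyone it matches; with no hierarchy and no exclusion constraint the rule set has no anomalies at all. Note that `implies` is decidable only because the attribute language is this small; a richer RB-RBAC expression language needs a real implication check.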


Page 23: Expressing MAC

Figure: security lattice and role hierarchies

Security lattice (rating levels, low to high): Child, Juvenile, Adolescent, Adult

Role hierarchies: one read role and one write role per level
Read roles: Child Read (CR), Juvenile Read (JR), Adolescent Read (DR), Adult Read (AR)
Write roles: Child Write (CW), Juvenile Write (JW), Adolescent Write (DW), Adult Write (AW)

Page 24: Expressing MAC

Authorization rules:

Rule 1:: (Age ≥ 3) AND (Country IN {A..Z}) → CR AND CW

Rule 2:: (Age ≥ 11) AND (Country IN {A..Z}) → JR AND JW

Rule 3:: (Age ≥ 16) AND (Country IN {A..Z} – {Saudi, Sudan}) → DR AND DW

Rule 4:: (Age ≥ 18) AND (Country IN {A..Z} – {China, India, Saudi, Sudan, Egypt, Indonesia, Malaysia, Singapore}) → AR AND AW
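The following is an added example, not code from the slides, showing how the read and write roles assigned by the rules above express the lattice-based policy. A user the rules place at level x holds xR AND xW; the read-role hierarchy AR > DR > JR > CR lets xR inherit every read role at or below x (read down). Which *-property the deck intends for the write roles is not legible on the slide, so the example assumes the strict form (write only at the user's own level) by default and the liberal form (write at or above it, via an inverted write hierarchy) when `liberal=True`; the level list, the abbreviation table and the function names are this example's own.

```python
"""Lattice-based (MAC) checks expressed through the rating roles.

Added example; not code from the slides. Assumptions: the totally ordered
lattice Child < Juvenile < Adolescent < Adult, the read hierarchy
AR > DR > JR > CR, and the strict (default) or liberal *-property for
write roles. Names are this example's own.
"""
LEVELS = ["Child", "Juvenile", "Adolescent", "Adult"]  # lattice, low to high
ABBREV = {"Child": "C", "Juvenile": "J", "Adolescent": "D", "Adult": "A"}


def effective_roles(level, liberal=False):
    """Roles a user assigned <level>R AND <level>W ends up holding.

    Read roles: xR inherits every read role at or below x (simple security
    property, read down). Write roles: strict -> only xW; liberal -> xW
    inherits every yW with y >= x, i.e. the write hierarchy runs the
    opposite way to the read hierarchy (write up, never down).
    """
    i = LEVELS.index(level)
    reads = {ABBREV[l] + "R" for l in LEVELS[: i + 1]}
    writes = {ABBREV[l] + "W" for l in (LEVELS[i:] if liberal else [level])}
    return frozenset(reads | writes)


def can_read(user_level, object_level):
    """Read allowed iff the user's effective read roles cover the object's level."""
    return ABBREV[object_level] + "R" in effective_roles(user_level)


def can_write(user_level, object_level, liberal=False):
    """Write allowed iff the user's effective write roles cover the object's level."""
    return ABBREV[object_level] + "W" in effective_roles(user_level, liberal)


if __name__ == "__main__":
    for user in LEVELS:
        print(user, sorted(effective_roles(user)), sorted(effective_roles(user, liberal=True)))
```

Whichever *-property is chosen, a Child-level user can never read Adult-rated content and an Adult-level user can never write into the Child-rated store, which is the information-flow guarantee the lattice is there to give.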

