Page 1: Ravi Sandhu Venkata Bhamidipati Laboratory for Information Security Technology (LIST) George Mason University Role-Based Administration of User-Role Assignment:

Ravi Sandhu

Venkata Bhamidipati

Laboratory for Information Security Technology (LIST)

George Mason University

Role-Based Administration of User-Role Assignment:

The URA97 Model and its Oracle Implementation

Page 2

© Ravi Sandhu 1997

OUTLINE

RBAC96 review
URA97 model
URA97 Oracle implementation
Closing remarks

Page 3

RBAC96 (diagram of model components): USERS, ROLES, PERMISSIONS, SESSIONS, ADMINROLES, ADMINPERMISSIONS, CONSTRAINTS

Page 4

RBAC96: RBAC0 (diagram of model components): USERS, ROLES, PERMISSIONS, SESSIONS

Page 5

RBAC96: RBAC1 (diagram of model components): USERS, ROLES, PERMISSIONS, SESSIONS

Page 6

RBAC96: RBAC2 (diagram of model components): USERS, ROLES, PERMISSIONS, SESSIONS, CONSTRAINTS

Page 7

RBAC96: RBAC3 (diagram of model components): USERS, ROLES, PERMISSIONS, SESSIONS, CONSTRAINTS

Page 8

RBAC96 (diagram of model components): USERS, ROLES, PERMISSIONS, SESSIONS, ADMINROLES, ADMINPERMISSIONS, CONSTRAINTS

Page 9

RBAC96 (diagram of the model family)

RBAC models: RBAC0, RBAC1, RBAC2, RBAC3
Administrative models: ARBAC0, ARBAC1, ARBAC2, ARBAC3

Page 10

SCALE AND RATE OF CHANGE

roles: 100s or 1000s
users: 1000s or 10,000s or more
Frequent changes to
  user-role assignment
  permission-role assignment
Less frequent changes for role hierarchy

Page 11

ADMINISTRATIVE RBAC

user-role assignment
permission-role assignment
role-role hierarchy

Page 12

EXAMPLE ROLE HIERARCHY (diagram)

Employee (E)
Engineering Department (ED)
Director (DIR)
PROJECT 1: Project Lead 1 (PL1), Engineer 1 (E1), Production 1 (P1), Quality 1 (Q1)
PROJECT 2: Project Lead 2 (PL2), Engineer 2 (E2), Production 2 (P2), Quality 2 (Q2)

Page 13

EXAMPLE ADMINISTRATIVE ROLE HIERARCHY (diagram)

Senior Security Officer (SSO)
Department Security Officer (DSO)
Project Security Officer 1 (PSO1)
Project Security Officer 2 (PSO2)

Page 14

URA97 GRANT MODEL: can-assign

ARole   Prereq Role   Role Range
PSO1    ED            [E1,PL1)
PSO2    ED            [E2,PL2)
DSO     ED            (ED,DIR)
SSO     E             [ED,ED]
SSO     ED            (ED,DIR]

Page 15

URA97 GRANT MODEL: can-assign

ARole   Prereq Cond   Role Range
PSO1    ED            [E1,E1]
PSO1    ED & ¬P1      [Q1,Q1]
PSO1    ED & ¬Q1      [P1,P1]
PSO2    ED            [E2,E2]
PSO2    ED & ¬P2      [Q2,Q2]
PSO2    ED & ¬Q2      [P2,P2]

Page 16

URA97 GRANT MODEL

“redundant” assignments to senior and junior roles
  are allowed
  are useful

Page 17

URA97 REVOKE MODEL

WEAK REVOCATION
  revokes explicit membership in a role
  independent of who did the assignment

Page 18

URA97 REVOKE MODEL

STRONG REVOCATION
  revokes explicit membership in a role and its seniors
  authorized only if corresponding weak revokes are authorized
  alternatives:
    all-or-nothing
    revoke within range

Page 19

URA97 REVOKE MODEL: can-revoke

ARole   Role Range
PSO1    [E1,PL1)
PSO2    [E2,PL2)
DSO     (ED,DIR)
SSO     [ED,DIR]
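The can-assign check of pages 14 and 15 and the weak and strong revocation of pages 17 to 19, worked as an added Python example; this is not code from the slides or from the authors' Oracle implementation. It assumes the senior/junior edges of the role hierarchy on page 12 and the administrative hierarchy on page 13 (only the role names survive in this transcript, so the edges are an assumption), encodes a role range as a (low, low_closed, high, high_closed) tuple, and implements the all-or-nothing alternative of strong revocation.

```python
# Added example, not the slides' code. Role hierarchy as direct "senior -> juniors" edges (slide 12).
JUNIORS = {"DIR": ["PL1", "PL2"], "PL1": ["P1", "Q1"], "PL2": ["P2", "Q2"], "P1": ["E1"],
           "Q1": ["E1"], "P2": ["E2"], "Q2": ["E2"], "E1": ["ED"], "E2": ["ED"], "ED": ["E"], "E": []}
# Administrative role hierarchy (slide 13); edges assumed from the diagram's role names.
ADMIN_JUNIORS = {"SSO": ["DSO"], "DSO": ["PSO1", "PSO2"], "PSO1": [], "PSO2": []}
# can-assign rows (slide 15) and can-revoke rows (slide 19); "~P1" stands for the slide's "¬ P1".
CAN_ASSIGN = [("PSO1", ["ED"], ("E1", True, "E1", True)),
              ("PSO1", ["ED", "~P1"], ("Q1", True, "Q1", True)),
              ("PSO1", ["ED", "~Q1"], ("P1", True, "P1", True)),
              ("PSO2", ["ED"], ("E2", True, "E2", True)),
              ("PSO2", ["ED", "~P2"], ("Q2", True, "Q2", True)),
              ("PSO2", ["ED", "~Q2"], ("P2", True, "P2", True))]
CAN_REVOKE = [("PSO1", ("E1", True, "PL1", False)), ("PSO2", ("E2", True, "PL2", False)),
              ("DSO", ("ED", False, "DIR", False)), ("SSO", ("ED", True, "DIR", True))]
def dominates(h, x, y):
    return x == y or any(dominates(h, j, y) for j in h[x])  # x >= y: reflexive and transitive

def in_range(role, rng):
    lo, lo_closed, hi, hi_closed = rng  # ("E1", True, "PL1", False) encodes the slides' [E1,PL1)
    return (dominates(JUNIORS, role, lo) and dominates(JUNIORS, hi, role)
            and (lo_closed or role != lo) and (hi_closed or role != hi))

def satisfies(ua, user, cond):
    """Literal x holds if the user explicitly holds some x' >= x; ~x holds if no such x'."""
    return all((lit[0] != "~") == any(dominates(JUNIORS, r, lit.lstrip("~"))
                                      for u, r in ua if u == user) for lit in cond)

def assign(ua, arole, user, trole):
    """ASSIGN: allowed if a can-assign row names arole (or an admin role junior to it)."""
    ok = any(dominates(ADMIN_JUNIORS, arole, a) and in_range(trole, rng)
             and satisfies(ua, user, cond) for a, cond, rng in CAN_ASSIGN)
    if ok:
        ua.add((user, trole))
    return ok
def can_weak_revoke(arole, trole):
    return any(dominates(ADMIN_JUNIORS, arole, a) and in_range(trole, rng) for a, rng in CAN_REVOKE)
def weak_revoke(ua, arole, user, trole):
    """WEAK_REVOKE: drops only the explicit membership; membership via senior roles survives."""
    if ok := can_weak_revoke(arole, trole):
        ua.discard((user, trole))
    return ok

def strong_revoke(ua, arole, user, trole):
    """STRONG_REVOKE, all-or-nothing: drops the user's explicit membership in trole and all its seniors."""
    victims = {(u, r) for u, r in ua if u == user and dominates(JUNIORS, r, trole)}
    if not all(can_weak_revoke(arole, r) for _, r in victims):  # only if every weak revoke is authorized
        return False
    ua.difference_update(victims)
    return True
```

The ua set plays the role of the explicit user-role assignment; the assertions a practitioner would check are that ED & ¬Q1 blocks a second project assignment, that a weak revoke of E1 leaves the user an implicit member through Q1, and that a strong revoke fails outright when any affected role lies outside the administrator's range.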

Page 20

ORACLE ROLES

support RBAC1
administrative model has strong discretionary flavor
administrative authority on role implies
  can grant role to any user or role
  can grant role to any role
anyone with grant option on a permission can grant it to any role

Page 21

URA97 IN ORACLE

administrative option for all roles is retained solely with DBA, never given to any user
use generic stored procedures, with URA97 can-assign and can-revoke implemented as relations

Page 22

URA97 IN ORACLE

Oracle primitives for traversing role hierarchy need to be extended

Page 23

can-assign in DNF: ER DIAGRAM

CAN_ASSIGN:  Admin Role, PreCondition, Min_Int, Min Role, Max Role, Max_Int
CAN_ASSIGN2: PreCondition, AND set name, NOT set name
CAN_ASSIGN3: AND set name, AND roles
CAN_ASSIGN4: NOT set name, NOT roles

Page 24

can-revoke RELATION

CAN_REVOKE: Admin Role, Min_Int, Min Role, Max Role, Max_Int

Page 25

ORACLE STORED PROCEDURES

can extend Oracle access control model
limitation: stored procedure can determine who the user is BUT cannot determine active roles of the user

Page 26

URA97 STORED PROCEDURES

ASSIGN(user, trole, arole)
WEAK_REVOKE(user, trole, arole)
STRONG_REVOKE(user, trole, arole)

user: user being added to trole
trole: target role
arole: administrative role used for this operation (due to Oracle limitations)

Page 27

CLOSING REMARKS: PREVIEW OF WORK IN PROGRESS

user-role assignment
  URA97 and Oracle, this paper
  other platforms
permission-role assignment
  PRA97, dual of URA97
  Oracle implementation

Page 28

CLOSING REMARKS: PREVIEW OF WORK IN PROGRESS

role-role hierarchy
  user-only roles (groups): like URA97
  permission-only roles: like PRA97
  user and permission roles: RRA97
