Professional Documents
Culture Documents
and
so as to manage risk
Ravi Sandhu
SOLUTIONS
v OM-AM v RBAC v PKI v and
others
Ravi Sandhu
A s s u r a n c e
4
Ravi Sandhu
A s s u r a n c e
6
A s s u r a n c e
7
A s s u r a n c e
8
Ravi Sandhu
is a framework to help in articulating policy v The main point of RBAC is to facilitate security management
Ravi Sandhu
10
Ravi Sandhu
11
v can
be configured to do DAC
roles
Ravi Sandhu
12
WHAT IS RBAC?
v multidimensional v open
Ravi Sandhu
13
RBAC CONUNDRUM
v turn
on all roles all the time v turn on one role only at a time v turn on a user-specified subset of roles
Ravi Sandhu
14
RBAC2 CONSTRAINTS
15
RBAC0
USER-ROLE ASSIGNMENT USERS PERMISSION-ROLE ASSIGNMENT ROLES PERMISSIONS
...
Ravi Sandhu
SESSIONS
16
PERMISSIONS
v Primitive
read,
permissions permissions
v Abstract
credit,
Ravi Sandhu
17
PERMISSIONS
v System v Object
read,
permissions
Auditor
permissions
Ravi Sandhu
18
PERMISSIONS
v Permissions
v No
duties or obligations
outside scope of access control
Ravi Sandhu
19
ROLES AS POLICY
vA
role has significance and meaning beyond the particular users and permissions brought together at any moment
20
Ravi Sandhu
collection of users
vA
role is
collection of permissions
21
Ravi Sandhu
USERS
v Users
are
human
Ravi Sandhu
22
USER-ROLE ASSIGNMENT
vA
user can be a member of many roles v Each role can have many users as members
Ravi Sandhu
23
SESSIONS
vA
user can invoke multiple sessions v In each session a user can invoke any subset of roles that the user is a member of
Ravi Sandhu
24
PERMISSION-ROLE ASSIGNMENT
vA
permission can be assigned to many roles v Each role can have many permissions
Ravi Sandhu
25
MANAGEMENT OF RBAC
v Option
1: USER-ROLE-ASSIGNMENT and PERMISSION-ROLE ASSIGNMENT can be changed only by the chief security officer v Option 2: Use RBAC to manage RBAC
Ravi Sandhu
26
RBAC1
ROLE HIERARCHIES USER-ROLE ASSIGNMENT USERS ROLES PERMISSION-ROLE ASSIGNMENT PERMISSIONS
...
Ravi Sandhu
SESSIONS 27
HIERARCHICAL ROLES
Primary-Care Physician Specialist Physician
Physician
Health-Care Provider
Ravi Sandhu
28
HIERARCHICAL ROLES
Supervising Engineer
Hardware Engineer
Software Engineer
Engineer
Ravi Sandhu
29
PRIVATE ROLES
Hardware Engineer Supervising Engineer Software Engineer
Hardware Engineer
Software Engineer
Engineer
Ravi Sandhu
30
Engineer 1 (E1)
PROJECT 1
PROJECT 2
Ravi Sandhu
Employee (E)
31
Engineer 1 (E1)
PROJECT 1
PROJECT 2
Ravi Sandhu
Employee (E)
32
Engineer 1 (E1)
Engineer 2 (E2)
PROJECT 1
PROJECT 2
Ravi Sandhu
33
Engineer 1 (E1)
Engineer 2 (E2)
PROJECT 1
PROJECT 2
Ravi Sandhu
34
RBAC3
ROLE HIERARCHIES USER-ROLE ASSIGNMENT USERS ROLES PERMISSIONS-ROLE ASSIGNMENT PERMISSIONS
...
Ravi Sandhu
SESSIONS CONSTRAINTS 35
CONSTRAINTS
v Mutually
Static
Exclusive Roles
Exclusion: The same individual can never hold both roles Dynamic Exclusion: The same individual can never hold both roles in the same context
Ravi Sandhu
36
CONSTRAINTS
v Mutually
Static
Exclusive Permissions
Exclusion: The same role should never be assigned both permissions Dynamic Exclusion: The same role can never hold both permissions in the same context
Ravi Sandhu
37
CONSTRAINTS
v Cardinality
At
Ravi Sandhu
38
CONSTRAINTS
v Cardinality
At
Ravi Sandhu
39