Future Directions in Role-Based Access Control Models Ravi Sandhu Co-Founder and Chief Scientist SingleSignOn.Net & Professor of Information Technology

Future Directions inRole-Based Access Control Models

Ravi Sandhu

Co-Founder and Chief Scientist

SingleSignOn.Net

&

Professor of Information Technology and Engineering

George Mason University

2© Ravi Sandhu 2001

ACCESS CONTROL

Also called Authorization Entitlement

Different from Authentication

Typically requires authentication as a prerequisite


AUTHORIZATION, TRUST AND RISK

Information security is fundamentally about managing authorization and trust

so as to manage risk We don’t know how to do this


ACCESS CONTROL PRINCIPLES

Least privilege Separation of duties Abstract permissions Decentralized administration Keep it simple stupid (KISS)


ACCESS CONTROL MODELS

RBACRole-based

access control

DACDiscretionary

access control

MACMandatory

access control


ACCESS CONTROL MODELS

RBACRole-based

Policy configured

DACIdentity based

Owner controlled

MACLattice based

Policy controlled


WHY DO WE NEED MODELS

Separate the questions of What How

Provide a framework for managing complexity Complex authorization Simple authorization

Allow us to guarantee and understand policy Prove safety theorems Capture policy in constraints








Objectives

Model

Architecture

Mechanism

What?

How?

Assurance


ADMINISTRATIVE RBAC

ROLES

USERS

PERMISSIONS

...

ADMINROLES

ADMINPERMISSIONS


EXAMPLE ROLE HIERARCHY

Employee (E)

Engineering Department (ED)

Project Lead 1(PL1)

Engineer 1(E1)

Production 1(P1)

Quality 1(Q1)

Director (DIR)

Project Lead 2(PL2)

Engineer 2(E2)

Production 2(P2)

Quality 2(Q2)

PROJECT 2PROJECT 1



Employee (E)


Project Lead 1(PL1)

Engineer 1(E1)

Production 1(P1)

Quality 1(Q1)

Project Lead 2(PL2)

Engineer 2(E2)

Production 2(P2)

Quality 2(Q2)

PROJECT 2PROJECT 1



Project Lead 1(PL1)

Engineer 1(E1)

Production 1(P1)

Quality 1(Q1)

Director (DIR)

Project Lead 2(PL2)

Engineer 2(E2)

Production 2(P2)

Quality 2(Q2)

PROJECT 2PROJECT 1



Project Lead 1(PL1)

Engineer 1(E1)

Production 1(P1)

Quality 1(Q1)

Project Lead 2(PL2)

Engineer 2(E2)

Production 2(P2)

Quality 2(Q2)

PROJECT 2PROJECT 1



Objectives

Model

Architecture

Mechanism

What?

How?

Assurance


ACCESS-CONTROL ARCHITECTURESERVER-PULL

Client Server

AuthorizationServer

AuthenticationServer


ACCESS-CONTROL ARCHITECTUREUSER-PULL

Client Server

AuthorizationServer



ACCESS-CONTROL ARCHITECTUREPROXY-BASED

Client ServerProxy


AuthorizationServer



Objectives

Model

Architecture

Mechanism

What?

How?

Assurance


ACCESS-CONTROL MECHANISMSECURE COOKIES IN USER-PULL ARCHITECTURE


ACCESS-CONTROL MECHANISMX.509 CERTIFICATES

X.509 certificates can be used in User-pull architecture Server-pull architecture

Secure cookies inherently user pull








Objectives

Model

Architecture

Mechanism

What?

How?

Assurance


COMPLEX VERSUS SIMPLE AUTHORIZATION

Complex authorization Many roles: hundreds, thousands Dynamic policy and complex

administration Simple authorization

Few roles: tens Static policy and simple administration


COMPLEX AUTHORIZATION

Employee (E)


Project Lead 1(PL1)

Engineer 1(E1)

Production 1(P1)

Quality 1(Q1)

Director (DIR)

Project Lead 2(PL2)

Engineer 2(E2)

Production 2(P2)

Quality 2(Q2)

PROJECT 2PROJECT 1


COMPLEX AUTHORIZATION

Senior Security Officer (SSO)

Department Security Officer (DSO)

Project SecurityOfficer 1 (PSO1)

Project SecurityOfficer 2 (PSO2)


SIMPLE AUTHORIZATION

External User

Internal User Senior Administrator

Junior Administrator


COMPLEX AUTHORIZATION VERSUS COMPLEX PERMISSIONS

A consumer has access to only his own account and to no other account

A branch manager has access to accounts of customers at his branch but no accounts at any other branch








Objectives

Model

Architecture

Mechanism

What?

How?

Assurance


RBAC POLICY

Policy in RBAC is determined by Hierarchies Constraints

MAC and DAC can be configured in RBAC by suitable design of hierarchies and constraints


ROLE-CENTRIC SEPARATION OF DUTIES

Static SOD: Conflicting roles cannot have common users

U = {u1,u2,…un} , R = {r1,r2,…rn},

CR = {cr1,cr2} : cr1 = {r1,r2,r3} , cr2 = {ra,rb,rc}

|roles(OE(U)) OE(CR)| 1


PERMISSION-CENTRIC SEPARATION OF DUTIES

SSOD-CP |permissions(roles(OE(U))) OE(CP)|

1

Variations of SSOD-CP SSOD-CP |permissions(OE(R)) OE(CP)| 1


CONSTRAINTS CHARACTERIZATION

CONSTRAINTS

PROHIBITION OBLIGATION


SIMPLE PROHIBITION CONSTRAINTS

Type 1 expr 1

Type 2 expr or expr 0

Type 3 expr1expr2


SIMPLE OBLIGATION CONSTRAINTS

Type 1 expr 0 or expr 0

Type 2 Set X Set Y

Type 3 obligation constraints obligation constraints

Type 4 expr 1

expr 1 expr 1 expr 0


LOOKING AHEAD

Do we need more models or should we focus on understanding how to make better use of existing models?

How do we know we have a good model?


LOOKING AHEAD

Engineering systems with complex authorizations

Deeper understanding of simple constraints and policy that can serve as building blocks

How to implement a model with different trust and performance tradeoffs

Documents

Future Directions in Role-Based Access Control Models Ravi Sandhu Co-Founder and Chief Scientist SingleSignOn.Net & Professor of Information Technology