Role-Based Access Control Standard
ANSI INCITS 359-2004
James Joshi, Associate Professor
University of Pittsburgh
Dec 22, 2015

Access Control
Access Control refers to ensuring that principals are allowed or denied privileges to access resources.
Basic Access Control Matrix model:
- Subjects: active entities (rows), e.g., user processes
- Objects: passive entities (columns), e.g., files
- Rights: the access-mode entries in each matrix cell, representing what action a subject can perform on the corresponding object
- Confidentiality: authorized to read
- Integrity: authorized to modify

Access Control Matrix
(o: own, r: read, w: write)

Access Matrix (subjects s1-s3 as rows, files f1-f6 as columns):
      f1       f2       f3       f4       f5       f6
s1    -        o, r, w  o, r, w  -        w        -
s2    o, r, w  r        -        -        o, r, w  -
s3    -        r        r        o, r, w  r        o, r, w

The same matrix stored by column, as Access Control Lists (one list per object):
f1: s2 (o, r, w)
f2: s1 (o, r, w); s2 (r); s3 (r)
f3: s1 (o, r, w); s3 (r)
f4: s3 (o, r, w)
f5: s2 (o, r, w); s3 (r); s1 (w)
f6: s3 (o, r, w)

The same matrix stored by row, as Capabilities (one list per subject):
s1: f2 (o, r, w); f3 (o, r, w); f5 (w)
s2: f1 (o, r, w); f5 (o, r, w); f2 (r)
s3: f4 (o, r, w); f2 (r); f3 (r); f5 (r); f6 (o, r, w)

Access Control Models
Several models exist:
- Discretionary Access Control (DAC) model: users can give rights to other users
- Mandatory Access Control (MAC) model: the system enforces mandatory rules
- Some models: Bell-LaPadula model, Biba model of integrity, Clark-Wilson model, Chinese wall model
DAC is too flexible and MAC is often too restrictive.
Researchers have looked for more flexible and more expressive models.
RBAC has been considered a better

RBAC: Role Based Access Control
Access control in organizations is based on “roles that individual users take on as part of the organization”.
Access depends on function, not identity.
Example: Allison is bookkeeper for the Math Dept. She has access to financial records. She leaves and Betty is hired as bookkeeper. The role of “bookkeeper” dictates access, not the identity of the individual.
A role “is a collection of permissions”.
[Figure: users A (Allison) and B (Betty) are assigned to the role BK (bookkeeper); the role, not the user, carries the access privileges]

RBAC – two key advantages
[Figure (a): users u1..un are assigned to a role r, and role r is assigned permissions o1..om; total number of assignments: n + m]
[Figure (b): users u1..un are assigned permissions o1..om directly; total number of assignments: n x m]
Role hierarchy
[Figure: an example role hierarchy over the roles Employee, Engineer, Administrator, SeniorEngineer, SeniorAdministrator and Manager]

RBAC standard
Standards efforts:
- Annual ACM RBAC Workshop in the 1990s
- NIST Standard proposed in 2001 (TISSEC)
- XACML Profile for RBAC
- ANSI INCITS 359-2004 RBAC standard in 2004
The ANSI standard consists of two parts:
- Reference Model
- System and Administrative Functional Specification

ANSI RBAC standard – Reference Model
Basic elements of the model: Users, Roles, Permissions, Relationships
Four model components:
- Core RBAC
- Hierarchical RBAC
- Static Separation of Duty RBAC
- Dynamic Separation of Duty RBAC

Core RBAC
[Figure: Users –UA– Roles –PA– Permissions (Operations on Objects); Sessions are linked to Users by user_sessions (one-to-many) and to Roles by role_sessions (many-to-many)]

Core RBAC (relations)
Permissions = 2^(Operations × Objects)
UA ⊆ Users × Roles
PA ⊆ Permissions × Roles
assigned_users: Roles → 2^Users
assigned_permissions: Roles → 2^Permissions
Op(p): set of operations associated with permission p
Ob(p): set of objects associated with permission p
user_sessions: Users → 2^Sessions
session_user: Sessions → Users
session_roles: Sessions → 2^Roles
session_roles(s) = {r | (session_user(s), r) ∈ UA}
avail_session_perms: Sessions → 2^Permissions

Hierarchical RBAC
[Figure: the Core RBAC diagram (Users –UA– Roles –PA– Permissions over Operations and Objects; Sessions linked by user_sessions and role_sessions) with RH (role hierarchy) added on Roles]

Role Hierarchy
- General Role Hierarchy: inheritance from multiple roles allowed
- Limited Role Hierarchy: no multiple inheritance; single immediate descendant

General Role Hierarchy
A role can inherit from multiple roles.
RH ⊆ Roles × Roles is a partial order called the inheritance relation, written as ≥.
(r1 ≥ r2) ⇒ authorized_users(r1) ⊆ authorized_users(r2) ∧ authorized_permissions(r2) ⊆ authorized_permissions(r1)
authorized_users: Roles → 2^Users
authorized_users(r) = {u | r' ≥ r ∧ (u, r') ∈ UA}
authorized_permissions: Roles → 2^Permissions
authorized_permissions(r) = {p | r ≥ r' ∧ (p, r') ∈ PA}

Limited Role Hierarchy
Imposes a restriction on the immediate descendants of the general role hierarchy.
That is, a Limited Role Hierarchy is a General Role Hierarchy with the following limitation:
∀ r, r1, r2 ∈ Roles: r ≥ r1 ∧ r ≥ r2 ⇒ r1 = r2
In a Limited Role Hierarchy, a role can have only one immediate descendant.

Example
[Figure: the role hierarchy over Employee, Engineer, Administrator, SeniorEngineer, SeniorAdministrator and Manager, with users e1, e2; e3, e4; e5; e6, e7; e8, e9; e10 and permissions px, py; p1, p2; pa, pb; pm, pn; po; pp attached to the roles]
authorized_users(Employee)? authorized_users(Administrator)?
authorized_permissions(Employee)? authorized_permissions(Administrator)?

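The closure the two questions above ask for, as an added worked example (not code from the slides): the hierarchy shape (Manager ≥ SeniorEngineer ≥ Engineer ≥ Employee, Manager ≥ SeniorAdministrator ≥ Administrator ≥ Employee) and the placement of e1..e10 and of the permissions on the roles are assumptions, since the figure is not reproduced.

```python
from typing import Dict, Set

# RH as immediate inheritance edges, senior role -> its junior roles (r ≥ r').
# Assumed shape for the slide's figure: Manager on top, Employee at the bottom.
RH: Dict[str, Set[str]] = {
    "Manager": {"SeniorEngineer", "SeniorAdministrator"},
    "SeniorEngineer": {"Engineer"},
    "SeniorAdministrator": {"Administrator"},
    "Engineer": {"Employee"},
    "Administrator": {"Employee"},
    "Employee": set(),
}
# assigned_users and assigned_permissions (UA and PA grouped by role); the
# placement of users and permissions on roles is assumed for illustration.
ASSIGNED_USERS: Dict[str, Set[str]] = {
    "Employee": {"e1", "e2"}, "Engineer": {"e3", "e4"}, "Administrator": {"e5"},
    "SeniorEngineer": {"e6", "e7"}, "SeniorAdministrator": {"e8", "e9"},
    "Manager": {"e10"},
}
ASSIGNED_PERMS: Dict[str, Set[str]] = {
    "Employee": {"px", "py"}, "Engineer": {"p1", "p2"}, "Administrator": {"pa", "pb"},
    "SeniorEngineer": {"pm", "pn"}, "SeniorAdministrator": {"po"}, "Manager": {"pp"},
}

def juniors(r: str) -> Set[str]:
    """All r' with r ≥ r': the reflexive, transitive closure downwards."""
    seen: Set[str] = set()
    stack = [r]
    while stack:
        x = stack.pop()
        if x not in seen:
            seen.add(x)
            stack.extend(RH[x])
    return seen

def seniors(r: str) -> Set[str]:
    """All r' with r' ≥ r: every role whose downward closure contains r."""
    return {x for x in RH if r in juniors(x)}

def authorized_users(r: str) -> Set[str]:
    """{u | r' ≥ r ∧ (u, r') ∈ UA}: users flow down from senior roles."""
    return set().union(*(ASSIGNED_USERS[x] for x in seniors(r)))

def authorized_permissions(r: str) -> Set[str]:
    """{p | r ≥ r' ∧ (p, r') ∈ PA}: permissions flow up from junior roles."""
    return set().union(*(ASSIGNED_PERMS[x] for x in juniors(r)))
```

Under these assumptions authorized_users(Employee) is all ten users while authorized_permissions(Employee) is only {px, py}, and authorized_users(Administrator) is {e5, e8, e9, e10} with authorized_permissions(Administrator) = {pa, pb, px, py}.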
Constrained RBAC: SSD RBAC & DSD RBAC
[Figure: the Hierarchical RBAC diagram (Users –UA– Roles –PA– Permissions over Operations and Objects; Sessions linked by user_sessions; RH on Roles) with a Static Separation of Duty constraint on UA/RH and a Dynamic Separation of Duty constraint on the roles activated in Sessions]

Separation of Duty
SoD is a widely recognized security principle.
It captures conflict-of-interest policies that restrict the authority of a single individual, to prevent fraud.
Example: a single person should not be allowed to “approve a check” and “cash it”.

Static Separation of Duty
SSD ⊆ 2^Roles × N, in absence of hierarchy
Collection of pairs (RS, n) where RS is a role set and n ≥ 2;
for all (RS, n) ∈ SSD, for all t ⊆ RS: |t| ≥ n ⇒ ∩_{r ∈ t} assigned_users(r) = ∅
Example: assume u1, u2, u3 are assigned to r1 and u2, u4 are assigned to r2. Is ({r1, r2}, 2) ∈ SSD valid?
Example: ({r1, r2}, 2) ∈ SSD

Static Separation of Duty
SSD ⊆ 2^Roles × N, in presence of hierarchy
Collection of pairs (RS, n) where RS is a role set and n ≥ 2;
for all (RS, n) ∈ SSD, for all t ⊆ RS: |t| ≥ n ⇒ ∩_{r ∈ t} authorized_users(r) = ∅
Example: assume u1, u2, u3 are assigned to r1 and u4 is assigned to r2. Is ({r1, r2}, 2) ∈ SSD valid? What if u2 is assigned to r3 and r3 ≥ r2?
Example: ({r1, r2, r3}, 2) ∈ SSD

Dynamic Separation of Duty
DSD ⊆ 2^Roles × N
Collection of pairs (RS, n) where RS is a role set and n ≥ 2;
a user cannot activate n or more roles from RS.
What is the difference between SSD and DSD containing (RS, n)?
Consider (RS, n) = ({r1, r2, r3}, 2). If SSD, can r1, r2 and r3 be assigned to u? If DSD, can r1, r2 and r3 be assigned to u?

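The SSD checks from the two Static Separation of Duty slides and the DSD activation rule from this slide, as an added example (not code from the slides); the users, roles and the hand-written hierarchy closure for r3 ≥ r2 follow the slides' own examples.

```python
from itertools import combinations
from typing import Dict, Iterable, List, Set, Tuple

Constraint = Tuple[Set[str], int]   # (RS, n) with n ≥ 2

def ssd_satisfied(ssd: Iterable[Constraint], users_of: Dict[str, Set[str]]) -> bool:
    """For every (RS, n) and every t ⊆ RS with |t| = n, no user is in users_of(r)
    for all r in t. Checking |t| = n suffices: a larger t only shrinks the intersection.
    users_of is assigned_users without a hierarchy, authorized_users with one."""
    for rs, n in ssd:
        for t in combinations(sorted(rs), n):
            if set.intersection(*(users_of[r] for r in t)):
                return False
    return True

def dsd_allows(dsd: Iterable[Constraint], active: Set[str], new_role: str) -> bool:
    """DSD: a session may never hold n or more roles of any RS at the same time."""
    proposed = active | {new_role}
    return all(len(proposed & rs) < n for rs, n in dsd)

# Slide example, no hierarchy: u1, u2, u3 on r1; u2, u4 on r2.
ASSIGNED_NO_HIER = {"r1": {"u1", "u2", "u3"}, "r2": {"u2", "u4"}}
# Slide example with hierarchy: u1, u2, u3 on r1; u4 on r2; u2 on r3 with r3 ≥ r2.
ASSIGNED_HIER = {"r1": {"u1", "u2", "u3"}, "r2": {"u4"}, "r3": {"u2"}}
# Because r3 ≥ r2, authorized_users(r2) also contains r3's users (closure written out).
AUTHORIZED_HIER = {"r1": ASSIGNED_HIER["r1"],
                   "r2": ASSIGNED_HIER["r2"] | ASSIGNED_HIER["r3"],
                   "r3": ASSIGNED_HIER["r3"]}

def ssd_valid_without_hierarchy() -> bool:
    return ssd_satisfied([({"r1", "r2"}, 2)], ASSIGNED_NO_HIER)   # u2 holds both -> False

def ssd_valid_with_hierarchy(use_closure: bool) -> bool:
    users_of = AUTHORIZED_HIER if use_closure else ASSIGNED_HIER
    return ssd_satisfied([({"r1", "r2"}, 2)], users_of)          # True only without closure

# ({r1, r2, r3}, 2) as a DSD constraint: u may be assigned all three roles,
# but a single session can activate at most one of them.
DSD = [({"r1", "r2", "r3"}, 2)]

def activation_trace() -> List[Tuple[str, bool]]:
    """Try to activate r1, r2, r3 in turn in one session; record what DSD allows."""
    active: Set[str] = set()
    trace = []
    for r in ("r1", "r2", "r3"):
        ok = dsd_allows(DSD, active, r)
        if ok:
            active.add(r)
        trace.append((r, ok))
    return trace                         # [('r1', True), ('r2', False), ('r3', False)]
```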
ANSI RBAC standard – Functional specification
- Administrative operations: creation and maintenance of sets and relations
- Administrative review functions: to perform administrative queries
- System level functionality: creating and managing RBAC attributes on user sessions and making access decisions

Functional components for Core RBAC
Administrative commands: AddUser, DeleteUser, AddRole, DeleteRole, GrantPermissions, RevokePermissions, AssignUser, DeassignUser, CreateSession, DeleteSession, AddActiveRole, DropActiveRole
Supporting system functions: CreateSession, DeleteSession, AddActiveRole, DropActiveRole, CheckAccess

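An added example (not code from the slides or the standard) of the Core RBAC relations from the reference model slide driving the system functions just listed, CreateSession, AddActiveRole, DropActiveRole and CheckAccess; the users, roles, the ledger object and the session store are constructed, and the bookkeeper role follows the earlier Allison example.

```python
from typing import Dict, Set, Tuple

Permission = Tuple[str, str]      # (operation, object) ∈ Operations × Objects
# UA ⊆ Users × Roles and PA ⊆ Permissions × Roles, constructed for this example.
UA: Set[Tuple[str, str]] = {("allison", "bookkeeper"), ("bob", "clerk")}
PA: Set[Tuple[Permission, str]] = {
    (("read", "ledger"), "clerk"),
    (("read", "ledger"), "bookkeeper"),
    (("write", "ledger"), "bookkeeper"),
}
# session id -> session_user(s) and session_roles(s)
SESSIONS: Dict[str, dict] = {}

def assigned_roles(user: str) -> Set[str]:        # {r | (user, r) ∈ UA}
    return {r for (u, r) in UA if u == user}

def assigned_permissions(role: str) -> Set[Permission]:   # {p | (p, role) ∈ PA}
    return {p for (p, r) in PA if r == role}

def create_session(sid: str, user: str, roles: Set[str] = frozenset()) -> None:
    """A session activates only a subset of the user's assigned roles (least privilege)."""
    if not set(roles) <= assigned_roles(user):
        raise PermissionError("role not assigned to user")
    SESSIONS[sid] = {"user": user, "roles": set(roles)}

def add_active_role(sid: str, role: str) -> None:
    s = SESSIONS[sid]
    if role not in assigned_roles(s["user"]):     # keeps session_roles(s) ⊆ UA-roles
        raise PermissionError("role not assigned to session user")
    s["roles"].add(role)

def drop_active_role(sid: str, role: str) -> None:
    SESSIONS[sid]["roles"].discard(role)

def avail_session_perms(sid: str) -> Set[Permission]:
    """Union of assigned_permissions over the session's active roles."""
    return set().union(*(assigned_permissions(r) for r in SESSIONS[sid]["roles"]))

def check_access(sid: str, operation: str, obj: str) -> bool:
    return (operation, obj) in avail_session_perms(sid)

def demo() -> Tuple[bool, bool, bool]:
    """write on ledger before, during and after the bookkeeper role is active."""
    create_session("s1", "allison")                  # assigned, but nothing active yet
    before = check_access("s1", "write", "ledger")   # False
    add_active_role("s1", "bookkeeper")
    during = check_access("s1", "write", "ledger")   # True
    drop_active_role("s1", "bookkeeper")
    after = check_access("s1", "write", "ledger")    # False
    return before, during, after
```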
Functional components for Core RBAC
Review functions: AssignedUsers, AssignedRoles, RolePermissions, UserPermissions, SessionRoles, SessionPermissions, RoleOperationsOnObject, UserOperationsOnObject
For the other RBAC components:
- Extended/redefined set with regard to inheritance
- Extended/redefined with regard to SSD/DSD

Functional Specification Packages
Methodology for creating functional packages:
- Core RBAC
- Hierarchical RBAC: (a) General, (b) Limited
- SSD Relations: (a) with hierarchy, (b) without hierarchy
- DSD Relations

Advantages of RBAC
- Allows efficient security management: administrative roles, role hierarchy
- Principle of least privilege allows minimizing damage
- Separation of Duty constraints to prevent fraud
- Allows grouping of objects / users
- Policy-neutral: provides generality; encompasses DAC and MAC policies

RBAC’s Economic Benefits
Cost Benefits
- Saves about 7.01 minutes per employee, per year in administrative functions
- Assume an average IT admin salary of $59.27 per hour
- The annual cost saving is $6,924 for 1,000 employees and $692,471 for 100,000 employees

Quantified Economic Benefits
NIST did an economic benefit survey analysis in 2009:
- More efficient provisioning by network and systems administrators,
- Reduced employee downtime from more efficient provisioning, and
- More efficient access control policy maintenance and certification

Quantified Economic Benefits
Quantified economic benefits of RBAC for adopting firms, per employee
[Table not reproduced] From NIST Report: 2010 Economic Analysis of Role-Based Access Control

RBAC Extensions
Several extensions have been made to make RBAC applicable to different application scenarios:
- TRBAC/GTRBAC (time-based RBAC)
- LoT/Geo RBAC (location-based)
- GeoSocial RBAC
- Privacy-aware RBAC
- etc.

Summary
- Overview of the ANSI RBAC standard
- Four component models
- Functional Specification
- Advantages and Economic benefits