Advanced Access Control. Role-Based Access Control. Common Concepts. General RBAC Rules RBAC96

Similar documents
Trust Management: An Overview

CS590U Access Control: Theory and Practice. Lecture 12 (February 23) Role Based Access Control

KeyNote: Trust Management for Public-Key. 180 Park Avenue. Florham Park, NJ USA.

CS590U Access Control: Theory and Practice. Lecture 15 (March 1) Overview of Trust Management

Information Security CS 526

Core Role Based Access Control (RBAC) mechanism for MySQL

Policy, Models, and Trust

Data Security and Privacy. Topic 8: Role Based Access Control

Access Control Models Part II

Chapter 4: Access Control

CSC 474/574 Information Systems Security

Access Control Mechanisms

Access control models and policies. Tuomas Aura T Information security technology

The R BAC96 RBAC96 M odel Model Prof. Ravi Sandhu

Network Working Group. A. Keromytis U. of Pennsylvania March DSA and RSA Key and Signature Encoding for the KeyNote Trust Management System

Secure Role-Based Workflow Models

RBAC: Motivations. Users: Permissions:

AN ACCESS CONTROL AND TRUST MANAGEMENT FRAMEWORK FOR LOOSELY-COUPLED MULTIDOMAIN ENVIRONMENTS. Yue Zhang. Submitted to the Graduate Faculty of

Category: Informational January 2010 ISSN:

An Object-Dependent and Context Constraints-Aware Access Control Approach Based on RBAC

CSE509: (Intro to) Systems Security

Information Security & Privacy

A Modal Logic for Role-Based Access Control

Introduction to Security

Introduction p. 1 The purpose and fundamentals of access control p. 2 Authorization versus authentication p. 3 Users, subjects, objects, operations,

A Framework for Enforcing Constrained RBAC Policies

Chapter 7: Hybrid Policies

On Mutually-Exclusive Roles and Separation of Duty

Outlines. Design of A Role -based Trustmanagement. Permission-based (capability-style) What We Mean by Trust- Management? Systems?

Distributed Trust. John Ioannidis, AT&T Labs Research. Angelos D. Keromytis, Columbia University

Access control models and policies

Identity-based Access Control

Computer Security. Access control. 5 October 2017

Administration of RBAC

Computer Security 3e. Dieter Gollmann. Chapter 5: 1

INHERITANCE PROPERTIES OF ROLE HIERARCHIES. W.A. Jansen National Institute of Standards and Technology Gaithersburg, MD 20899, USA

CSE Computer Security

Outline. Modeling Trust in Distributed Systems. Supply Chain Management. Problem. Problems. Ontology. Background. Processing Limitations

Mobile and Heterogeneous databases Security. A.R. Hurson Computer Science Missouri Science & Technology

Practical Safety in Flexible Access Control Models

Distributed Access Control. Trust Management Approach. Characteristics. Another Example. An Example

Efficient Role Based Access Control Method in Wireless Environment

Towards Modal Logic Formalization of Role-Based Access Control with Object Classes

Access control models and policies

Governance, Risk, and Compliance Controls Suite. Release Notes. Software Version

Expires: 11 October April 2002

IBM Security Identity Manager Version Planning Topics IBM

A Context-sensitive Access Control Model and Prototype Implementation

Module 4: Access Control

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

Formal Specification for Role Based Access Control User/Role and Role/Role Relationship Management

Role-Evolution in Role-based Access Control System Suganthy. A * Department of Banking Technology Pondicherry University, Puducherry, India

Access Control (slides based Ch. 4 Gollmann)

Chapter 8: Class and Method Design

Access Control. Discretionary Access Control

Access Control. Discretionary Access Control

Applying the Semantic Web Layers to Access Control

CS590U Access Control: Theory and Practice. Lecture 18 (March 10) SDSI Semantics & The RT Family of Role-based Trust-management Languages

Draft. Policies of Colorado State University University Policy. Category: Information Technology

Separation of Duty in Role-Based Access Control Model through Fuzzy Relations

Type Checking and Type Equality

Hong Kong Access Federation (HKAF) Identity Provider Management Standard Version 1.0

Authorization in Trust Management: Features and Foundations

Labels and Information Flow

Delegation Logic: A Logic-based Approach to Distributed Authorization

TRANSLATION GUIDELINES

Trust is the Foundations for Computer Security

Network Working Group. AT&T Labs - Research A. Keromytis U. of Pennsylvania September 1999

Identity, Authentication and Authorization. John Slankas

? Resource. Announcements. Access control. Access control in operating systems. References. u Homework Due today. Next assignment out next week

CS 591: Introduction to Computer Security. Lecture 3: Policy

CSE 127: Computer Security. Security Concepts. Kirill Levchenko

Integrity Constraints For Access Control Models

PERMIS An Application Independent Authorisation Infrastructure. David Chadwick

CS 356 Lecture 7 Access Control. Spring 2013

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

Secure Active Network Environment (SANE) Trust, but Verify

TRUST IDENTITY. Trusted Relationships for Access Management: AND. The InCommon Model

General Access Control Model for DAC

Single Academy Trust Structure

FedRAMP Digital Identity Requirements. Version 1.0

Conflict Checking of Separation of Duty Constraints in RBAC - Implementation Experiences

Access Control Policy

Post-Class Quiz: Access Control Domain

Modeling and Reasoning about Business Processes under Authorization Constraints: a Planning-based Approach

The Eight Rules of Security

Access Control Models

Optimized Multi-Domain Secure Interoperation using Soft Constraints

Overview. Evolution of Access Control in Commercial Products. Access Control is Different from other Mechanisms. Security Policies

Coding and Unit Testing! The Coding Phase! Coding vs. Code! Coding! Overall Coding Language Trends!

Xerox FreeFlow Print Server. Security White Paper. Secure solutions. for you and your customers

1. Federation Participant Information DRAFT

SmartAccess: An Intelligent Proactive Role-Based Authorization System

Records Management Metadata Standard

Integrity and Security

Statecharts. Chapter Interplay of Statecharts with Prolog

Comparison of Various Role Based Access Control Scheme

USING PARAMETERIZED UML TO SPECIFY AND COMPOSE ACCESS CONTROL MODELS

Technical Trust Policy

Towards a Long Term Research Agenda for Digital Library Research. Yannis Ioannidis University of Athens

Transcription:

Advanced Access Control In many cases, identity is a bad criteria for authorization. We examine two modern paradigms for access control, which overcome this limitation: 1. Role-Based Access Control 2. Trust Management Systems Role-Based Access Control In many cases, authorization should be based on the function (role) of the subject in the manipulation of the object Examples Function in a bank branch teller clerks financial advisors Bank manager Function in a hospital Doctors (GP, consultant, treating doctor, ) Nurses (ward nurse, nurse, ) Hospital administrators Functions at a university Academics (teachers, research fellows, ) Non-academic staff (secretaries, system administrators, ) Students 02230 Data Security 2 Common Concepts Definitions: Active role: AR(s : subject) = (the active role for subject s) Authorized : RA(s : subject) = {authorized for subject s} Authorized transactions: TA(r : role) = {authorized transactions for role r} Predicate exec: exec(s : subject, t : transaction) = true iff s can execute t Session: Binds a user to a set of currently activated General RBAC Rules Rules: 1. Role assignment: s : subject, t : transaction (exec(s,t) AR(s) ) A subject can only execute a transaction if it has selected a role 2. Role authorization: s : subject (AR(s) RA(s)) A subject s active role must be authorized for the subject 3. Transaction authorization: s : subject, t : transaction (exec(s,t) t TA(AR(s))) A subject can only execute a transaction if it is authorized for its active role 02230 Data Security 3 02230 Data Security 4 RBAC96 RBAC 0 Role-Based Access Control was defined by Ferraiolo & Kuhn from NIST in 1992 A family of related RBAC models were defined by Sandhu et al. in 1996 this family is commonly known as RBAC96 RBAC96 forms the basis for most of the continued work on Role-based Access Control RBAC 3 RBAC96 defines the following models: Extends RBAC RBAC 1 0 with role hierarchies Combines RBAC 1 and RBAC 2 RBAC 2 Extends RBAC 0 with constraints RBAC 0 Basic RBAC model 02230 Data Security 5 02230 Data Security 6 1

, & In RBAC, a user is a human being, though it can be generalized to include other active agents Each individual should be known as exactly one user are always positive No negative permission. Denial of access is modelled as a constraint (RBAC 2 and RBAC 3 ) A permission can be defined for a single object or a set of objects Depends on applications RBAC 0 Formal Definition U, R, P, and S,, permissions, sessions PA P R: permission-role assignment UA U R: user-role assignment user: S U, : S 2 R, (s) {r (user(s),r) UA}, : S 2P (s) U r (s) {p/(p,r) PA} 02230 Data Security 7 02230 Data Security 8 RBAC 1 (RH) Transitive Inheritance of General Practitioner Hospital Consultant Doctor Health Care Provider 02230 Data Security 9 02230 Data Security 10 Multiple Inheritance of Software Supervising Hardware Semantics of Role Hierarchies User inheritance r1 r2 means every user that is a member of r1 is also a member of r2 Permission inheritance r1 r2 means every permission that is authorized for r2 is also authorized r1 Activation inheritance r1 r2 means that activating r1 will also activate r2 02230 Data Security 11 02230 Data Security 12 2

RBAC 1 Formal Definition RBAC 2 U, R, P, S, PA, UA and user are same as RBAC 0 RH R R, a partial order with dominance relation, : S 2 R, (s) {r ( r' r) [(user(s),r') UA]}, : S 2 P (s) U r (s) {p ( r'' r)[(p,r'') PA]} Constraints 02230 Data Security 13 02230 Data Security 14 RBAC Constraints Mutually Exclusive (Separation of Duty - SoD) Static Exclusion (static SoD): The same individual user can never hold mutually exclusive (by UA) Dynamic Exclusion (dynamic SoD): The same individual user can never hold mutually exclusive in single session Mutually Exclusive Static Exclusion (static SoD): Two mutually exclusive cannot be assigned with the same permissions Dynamic Exclusion (dynamic SoD): Two mutually exclusive can be assigned with the same permissions but cannot be activated at the same time by different Mutually Exclusive Static Exclusion (static SoD): The same role should never be assigned to mutually exclusive permissions Dynamic Exclusion (dynamic SoD): The same role can never hold mutually exclusive permissions in single session Dynamic Constraints Constraints may also consider other elements: Physical environment Location (certain can only be activated in certain places) Time (time-lock on till or safe) Execution history Enforces well-formed transactions Context Business meetings Emergencies Games 02230 Data Security 15 02230 Data Security 16 RBAC 3 RBAC Summary (RH) Constraints add a useful level of indirection, which allows aggregation of and permissions Fewer relationships to manage from O(mn) to O(m+n), where m is the number of and n is the number of permissions Role hierarchies allow to assume more specialized (with more permissions) as needed This helps enforce the principle of least privilege Constraints allow enforcement of separation of duty and dynamic adaptation of policies to the current context, e.g., Chinese Wall policy 02230 Data Security 17 02230 Data Security 18 3

Pause Back in 15 minutes Trust Management Term coined by Matt Blaze in 1996 Provides (partial) answer to questions like: Should I perform this (dangerous) action? Why should this principal be granted this privilege? Systematic approach to managing: Security policies, credentials and trust relationships Based on compliance checking, not human notion of trust 02230 Data Security 19 02230 Data Security 20 Compliance Checking Provides advice to applications on whether dangerous actions should be permitted Compliance checker uses local policy and signed credentials in these decisions Only actions that conform to policy are allowed As long as all dangerous actions are checked with the compliance checker, we know that the security policy is being followed Distributed Policies Ideally policies are stored in one place and specified by one person In reality, different parts of the policy often come from different places (and authorities) Delegation of authorization Different administrators for different services Multiple requirements for access There may not even be a single complete statement of the policy Large scale systems imply high complexity in managing specification, location and consistency of policy components 02230 Data Security 21 02230 Data Security 22 Policies and Credentials A policy specifies who is allowed to do what who may be a public-key what may be a potentially dangerous action A credential delegates authorization to someone else someone else may also be a public-key Distributed systems blur the distinction between policies and credentials A credential is a policy signed by someone who are authorized to do so Trust Management Elements A language for Actions Operations with security implications for applications A naming scheme for Principals Entities that can be authorized to request actions A language for Policies Govern the actions that principals are authorized for A language for Credentials Allow principals to delegate authorization A Compliance Checker and interface Service that determines whether a requested action should be allowed, based on policy and a set of credentials 02230 Data Security 23 02230 Data Security 24 4

Trust Management Architecture KeyNote credentials action requests credential system local policy DB signed creds. local policies Compliance Checker (PolicyMaker, KeyNote or REFEREE Interpreter) Key & action desciption response application trust boundary 02230 Data Security 25 02230 Data Security 26 Typical Trust Management Languages PolicyMaker Blaze, Feigenbaum and Lazy (1996) Compliance checking formalized in Blaze, Feigebaum and Strauss (1998) Very general, designed more for study than for use KeyNote Blaze, Feigenbaum, Ioannidis, Keromytis (1997) Defined in RFC 2704 Designed to be used, especially in Internet apps. Both share the same basic semantic structure Based on assertions Assertions Authorize principals to perform actions Policies are defined by a collection of assertions Assertions contain two basic parts: A principal identifier (key or key expression) allows the principal to be authenticated Action predicate Principal is authorized to perform actions that pass the action predicated Assertions can be signed by keys Signed assertions are credentials 02230 Data Security 27 02230 Data Security 28 Assertion Syntax principal is-authorized-for predicate {signed-by authorizer} The keys in principal are authorized for actions that pass the predicate according to authorizer Exmple of Keynote assertion syntax: Authorizer: <keyword POLICY or signer s public-key> Licensees: <principal, tests signer keys> Conditions: <trust-expression, tests action attributes> Signature: <encoding of signature, for signed credentials> Compliance Checking Semnatics An action is allowed if any policy assertion allows it An assertion is considered to allow an action if its predicate passes and either The action was directly requested by the assertions licensees The action was approved by some other assertion signed by the licensees 02230 Data Security 29 02230 Data Security 30 5

Compliance Checking Process Application collects appropriate assertions Local, trusted root policy assertions Credentials signed by someone else Application forms action description Collection of free form attributes Associated with principal identifier (ID or key) Compliance Checker finds compliance value Evaluates action against conditions in assertions forming a graph between root policy and requestor Binary: allowed/denied, or multi-valued Assertion Monotonicity Assertions are monotone Adding an assertion can never cause an acction to become disallowed Deleting an assertion will never cause a disallowed action to become allowed Nothing is allowed unless explicitly allowed by an assertion Implications of monotonicity Safe for distributed systems Missing assertions cannot cause policy violations Set of allowing assertions constitute proof of compliance Clients can collect appropriate signed assertions and present them to server No conflicts If an action can be allowed it will be allowed 02230 Data Security 31 02230 Data Security 32 Summary of Trust Management Appropriate for large-scale distributed systems Decentralized policy specification and storage Decentralized (autonomous) policy enforcement Provides both decision and reason for decision List of credentials used to authorize request Facilitates dynamic evolution of policy Incremental addition of assertions allows policies to evolve, e.g., adding new principals//permissions/resources Well suited for dynamic open systems (pervasive computing) 02230 Data Security 33 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback