Title: Overview of RBAC
Author: Frank Appiah
Version: 1.0
Date: 26/10/10
©2010 All Rights Reserved.

This report provides a technical overview of RBAC (Role-Based Access Control) in the sense of its shortcomings and the potential extensions that can be made to enhance the expressiveness and richness of RBAC. Despite the wide use and adoption of the American National Standards Institute (ANSI) standard on RBAC in the commercial arena, it still has some associated problems (limitations) that need to be confronted and resolved. The report seeks not to provide an alternative to RBAC but to bring to bear the enhancements that have been made. It is also meant to provide a supplementary short and concise overview of RBAC.

1 Introduction

Lampson[8] introduced some basic ideas about discretionary access control (DAC), but DAC has an inherent weakness: information can be copied from one object to another. It is difficult for DAC to enforce a safety policy and to protect against some security attacks. Mandatory access control (MAC) was invented in order to overcome the shortcomings of DAC and to enforce lattice-based confidentiality policies in the face of Trojan Horse attacks. Sandhu et al[7] presented the now standardised Role-Based Access Control (RBAC), which was considered a promising alternative to resolve the shortcomings of both DAC and MAC. RBAC as a model provides some merits, and these have contributed to its wide use. It can easily mirror an organization's structure and encourages well-structured access control policies. It provides a powerful mechanism for reducing the complexity, cost and potential errors of assigning permissions to users within the organization. It naturally supports delegation of access permissions. The most common method of implementing access control in a computer system is through access control lists (ACL). Despite the wide use and adoption of the ANSI standard on Role-Based Access Control (RBAC) in the commercial arena, it still has some associated limitations that need to be confronted and resolved.

2 Shortcomings of RBAC

In this section, I will discuss some notable shortcomings of RBAC. The identified shortcomings of RBAC are collectively grouped into two groups, namely: vagueness and limited expressiveness. The subsections below provide a thorough overview of these shortcomings.

Vagueness

The RBAC standard is vague to some margin on the following points:

● [Notion of Role:] A role in ANSI RBAC[11] is established as a job function within the context of an organisation, with some associated semantics regarding the authority and responsibility conferred on the user assigned to the role ([11], p. 233). What a role in RBAC represents is not definitely established, and this poses a lot of questions. Within an organisational context, is a role just a job function formally, or should a role be understood functionally? Is a role simply an identifier for a particular type of ascribed status? The name of a set (of role members? of permissions?)

● [Hierarchy issues in RBAC:] Hierarchical RBAC adds requirements for supporting role hierarchies[11]. Demonstratively, the Hierarchical RBAC component mathematically defines a partial order of seniority relation between roles, which seems to be inappropriate when issues like update of roles are taken into consideration. RBAC's
failure to address this issue poses a lot of questions and puts a burden on the development of an effective administrative RBAC model. This exposes the vagueness of ANSI RBAC as a standard. According to ANSI RBAC, the partial order of seniority between roles means that senior roles acquire the permissions of junior roles and junior roles acquire the user membership of the senior roles. This poses the following questions:

1. Is this unconstrained upward inheritance, which violates least privilege?
2. Is role activation transitive? When there is no session then role activation does not exist at all, which greatly affects the notion of role activation (transitivity). With Single Role Activation (SRA), there is only one role activation in a session, which makes Role Activation (RA) transitivity not applicable.
3. What is the correct semantics of SoD (Separation of Duties) with inheritance?

The standard is unclear about these issues, and they are left as an implementation issue with no one solution.

Limited Expressiveness

ANSI RBAC as a standard failed to address the expressiveness and richness of the model, that is, to definitely establish how access control for some different context, aside from the organisational picture painted in the standard, should be confronted. Below are some of the few points to back the point of limited expressiveness in RBAC:

● [No Usage Control:] In this global era, digital objects are all around us and it is important to allow privileged access with consumable functionality to avoid abuse and help protect the works of others. For example, a payment made with your credit card to buy a ticket to watch a movie can be used only once at the cinema, or a SaaS provider can provide software for other companies who have purchased a consumable number of accesses, which is addressed either by decreasing their access counter by 1 or by increasing the cost by a certain amount until the maximum they have paid for is reached. Controlling usage of sensitive information requires protection of digital information that may be important to organisations and nations. Relatedly, Content Providers' interest belongs here also: to maximize ROI (Return on Investment) to run the company. RBAC as a standard did not take into account how this kind of usage control can be catered for in the scenario described above. Usage access control does not fall into RBAC's notion of job function and the organisational picture painted to us. RBAC's failure to address this type of access control has introduced a limited expressive power into the model; its standing as a standard is questionable and it possibly needs an extension.

● [Negative authorisation:] RBAC failed to express how negative authorisation should be carried out, and ANSI RBAC claims to satisfy least privilege without addressing how; this concern poses a lot of questions that need to be answered.

● [Limited Status Control:] The ANSI RBAC model in a distributed sense fails to scale because of the bottleneck introduced in the model. The standard RBAC model assumed a relatively static access environment which will be administered by human users with complete knowledge of users, job functions, qualifications and responsibilities, and this tends not to be available in a dynamic distributed setting like a ubiquitous system, for example a distributed sensor system for weather forecasting. Barker[3] for example pointed out that the model is also concerned with a one-type ascribed status, an assignment of a user to a role. According to Barker, the elements of RBAC that make it suitable for use in the centralised case are not necessarily so relevant in a certain distributed computing
context ([3], p. 1:3).

● [Time and Triggered (Event-based) access:] Temporal authorisation enables Security Administrators to specify that a user's permission to access a resource is to hold for a restricted time interval and automatically expires as soon as the maximum time point in the interval has elapsed[6]. RBAC overlooked all the above merits and failed to definitely establish how this is to be catered for in the different temporal authorisation contexts in which certain resources would and should be accessed. For example, the UK Visa Border Agency grants visas to persons for a specific time interval specified in dates, and the resources that are accessible by the visa requester expire after that interval. Without temporal authorisation, ANSI RBAC is only feasible for fixed and always accessible resources, which tends not to be possible for all scenarios in real life. Clearly, the lack of temporal authorisation greatly reduces the expressiveness of the standard RBAC model. RBAC does not allow Security Administrators to express proactive specifications because of the lack of temporal constraints. In a distributed context, entities requesting information from a resource may not be known, and user authorisation may also change dynamically on the basis of the occurrence of a wider range of events other than the role and permission assignments used in RBAC[9]. RBAC is limited in expressing policies for a dynamic and distributed environment. This contributes to its limited expressive power.

● [No Spatial Control:] In the area of pervasive and ubiquitous computing, location information will be necessary to access certain kinds of information, given the growth of wireless networks and mobile devices like mobile phones, PDAs, etc. Spatial representation in RBAC is another head-on battle in which the implementer is the loser in this war in cyberspace.

3 Potential extensions of RBAC

For the shortcomings of the ANSI RBAC model shortlisted in Section 2, I will discuss the potential ways in which the ANSI RBAC model has soundly been extended to address the shortcomings:

Addressing vagueness in RBAC

● [Notion of Role:] According to Sandhu, roles in RBAC are (1) a set of users and (2) a set of permissions. This definition is a bit clearer because it at least keeps one of the most important keys of interest at any point in time, the set of permissions. The notion of role can be extended to include that a role is sometimes argued to be a set of privileges, while a group is a set of users.

● [Addressing hierarchy issues in RBAC:] The ANSI RBAC standard should distinctly clarify the difference between base relations and derived relations by allowing only one of user assignment and assigned users to be treated as a base relation, which is allowed to be updated by administrative functions. An auxiliary derived function can be used to specify other RBAC specifications. The Reference Model can maintain a relation that contains the role dominance relationships that have been added and update this relation when there are hierarchical changes in roles. The standard can take up the notion of private roles in RBAC role hierarchies. Secondly, inheritable and non-inheritable permissions should be taken into account to help resolve which permissions are deemed for inheritance by transitivity and which are not. Different organizational structures demand different solutions to RBAC's role hierarchies, but downward delegation of powers, either by grant or by transfer via the RBAC hierarchy based on task, would be desirable.
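The hierarchy questions raised in Section 2 (unconstrained upward permission inheritance, session-based role activation, and the semantics of SoD under inheritance) together with the non-inheritable permissions suggested above can be made concrete in code. The following Python model is an added example written for this edit; it is not code from the report or from any RBAC standard. The hospital roles, users and permissions are constructed, and the reading of static SoD as a constraint over a user's authorised roles (direct assignments plus everything inherited down the hierarchy) is an assumption of the example, chosen so that the constraint cannot be bypassed through a senior role.

```python
from collections import defaultdict


class RBAC:
    """Constructed hierarchical RBAC monitor: UA, PA, RH, sessions and SSD."""

    def __init__(self):
        self.ua = defaultdict(set)    # user -> directly assigned roles
        self.pa = defaultdict(dict)   # role -> {permission: inheritable?}
        self.rh = defaultdict(set)    # senior role -> its direct junior roles
        self.ssd = []                 # static SoD constraints: (role set, n)
        self.sessions = {}            # session id -> [user, set of active roles]

    # -- role hierarchy: the partial order of seniority --
    def juniors_of(self, role):
        """Every role that `role` dominates (transitive closure of senior-to)."""
        seen, stack = set(), [role]
        while stack:
            for junior in self.rh[stack.pop()]:
                if junior not in seen:
                    seen.add(junior)
                    stack.append(junior)
        return seen

    def add_inheritance(self, senior, junior):
        if senior == junior or senior in self.juniors_of(junior):
            raise ValueError("cycle would break the partial order")
        self.rh[senior].add(junior)

    def _closure(self, roles):
        return set(roles).union(*(self.juniors_of(r) for r in roles))

    # -- permissions: seniors acquire the permissions of juniors, except
    #    those granted as non-inheritable (private) permissions --
    def grant(self, role, perm, inheritable=True):
        self.pa[role][perm] = inheritable

    def role_permissions(self, role):
        perms = set(self.pa[role])
        for junior in self.juniors_of(role):
            perms |= {p for p, inh in self.pa[junior].items() if inh}
        return perms

    # -- users: juniors acquire the user membership of seniors --
    def authorized_roles(self, user):
        return self._closure(self.ua[user])

    def assign(self, user, role):
        # SSD is evaluated over authorised roles, so inherited roles count too
        roles = self._closure(self.ua[user] | {role})
        for conflict, n in self.ssd:
            if len(roles & conflict) >= n:
                raise ValueError(f"SSD violation for {user}: {sorted(roles & conflict)}")
        self.ua[user].add(role)

    # -- sessions: permissions flow only through explicitly activated roles --
    def create_session(self, sid, user):
        self.sessions[sid] = [user, set()]

    def activate(self, sid, role):
        user, active = self.sessions[sid]
        if role not in self.authorized_roles(user):
            raise PermissionError(f"{user} is not authorised for {role}")
        active.add(role)

    def check_access(self, sid, perm):
        return any(perm in self.role_permissions(r) for r in self.sessions[sid][1])


def build_demo():
    """Constructed hospital example; returns the observations discussed above."""
    r = RBAC()
    for senior, junior in [("chief", "doctor"), ("doctor", "nurse"), ("nurse", "staff")]:
        r.add_inheritance(senior, junior)
    r.grant("staff", "enter_building")
    r.grant("nurse", "record_vitals")
    r.grant("nurse", "use_nurse_lounge", inheritable=False)   # private to nurses
    r.grant("doctor", "prescribe")
    r.grant("pharmacist", "dispense")
    r.ssd.append(({"doctor", "pharmacist"}, 2))   # a prescriber must never dispense

    r.assign("alice", "doctor")
    r.assign("bob", "pharmacist")
    try:                                  # 'chief' dominates 'doctor', so SSD must bite
        r.assign("bob", "chief")
        ssd_blocked = False
    except ValueError:
        ssd_blocked = True

    r.create_session("s1", "alice")
    r.activate("s1", "nurse")             # a junior role only: no prescribe yet
    before = r.check_access("s1", "prescribe")
    r.activate("s1", "doctor")
    after = r.check_access("s1", "prescribe")
    return {
        "doctor_perms": r.role_permissions("doctor"),
        "nurse_perms": r.role_permissions("nurse"),
        "alice_roles": r.authorized_roles("alice"),
        "ssd_blocked_via_inheritance": ssd_blocked,
        "prescribe_with_nurse_only": before,
        "prescribe_after_doctor_active": after,
    }
```

Running `build_demo()` shows the three points at once: `doctor` acquires `record_vitals` and `enter_building` from its juniors but not the private `use_nurse_lounge`; assigning `chief` to the pharmacist is refused because `chief` dominates `doctor`, so checking SoD only against direct assignments would have let the conflict through; and within a session `prescribe` is granted only once `doctor` itself is activated, which is the answer this toy gives to the activation-transitivity question.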
Potential extensions to address the limited expressiveness

● [No Usage Control:] In UCONABC[1], the UCON model considers these temporal and consumed attributes as the mutable attributes of subjects or objects. The UCON model has unified traditional access control models and temporal access models with its ABC (Authorizations, Obligations and Conditions) core models. In TUCON[2], further work on both temporal and consumable authorisation was modelled to address the issue of privilege-consuming usage of digital objects in the global context. It extends the traditional usage control models with a temporal constraint. In terms of usage of a digital object, three attributes are required for authorisation in TUCON policy representation: (1) Time Interval, (2) Valid Period, (3) Usage Times[2].
Time Interval: It includes the starting and the ending time.
Valid Period: An access to a resource is allowed during the valid period of usage.
Usage Times: It is the maximum number of times an access to the object is allowed; after that, access is prohibited and revocation is carried out automatically by the system.
TUCON carries out revocation when (1) the time interval of the authorisation has expired and (2) the usage times reach zero during the ongoing usage of digital objects. TUCON can introduce temporal usage constraints into RBAC to address the issue of usage control in general. It would allow RBAC to also express time-based authorisations. A times authorisation is a 6-tuple. For example, an assertion (6, James, Sun, read, +, Bob) means that Bob authorizes the read privilege on the book Sun to James 6 times.

● [Limited Status Control:] In S. Barker et al[3], a distributed access control model based on status was modelled to address the issue of the one-type ascribed status and of static access policies, introduced as a bottleneck because of the centralised environment. The modelled status-based access control for distributed access control is called SBAC. It has a notion of an action status and an ascribed status ([3], page 1). The action status is captured through a history of events in relation to the user (requester). This history enables changing access policy requirements to be naturally resolved in a distributed environment ([3], p. 1). Barker points out an idea of status levels that are assigned to agents that request access to system resources (henceforth these agents are referred to as requester agents). These status levels change dynamically in response to the actions the requester agent performs[3]. Clearly SBAC can be introduced into the RBAC standard as an extension to confront the problems that the standard failed to address. SBAC is a formal, well-defined model and provides a basis for proving access control properties that satisfy an SBAC policy specification. It supports meta-policy specification and provides sanctioning in the form of automated penalization by action demotion.

● [Time and Triggered (Event-based) access:] In TRBACN[6], an approach based on ura and rpa specification can be used to model and introduce a temporal constraint into RBAC as an extension. TRBACN claims that, to specify a time interval for which a ura or rpa predicate holds, a conjunction of linear constraints on the time variable T is used. Illustratively, if a user U is assigned to a role R from a point in time 20091212 (YYYYMMDD) until some point in the future 20091218, then TRBACN will specify this using the ura predicate with the T conjunction as:
ura(u, r, T) <-- 20091212 <= T, T <= 20091218.
Conversely, that a role r has all the permissions P on a resource, books, from 20091112 to some point 20091201 in the future can be represented by the rpa predicate as:
rpa(r, P, books, T) <-- 20091112 <= T, T <= 20091201.
RBAC's role hierarchy is represented with a senior-to and a d-s relation. A role R1 in the senior-to relation with role R2, represented as senior-to(R1,R2), means that R2 inherits all the permissions of R1. A static policy specification is rarely common, which led TRBACN to resolve this problem. In TRBACN, user-role assignments and permission-role assignments are revoked by physical deletion of the appropriate
definitions of ura(U, R, T) and rpa(R, P, O, T) from an instance of a TRBACN theory. For audit purposes, it is quite necessary for some actions by certain privileged users to be tracked, like revocation of roles in TRBACN. TRBACN uses the terminated(A,T)¹ predicate to keep a history of the revocation of ura or rpa assignments ([7], p. 184). For example, if James' assignment to a role R is revoked on 20091113, then the defined ura(James,R,T) clause is removed physically and the assertion terminated(ura(James,R), 20091113) is added. On the other hand, if a read permission on an object o1 assigned to a role r1 is revoked on 20091218, it will be added as the assertion terminated(rpa(r1,read,o1), 20091218). Clearly, TRBACN seems the right recipe to solve temporal problems in the standard RBAC because of its clarity and simplicity as compared to other temporal models.

¹ In terminated(A,T), A is the ura or rpa assignment and T is the time of revocation of the ura or rpa assignment.

In DEBAC[9], a formal policy representation was modelled to address the issues of dynamic and distributed information systems using term rewrite systems. DEBAC is based fundamentally on the notion of events, which makes it more suitable for an autonomously changing context. In DEBAC, Bertolissi et al[9] defined an access to a resource as:

"A user u ∈ U is permitted to perform an action a ∈ A on a resource r ∈ R that is located at site s ∈ S if and only if u is assigned to a category c ∈ C to which an access on r has been assigned."

DEBAC supports the notion of role hierarchy in RBAC as a hierarchy of categorisation in which the privileges of a category can be inherited by another category via the category hierarchy. DEBAC accommodates the notion of the RBAC separation of duties constraint, as categories assigned to a user cannot be mutually exclusive. DEBAC claims to be sound as a good enhancement to the ANSI RBAC model to address the dynamic and distributed requirements of some computational context.

4 Conclusion

In this report, I explored Role-Based Access Control to the extent of its limitations but, more importantly, the enhancements made to rectify these limitations. Access control or authorization, in its broadest sense, has existed as a concept for as long as humans have had assets worth protecting. In today's information technology, authorization is concerned with the ways in which users can access resources in the computer system, or informally speaking, with "who can do what?", "when to do what?" and "why you did what?".

5 References

[1] Park, J. and Sandhu, R. 2004. The UCONABC Usage Control Model.
[2] B. Zhao, R. Sandhu, X. Zhang and X. Qin 2007. Towards a Time-Based Usage Control Model.
[3] Barker, S., Marek J. Sergot and Duminda Wijesekera 2008. Status-Based Access Control.
[4] S. H. Park, Y. J. Han and T. M. Chung 2006. Context-Role Based Access Control.
[5] S. Barker: Distributed Access Control: A Logic-Based Approach. V. Gorodetsky et al. (Eds.) MMM-ACNS 2003, LNCS 2776, pp. 217–228, © Springer-Verlag Berlin Heidelberg 2003.
[6] S. Barker: TRBACN: A Temporal Authorization Model. V.I. Gorodetski et al. (Eds.): MMM-ACNS 2001, LNCS 2052, pp. 178–188, 2001.
[7] Sandhu, R.: Role Hierarchies and Constraints for Lattice-Based Access Controls. In: European Symposium on Research in Security and Privacy (1996).
[8] Lampson, B.W.: Protection. 5th Princeton Symposium on Information Science and Systems, 1971. Reprinted in ACM Operating Systems Review, 8(1), 18–24 (1974).
[9] Clara Bertolissi, Maribel Fernandez, and Steve Barker. Dynamic Event-Based Access Control as Term Rewriting. 2007.
[10] Clara Bertolissi and Maribel Fernández 2008. Time and Location based services with Access Control.
[11] Sandhu, R., Ferraiolo, D. and Kuhn, R.: The NIST Model for Role-Based Access Control: Towards a Unified Standard. Proc. 4th ACM Workshop on Role-Based Access Control (2000) 47–61.
[12] Sandhu, R., Park, J.: Usage Control: A Vision for Next Generation Access Control. In: Models and Architectures for Computer Networks Security. The Second International Workshop on Mathematical Methods (2003).
[13] Indrakshi Ray, Mahendra Kumar, and Lijun Yu: LRBAC: A Location-Aware Role-Based Access Control Model. A. Bagchi and V. Atluri (Eds.): ICISS 2006, LNCS 4332, pp. 147–161, 2006.

ABOUT THE AUTHOR

He holds an MSc in Advanced Software Engineering from King's College London and a BSc in Computer Engineering from KNUST. He specialises in Access Control and Privacy Policies, Distributed Systems, Software Architecture and Software Technology.
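The TUCON attributes described in Section 3 (time interval, usage times, the 6-tuple times authorisation, and automatic revocation when the interval expires or the count reaches zero) can be exercised with a small monitor. This Python block is an added example for this edit, not code from the report or from the TUCON paper. It folds the valid period into the time interval, treats a "-" sign as a denial that overrides any "+" grant for the same subject, object and right (the report only states that RBAC lacks negative authorisation, so that precedence rule is an assumption here), and uses the report's James/Sun/Bob values plus constructed extra grants.

```python
from dataclasses import dataclass


@dataclass(eq=False)
class TimesAuthorization:
    """The report's 6-tuple (times, subject, object, right, sign, grantor)
    plus TUCON's time interval as YYYYMMDD integers, inclusive."""
    times: int
    subject: str
    obj: str
    right: str
    sign: str        # "+" authorises, "-" denies (deny-overrides is assumed here)
    grantor: str
    start: int
    end: int


class UsageMonitor:
    """Constructed TUCON-style monitor: each permitted usage consumes one
    count, and an authorisation is revoked automatically when its interval
    has expired or its usage times reach zero; revocations are kept for audit."""

    def __init__(self):
        self.live = []        # authorisations still in force
        self.revoked = []     # (authorisation, reason, time)

    def authorize(self, auth):
        if auth.times <= 0 or auth.start > auth.end:
            raise ValueError("usage times must be positive and the interval ordered")
        self.live.append(auth)

    def _revoke(self, auth, reason, now):
        self.live = [a for a in self.live if a is not auth]
        self.revoked.append((auth, reason, now))

    def request(self, subject, obj, right, now):
        """Decide one usage at time `now`; a permitted usage consumes one count."""
        matching = [a for a in self.live
                    if (a.subject, a.obj, a.right) == (subject, obj, right)]
        # (1) interval expired: revoke regardless of the remaining count
        for a in [a for a in matching if now > a.end]:
            self._revoke(a, "interval expired", now)
            matching.remove(a)
        in_window = [a for a in matching if a.start <= now]
        if any(a.sign == "-" for a in in_window):   # a denial wins outright
            return False
        for a in in_window:
            a.times -= 1                              # consume one usage
            if a.times == 0:                          # (2) usage times reached zero
                self._revoke(a, "usage times exhausted", now)
            return True
        return False


def build_demo():
    """Constructed run of the report's example: Bob authorises James to read
    the book Sun 6 times; the Moon and write grants are constructed extras."""
    m = UsageMonitor()
    m.authorize(TimesAuthorization(6, "James", "Sun", "read", "+", "Bob", 20091212, 20091218))
    m.authorize(TimesAuthorization(3, "James", "Moon", "read", "+", "Bob", 20091212, 20091218))
    m.authorize(TimesAuthorization(1, "James", "Sun", "write", "+", "Bob", 20091212, 20091218))
    m.authorize(TimesAuthorization(1, "James", "Sun", "write", "-", "Bob", 20091212, 20091218))
    reads = [m.request("James", "Sun", "read", 20091213) for _ in range(7)]
    write = m.request("James", "Sun", "write", 20091213)      # denial overrides the grant
    late = m.request("James", "Moon", "read", 20091219)       # one day past the interval
    return {
        "reads": reads,                 # six permitted, the seventh refused
        "write_denied": not write,
        "late_read": late,
        "revocations": [(a.obj, reason, t) for a, reason, t in m.revoked],
    }
```

The revocation list is the audit trail the report asks usage control to provide: it records that the Sun grant was exhausted on the sixth read and that the Moon grant expired unused when a request arrived after its interval, which a plain RBAC permission assignment cannot express.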
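The TRBACN clauses in Section 3, ura(u, r, T) <-- 20091212 <= T, T <= 20091218 and rpa(r, P, books, T) <-- 20091112 <= T, T <= 20091201, together with revocation by physical deletion and the terminated(A,T) audit predicate, translate directly into a small evaluator. The Python below is an added example for this edit, not code from the report or from Barker's TRBACN paper. The rule that derives a permission at time T from a ura and an rpa clause holding at the same T, and the extra journals/James/r1 clauses, are constructed assumptions; role hierarchy is left out so that nothing here depends on the direction of the senior-to relation.

```python
class TRBACNTheory:
    """Constructed TRBACN-style theory: ura/rpa clauses whose bodies are
    linear constraints on T (YYYYMMDD integers), plus terminated(A, T) facts."""

    def __init__(self):
        self.ura = {}          # (user, role) -> (lo, hi): ura(U,R,T) <-- lo<=T, T<=hi
        self.rpa = {}          # (role, perm, obj) -> (lo, hi)
        self.terminated = []   # terminated(A, T) assertions as (A, T)

    def assert_ura(self, user, role, lo, hi):
        self.ura[(user, role)] = (lo, hi)

    def assert_rpa(self, role, perm, obj, lo, hi):
        self.rpa[(role, perm, obj)] = (lo, hi)

    @staticmethod
    def _holds(interval, t):
        # YYYYMMDD integers compare in date order, so the two linear
        # constraints of the clause body are a plain range test
        return interval is not None and interval[0] <= t <= interval[1]

    def ura_holds(self, user, role, t):
        return self._holds(self.ura.get((user, role)), t)

    def rpa_holds(self, role, perm, obj, t):
        return self._holds(self.rpa.get((role, perm, obj)), t)

    def permitted(self, user, perm, obj, t):
        """Assumed derived rule: permitted(U,P,O,T) <-- ura(U,R,T), rpa(R,P,O,T)."""
        return any(self.ura_holds(u, r, t) and self.rpa_holds(r, perm, obj, t)
                   for (u, r) in self.ura if u == user)

    # revocation = physical deletion of the clause + a terminated(A, T) fact
    def revoke_ura(self, user, role, t):
        del self.ura[(user, role)]
        self.terminated.append((("ura", user, role), t))

    def revoke_rpa(self, role, perm, obj, t):
        del self.rpa[(role, perm, obj)]
        self.terminated.append((("rpa", role, perm, obj), t))

    def audit(self, kind):
        """All terminated(A, T) facts whose A is a ura or an rpa assignment."""
        return [(a, t) for a, t in self.terminated if a[0] == kind]


def build_demo():
    """Constructed run using the report's clauses and revocation examples."""
    th = TRBACNTheory()
    th.assert_ura("u", "r", 20091212, 20091218)      # ura(u, r, T) <-- 20091212<=T, T<=20091218
    th.assert_rpa("r", "read", "books", 20091112, 20091201)     # the report's rpa clause
    th.assert_rpa("r", "read", "journals", 20091201, 20091231)  # constructed, overlaps the ura
    books = th.permitted("u", "read", "books", 20091213)        # rpa already expired
    journals = th.permitted("u", "read", "journals", 20091213)
    too_late = th.permitted("u", "read", "journals", 20091219)  # ura expired
    # the report's revocation examples, with constructed clauses to revoke
    th.assert_ura("James", "R", 20091101, 20091231)
    th.assert_rpa("R", "read", "journals", 20091101, 20091231)
    before = th.permitted("James", "read", "journals", 20091110)
    th.revoke_ura("James", "R", 20091113)          # terminated(ura(James,R), 20091113)
    after = th.permitted("James", "read", "journals", 20091114)
    th.assert_rpa("r1", "read", "o1", 20091101, 20091231)
    th.revoke_rpa("r1", "read", "o1", 20091218)    # terminated(rpa(r1,read,o1), 20091218)
    return {"books": books, "journals": journals, "too_late": too_late,
            "james_before_revocation": before, "james_after_revocation": after,
            "ura_audit": th.audit("ura"), "rpa_audit": th.audit("rpa")}
```

Note that with the report's two clauses alone nothing is ever permitted, because the rpa interval ends on 20091201 before the ura interval starts on 20091212; the constructed journals clause is what makes the overlap visible. The audit lists are exactly the terminated assertions the report describes, and they survive the physical deletion of the clauses they record.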