The GURAG Administrative Model for User and Group Attribute Assignment
Maanak Gupta and Ravi Sandhu
Department of Computer Science, Institute for Cyber Security
Prof. Ravi Sandhu, Executive Director and Endowed Chair
10th International Conference on Network and System Security (NSS), September 28-30, 2016
ravi.sandhu@utsa.edu
www.profsandhu.com
© Ravi Sandhu World-Leading Research with Real-World Impact! 1
Attribute Based Access Control (ABAC)
- Attribute Based Access Control
  - requires attributes of entities to make access control decisions.
  - provides flexible and fine-grained access control.
  - needs attributes (characteristics of entities) to be assigned by security administrators before access policies can be enforced.
- Several models have been developed:
  - ABACα model [DBSec12]
  - Attribute based encryption (ABE) [CCS06]
  - Logical Based Framework for ABAC [FMSE04]
  - Attribute based AC for web services [ICWS'05]
  - Guide to ABAC Definitions and Considerations [NIST SP 800-162]
  - etcetera!!
ABAC Administration
GURA (Single User, Single Attribute Value Assignment)
[Figure: a GURA administrative rule. Who? (the administrative role), Prerequisite Condition (the user must satisfy the condition), Attribute Value (the value to assign or delete). Each rule authorizes assigning or deleting one attribute value for one user at a time.]
Redefined HGABAC
U: User
UG: User-Group
S: Subject
UA: User Attributes
O: Object
OG: Object-Group
OA: Object Attributes
OP: Operation (Actions)
- [Servos et al] proposed the Hierarchical Group and Attribute based Access Control (HGABAC) operational model
  - Introduces the notion of User and Object Groups
  - Core advantage is simplified administration of attributes
  - Users and Objects are assigned a set of attributes in one go, as compared to a single assignment at a time.
Example User-Group Hierarchy
- Senior groups inherit attributes from junior groups
- Graduate group (G) is senior to CSD and UN
  - G inherits attributes from both CSD and UN
  - example: the 'univId' and 'college' attributes of G are inherited from UN and CSD
- A user assigned to group G will have its direct attributes and the attributes from G
GURAG Administrative Model
This paper proposes the first administrative model for the HGABAC model, referred to as GURAG.
GURAG Sub Models:
- UAA: User Attribute Assignment
- UGAA: User Group Attribute Assignment
- UGA: User to User-Group Assignment
User Attribute Assignment (UAA)
- Example UAA rules (each rule is a triple: Administrative Role | Prerequisite Condition | Allowed values)
Rule 1: Administrative Role DeptAdmin (or senior) can add any value in {TA, Grader} to user attribute 'jobTitle' if the user's 'studType' attribute includes the 'Grad' value.
Common Policy Expression Language:
EXPR(UA) in UAA:
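Rule 1 above, checked in code. This is an added example, not code from the paper: the administrative role hierarchy (UnivAdmin above CollegeAdmin above DeptAdmin), the sample users and the prerequisite predicate form are constructed here, and only the rule's own role, attribute, allowed values and 'studType includes Grad' condition come from the slide.

```python
from typing import Callable
from dataclasses import dataclass

# Constructed administrative role hierarchy: role -> roles immediately
# junior to it. A senior role can do whatever its junior roles can do,
# which is what "DeptAdmin (or senior)" in Rule 1 relies on.
ADMIN_JUNIORS = {
    "UnivAdmin": {"CollegeAdmin"},
    "CollegeAdmin": {"DeptAdmin"},
    "DeptAdmin": set(),
}


def is_senior_or_equal(role: str, required: str) -> bool:
    """True if `role` is `required` or sits above it in ADMIN_JUNIORS."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r == required:
            return True
        if r not in seen:
            seen.add(r)
            stack.extend(ADMIN_JUNIORS.get(r, ()))
    return False


@dataclass(frozen=True)
class CanAddRule:
    admin_role: str                      # minimum administrative role
    prereq: Callable[[dict], bool]       # EXPR(UA): predicate on user attributes
    attr: str                            # user attribute being administered
    allowed: frozenset                   # values this rule may add


# Rule 1 from the slides, written in the form this example uses.
RULE_1 = CanAddRule(
    admin_role="DeptAdmin",
    prereq=lambda ua: "Grad" in ua.get("studType", set()),
    attr="jobTitle",
    allowed=frozenset({"TA", "Grader"}),
)


def can_add(rules, admin_role: str, user_attrs: dict, attr: str, value) -> bool:
    """Authorize adding `value` to the user's `attr` if some rule permits it:
    the rule must cover this attribute and value, the acting role must be the
    rule's role or senior to it, and the user must satisfy the prerequisite."""
    return any(
        rule.attr == attr
        and value in rule.allowed
        and is_senior_or_equal(admin_role, rule.admin_role)
        and rule.prereq(user_attrs)
        for rule in rules
    )


def add_value(rules, admin_role: str, user_attrs: dict, attr: str, value) -> dict:
    """Apply the assignment only when authorized; returns updated attributes
    without mutating the input."""
    if not can_add(rules, admin_role, user_attrs, attr, value):
        raise PermissionError(f"{admin_role} may not add {value!r} to {attr!r}")
    updated = {a: set(v) for a, v in user_attrs.items()}
    updated.setdefault(attr, set()).add(value)
    return updated


# Constructed sample users; only the studType values matter to Rule 1.
GRAD_USER = {"studType": {"Grad"}, "jobTitle": set()}
UNDERGRAD_USER = {"studType": {"UnderGrad"}, "jobTitle": set()}
```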
User Group Attribute Assignment (UGAA)
- Example UGAA rules
EXPR(UA) in UGAA:
User to User-Group Assignment (UGA)
EXPR(UA ∪ UG) in UGA:
Example UGA canAssign rules:
Example UGA canRemove rules:
User to User-Group Assignment (UGA)
[Figure: (1) the user's direct attributes: studId: {abc12}, skills: {c,java}, roomAcc: {1.2}. (2) DeptAdmin (or senior) assigns the user to GRADUATE GROUP (G) through UGA; G's effective attributes: studType: {Grad}, roomAcc: {2.03, 2.04, 3.02}, userType: {student}, college: {COS}, univId: {12345}. (3) the user's direct & effective attributes after assignment: studId: {abc12}, skills: {c,java}, roomAcc: {1.2, 2.03, 2.04, 3.02}, studType: {Grad}, userType: {student}, college: {COS}, univId: {12345}.]
Here the user has been assigned a set of attributes through membership in group G, instead of by single attribute assignments, making attribute administration easier.
GURAG Model Extensions
- Weak Removal versus Strong Removal
  - Weak removal will not impact implicit membership
    o After removal from CSD, the user still inherits the attributes of CSD through G.
  - Strong removal will remove both explicit and implicit memberships
    o The user will be removed from G if removed from CSD and authorized by rules.
GURAG Model Extensions
- Inherited Value Deletion in User
  Deleting an inherited value from a user will require removing the user's membership from all the user groups from which the value is inherited.
  [Figure: an ADMIN ROLE invokes canDelete 'univId' on the USER (1); the user's membership in the groups that supply 'univId' is removed (2).]
- Inherited Value Deletion in User Group
  Deleting an inherited value from a user group will require the deletion of the value from all the junior groups which have the value directly assigned.
  [Figure: GROUP (G3), whose effective attributes combine those of G1 and G2, has effective attributes studType: {Grad}, roomAcc: {2.03, 2.04, 3.02}, userType: {student}; GROUP (G1) directly assigns roomAcc: {2.04, 3.02}, userType: {student}; GROUP (G2) directly assigns roomAcc: {2.03}, userType: {student}. canDelete 'userType' on G3 (1) requires deleting userType from both G1 and G2 (2).]
Note: Administrative Rules must exist to authorize operations.
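An added example, not the paper's own code, that puts the group-hierarchy inheritance of the Example User-Group Hierarchy and UGA slides, the Weak versus Strong Removal extension and both Inherited Value Deletion cases into one small Python model. It assumes a constructed split of G's attributes between UN, CSD and G (the slides only say univId comes from UN and college from CSD), and it assumes the canRemove/canDelete administrative rules that must authorize each operation are satisfied.

```python
# Added example, not the paper's code. Group attribute data below is
# constructed; the administrative rule checks (canRemove, canDelete) that
# GURAG requires before any of these operations are assumed to pass.


class Hierarchy:
    def __init__(self):
        self.direct = {}   # group -> {attr: set(values)} assigned directly
        self.juniors = {}  # group -> immediate junior groups it inherits from

    def add_group(self, name, **attrs):
        self.direct[name] = {a: set(v) for a, v in attrs.items()}
        self.juniors[name] = set()

    def all_juniors(self, group):
        """Transitive closure of the groups below `group`."""
        seen, stack = set(), list(self.juniors[group])
        while stack:
            g = stack.pop()
            if g not in seen:
                seen.add(g)
                stack.extend(self.juniors[g])
        return seen

    def effective(self, group):
        """Senior groups inherit the attributes of their junior groups."""
        eff = {}
        for g in {group} | self.all_juniors(group):
            for a, v in self.direct[g].items():
                eff.setdefault(a, set()).update(v)
        return eff

    def delete_value(self, group, attr, value):
        """Inherited value deletion in a user group: delete it from every junior."""
        for g in {group} | self.all_juniors(group):
            self.direct[g].get(attr, set()).discard(value)
        return value not in self.effective(group).get(attr, set())


class User:
    def __init__(self, **attrs):
        self.direct = {a: set(v) for a, v in attrs.items()}
        self.groups = set()  # explicit memberships made through UGA

    def implicit_groups(self, h):
        """Groups the user belongs to only through a senior group."""
        return set().union(*(h.all_juniors(g) for g in self.groups))

    def effective(self, h):
        """Direct attributes plus the effective attributes of each group."""
        eff = {a: set(v) for a, v in self.direct.items()}
        for g in self.groups:
            for a, v in h.effective(g).items():
                eff.setdefault(a, set()).update(v)
        return eff

    def weak_remove(self, group):
        """Drop the explicit membership only; implicit membership stays."""
        self.groups.discard(group)

    def strong_remove(self, h, group):
        """Also drop every senior group that keeps the user an implicit member."""
        for g in list(self.groups):
            if g == group or group in h.all_juniors(g):
                self.groups.discard(g)

    def delete_inherited(self, h, attr, value):
        """Inherited value deletion in a user: leave every group supplying it."""
        for g in list(self.groups):
            if value in h.effective(g).get(attr, set()):
                self.groups.discard(g)
        return value not in self.effective(h).get(attr, set())


def build_example():
    """Constructed instance of the slides: G senior to CSD and UN, user in G."""
    h = Hierarchy()
    h.add_group("UN", univId={"12345"}, userType={"student"})
    h.add_group("CSD", college={"COS"}, roomAcc={"2.03", "2.04", "3.02"})
    h.add_group("G", studType={"Grad"})
    h.juniors["G"] |= {"CSD", "UN"}
    u = User(studId={"abc12"}, skills={"c", "java"}, roomAcc={"1.2"})
    u.groups.add("G")
    return h, u
```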
Discussions and Future Work
- Advantage:
  - Simplified distributed attribute administration.
  - RBAC advantages inherited.
- Limitations:
  - Cascading pre-assignment of attributes may lead to the assignment of some values that are not essentially required by the entity.
  - UGA may require multiple pre-assignments to junior groups in order to assign a senior group, though the same inheritance can be achieved by senior group membership alone.
- Future Work:
  - Reachability Analysis for GURAG
  - User and Object Group hierarchy administration.
  - Attribute based User and Group attribute management.
Institute for Cyber Security