Architectures and Models for Administration of User-Role Assignment in Role Based Access Control Venkata Bhamidipati PhD Dissertation

Upload: marissa-hunter

Post on 26-Mar-2015


Architectures and Models for Administration of User-Role Assignment in Role Based Access Control

Venkata Bhamidipati

PhD Dissertation


Presentation Outline

• Introduction
• Decentralized user-role assignment (URA97)
• ASCAA principles
• Self service role assignment (SSRBAC08)
• Conclusions
• Contributions
• Future work
• Publications


Introduction

• Principal motivation of RBAC is to simplify administration.

• Using RBAC to manage itself is an appealing possibility

• Three components in administration of RBAC
  • user-role, permission-role, role-role

• Focus of this work is on user-role administration


Introduction: Problem Statement

• In large systems administration is a big task.
• Frequent changes to
  • user-role assignment
    – roles: 100s or 1000s
    – users: 1000s or 10,000s or more
• Less frequent changes for
  • role hierarchy
• Need for decentralization and automation of user-role assignment
• Early part of this work focuses on decentralization (URA97). Later part on automation (SSRBAC08)


Introduction: Contributions

• URA97 model for user role assignment
  – Related work: Munawer 99, Oh 2002
• PRA97 for permission role assignment
• URA97 proof of concept implementation in Oracle
  – Related work: Ahn & Sandhu 98, 01; Sandhu & Park 98
• Push model for user assignment in distributed systems
  – Related work: Dekker 2008
• ASCAA principles for next generation RBAC
• Framework for self service assignment (SSRBAC08)
  – Related work: Khatani 2004


Introduction: RBAC96

[Figure: RBAC96 model diagram showing USERS, ROLES, PERMISSIONS, ADMIN ROLES, ADMIN PERMISSIONS, Sessions and Constraints, with URA97 and SSRBAC08 marked on the diagram]


Introduction: OM-AM

[Figure: OM-AM framework. Layers: Objectives, Architecture, Model, Mechanism, running from "What?" to "How?", with Assurance alongside. Annotations: Decentralization and Automation; URA97, PRA97, SSRBAC08; Push Model for URA97; Oracle Stored Procedures]


User Role Assignment (URA97)

• Model to administer user-role assignment
• Decentralizes user-role administration
• Members of administrative roles perform assignment and revocation operations


Example Role Hierarchy

[Figure: example role hierarchy. Common roles: Employee (E), Engineering Department (ED), Director (DIR). PROJECT 1: Engineer 1 (E1), Production 1 (P1), Quality 1 (Q1), Project Lead 1 (PL1). PROJECT 2: Engineer 2 (E2), Production 2 (P2), Quality 2 (Q2), Project Lead 2 (PL2)]


Example Administrative Role Hierarchy

[Figure: example administrative role hierarchy with Senior Security Officer (SSO), Department Security Officer (DSO), Project Security Officer 1 (PSO1) and Project Security Officer 2 (PSO2)]


URA97 Grant Model: can-assign

• Imposes restrictions on which users can be added to a role by whom
• The can-assign relation
  • can-assign (x,y,{a,b,c})
    – a member of administrative role x (or senior to x) can assign a user whose current membership, or non-membership, in regular roles satisfies the prerequisite condition y to be a member of regular roles a, b or c
• The prerequisite condition is a boolean expression on terms of the form z(u) where z(u) is a boolean function with the same name as role z which evaluates to true if user u is a member of role z and evaluates to false otherwise


URA97 Grant Model: can-assign

• Alice is a member of admin role PSO1
  – She can assign a user regular role E1, if the user satisfies condition of having membership in role ED
  – She can assign a user regular role Q1, if the user satisfies condition of having membership in ED and not having P1
  – She can assign a user regular role PL1, if the user satisfies condition of having membership in P1 and Q1
• Bob is a member of admin role DSO
  – He can assign a user regular roles in the range (ED, DIR), if the user satisfies condition of having membership in role ED


URA97 Grant Model

• “redundant” assignments to senior and junior roles
  • are allowed
  • are useful


URA97 Revoke Model: can-revoke

• The can-revoke relation
  • can-revoke (x,Y), where Y is the range of revocation: a member of the administrative role x (or senior to x) can revoke membership of a user from any regular role y ∈ Y.
• Weak revocation
  • revokes explicit membership in a role
  • independent of who did the assignment
• Strong revocation
  • revokes explicit membership in a role and its seniors
  • authorized only if corresponding weak revokes are authorized
  • alternatives
    – all-or-nothing, revoke within range


URA97 Revoke Model: can-revoke

Admin Role | Role Range
PSO1 | [E1,PL1)
PSO2 | [E2,PL2)
DSO | (ED,DIR)
SSO | [ED,DIR]
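The can-assign rules given for Alice and Bob and the can-revoke ranges in the table above can be checked mechanically. The following Python sketch is an added example, not code from the dissertation or its Oracle implementation. The hierarchy edges and the reading of z(u) as explicit-or-inherited membership are assumptions (the slide text lists the roles but not the diagram's edges); strong revocation is shown in its all-or-nothing form.

```python
# Added example: URA97 can-assign / can-revoke checks over the slides' roles.
# ASSUMPTION: the edges below follow the usual URA97 figure; the slide text
# lists the roles but the diagram's edges did not survive extraction.
JUNIORS = {  # role -> immediate junior roles
    "DIR": {"PL1", "PL2"}, "PL1": {"P1", "Q1"}, "PL2": {"P2", "Q2"},
    "P1": {"E1"}, "Q1": {"E1"}, "P2": {"E2"}, "Q2": {"E2"},
    "E1": {"ED"}, "E2": {"ED"}, "ED": {"E"}, "E": set(),
}
ADMIN_JUNIORS = {"SSO": {"DSO"}, "DSO": {"PSO1", "PSO2"},
                 "PSO1": set(), "PSO2": set()}

def geq(h, a, b):
    """True if role a is senior to or equal to role b in hierarchy h."""
    return a == b or any(geq(h, j, b) for j in h[a])

def in_range(role, rng):
    """rng uses the slides' notation, e.g. '[E1,PL1)' or '(ED,DIR)'."""
    lo, hi = rng[1:-1].split(",")
    ok = geq(JUNIORS, role, lo) and geq(JUNIORS, hi, role)
    return ok and (rng[0] == "[" or role != lo) and (rng[-1] == "]" or role != hi)

def member(ua, z):
    """z(u): explicit membership in z or in a role senior to z (assumption)."""
    return any(geq(JUNIORS, r, z) for r in ua)

# (admin role, prerequisite condition, role range), from the Alice/Bob slide.
CAN_ASSIGN = [
    ("PSO1", lambda ua: member(ua, "ED"), "[E1,E1]"),
    ("PSO1", lambda ua: member(ua, "ED") and not member(ua, "P1"), "[Q1,Q1]"),
    ("PSO1", lambda ua: member(ua, "P1") and member(ua, "Q1"), "[PL1,PL1]"),
    ("DSO", lambda ua: member(ua, "ED"), "(ED,DIR)"),
]
CAN_REVOKE = [("PSO1", "[E1,PL1)"), ("PSO2", "[E2,PL2)"),
              ("DSO", "(ED,DIR)"), ("SSO", "[ED,DIR]")]

def can_assign(admin_roles, user_ua, target):
    """admin_roles: assignor's admin roles; user_ua: assignee's explicit roles."""
    return any(geq(ADMIN_JUNIORS, a, x) and cond(user_ua) and in_range(target, rng)
               for a in admin_roles for x, cond, rng in CAN_ASSIGN)

def can_weak_revoke(admin_roles, target):
    return any(geq(ADMIN_JUNIORS, a, x) and in_range(target, rng)
               for a in admin_roles for x, rng in CAN_REVOKE)

def can_strong_revoke(admin_roles, user_ua, target):
    """Authorized only if every implied weak revoke is authorized
    (the all-or-nothing alternative named on the slide)."""
    hit = [r for r in user_ua if geq(JUNIORS, r, target)]
    return all(can_weak_revoke(admin_roles, r) for r in hit)
```

A PSO1 member can weakly revoke E1 but cannot strongly revoke it from a user who also holds PL1, because PL1 lies outside [E1,PL1).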


Introduction: Contributions

• URA97 model for user role assignment
  – Related work: Munawer 99, Oh 2002
• PRA97 for permission role assignment
• URA97 proof of concept implementation in Oracle
  – Related work: Ahn & Sandhu 98, 01; Sandhu & Park 98
• Push model for user assignment in distributed systems
  – Related work: Dekker 2008
• ASCAA principles for next generation RBAC
• Framework for self service assignment (SSRBAC08)
  – Related work: Al-Khatani 2004


ASCAA Principles

• RBAC96 based on four foundation principles
  • Abstraction of privileges
  • Separation of administrative functions
  • Least privilege
  • Separation of duty

• Manual intervention in RBAC administration is cumbersome

• New concepts like usage control, rate limits have gained traction

• Accountability is receiving renewed interest


ASCAA Principles

• Abstraction
  • Remains unchanged from RBAC96
• Separation of Administrative functions
  • Remains unchanged from RBAC96
• Containment
  • Subsumes least privilege, separation of duties
  • Includes usage control, rate limits
• Automation
  • Assignment, revocation
• Accountability
  • Re-authentication, obligations, notification and alerts


Self Service User Assignment (SSRBAC08)

• URA97 requires administrative effort
• Simplify administration
• A framework for self service user assignment
• Based on ASCAA principles


SSRBAC08 contd..

• Modifies RBAC96
• Constraints are classified into four categories
  • Assignment Criteria
  • Administrative Criteria
  • Usage Criteria
  • Revocation Criteria
• Role attributes hold criteria


SSRBAC08 contd..

[Figure: SSRBAC08 Framework. Components: Users (U), Roles (R), Sessions (S), User Assignment (UA), Role Hierarchy (RH), with Administrative Criteria, Assignment Criteria, Usage Criteria and Revocation Criteria attached; edges labelled "users" and "roles"]


SSRBAC08 contd..

• Assignment Criteria (AC)
  • Defines criteria that need to be satisfied by assignee for role assignment
  • Example criteria include
    – membership or non membership in roles, approvals, obligations, cardinality limits, rate limits
• Administrative Criteria (ADC)
  • Defines criteria that control administrative functions
  • Example criteria include
    – people who are allowed to grant the role, specify if self assignment is allowed, rate limits, approvals, obligations


SSRBAC08 contd..

• Usage Criteria (UC)
  • Defines criteria that control role usage
  • Example criteria include
    – environmental conditions, temporal limits, rate limits, dynamic separation of duties, cardinality limits, approvals, obligations
• Revocation Criteria (RC)
  • Defines criteria that control role revocation
  • Example criteria include
    – role expiration and time limits, approvals, obligations


Example Hierarchy

[Figure: example role hierarchy. Roles shown: EMP (E), Consultant (C), Manager (M), HR Manager (HRM), Vice President (VP), HR VP, Support VP, Sales VP, ENG VP, Sales Director (SD), Sales Rep (SREP), Director (Dir), Engineering Department (ED), Engineer 1 (E1), Production Engineer 1 (PE1), Quality Engineer 1 (QE1), Project Lead 1 (PL1), Engineer 2 (E2), Production Engineer 2 (PE2), Quality Engineer 2 (QE2), Project Lead 2 (PL2), Support Director (SUD), Support Department (SD), Support Engineer (SE1), Support Analyst (SA1), Support Lead 1 (SL1), Support Engineer (SE2), Support Analyst (SA2), Support Lead 2 (SL2)]


SSRBAC08 Example

ADC for Role E1
1. Users who have consultant role can perform self assignment.
2. Members with PL1 or higher role can assign E1 role to others.
3. Only 2 assignments in a day can be made by members of roles junior to Eng VP role.
4. No more than 20 assignments of this role per week.
5. There is a cardinality limit of 30 members for users with consultant role.
6. To override cardinality rule need an approval from Eng VP.
7. Members with Dir or higher can perform revocation.

AC for Role E1
1. Assignee should have role EMP and not belong to E2.
2. Approval of Dir or higher needed to override prerequisite condition.
3. Assignee should not have exceeded 5 self assignment operations in the current month.
4. Obligation to complete mandatory system training 5 days from assignment.


SSRBAC08 Example

UC for Role E1
1. Cannot activate if E2 is active.
2. Extranet activation allowed if role C is active.
3. Activation of role allowed from extranet only during 9 AM-5 PM Mon-Fri.

RC for Role E1
1. Revoke if assignment obligations are not met.
2. Revoked 1 year from assignment date.
3. Need extension approval from Dir or above to override 1 year rule.
4. Revocation if no activation in 3 months period.
5. Self revoke requires Dir approval.
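The usage and revocation criteria listed above for role E1 can be evaluated as plain policy checks. This Python sketch is an added example, not part of the SSRBAC08 framework itself. The function names, reading UC rule 2 as "extranet activation requires role C to be active", the 5 PM end being exclusive, and the day counts used for "1 year" and "3 months" are all assumptions.

```python
# Added example: evaluating the slide's UC and RC rules for role E1.
from datetime import datetime, timedelta

def may_activate_e1(active_roles, from_extranet, now):
    """Usage Criteria (UC) rules 1-3. Returns (allowed, reason)."""
    if "E2" in active_roles:                       # UC1: dynamic separation from E2
        return False, "E2 is active"
    if from_extranet:
        if "C" not in active_roles:                # UC2 (assumed: C is required)
            return False, "extranet requires active role C"
        # UC3: Mon-Fri, 9 AM to 5 PM (end treated as exclusive: assumption)
        if now.weekday() > 4 or not (9 <= now.hour < 17):
            return False, "outside extranet hours"
    return True, "ok"

def revocation_due(assigned, last_activation, training_done, now,
                   extension_approved=False):
    """Revocation Criteria (RC) rules 1-4. Returns the list of reasons that apply."""
    reasons = []
    # RC1 with AC4: training obligation is due 5 days after assignment.
    if not training_done and now > assigned + timedelta(days=5):
        reasons.append("obligation not met")
    # RC2/RC3: expires after 1 year (365 days assumed) unless Dir or above
    # approved an extension.
    if now >= assigned + timedelta(days=365) and not extension_approved:
        reasons.append("expired")
    # RC4: no activation in 3 months (90 days assumed); a role that was never
    # activated is measured from its assignment date.
    reference = last_activation or assigned
    if now - reference > timedelta(days=90):
        reasons.append("inactive")
    return reasons
```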


URA97 in SSRBAC08: Prerequisite Conditions

Role | ADC | AC
ED | Assignor needs to have SSO | Assignee needs to have E
E1 | Assignor needs to have PSO1 or senior | Assignee needs to have ED
PE1 | Assignor needs to have PSO1 or senior | If assignor is PSO1 then assignee should have ED and not have QE1. If assignor is DSO or higher then assignee should have ED.
QE1 | Assignor needs to have PSO1 or senior | If assignor is PSO1 then assignee should have ED and not have PE1. If assignor is DSO or higher then assignee should have ED.
PL1 | Assignor needs to have PSO1 or senior | If assignor is PSO1 then assignee should have QE1 and PE1. If assignor is DSO or higher then assignee should have ED.
DIR | Assignor needs to have SSO | Assignee needs to have ED


URA97 in SSRBAC08: Revocation

Role | ADC
ED | SSO or higher can revoke
E1 | PSO1 or higher can revoke
PE1 | PSO1 or higher can revoke
QE1 | PSO1 or higher can revoke
E2 | PSO2 or higher can revoke
PE2 | PSO2 or higher can revoke
QE2 | PSO2 or higher can revoke
PL1 | DSO or higher can revoke
PL2 | DSO or higher can revoke
DIR | SSO or higher can revoke


Conclusions

• RBAC can be used to manage itself
• URA97 model allows user-role assignment to be decentralized
• URA97 is viable
  • Proof of concept implementation in Oracle
• SSRBAC08 framework allows self service assignment to be realized
• Related Work
  • URA97 implementations on other platforms (NT, Unix, and Web)
  • URA02
  • Attribute Based RBAC


Contributions

• URA97
  • One of the earliest RBAC administrative models
  • Decentralizes user-role assignment
  • Needs administrative roles.
• PRA97
  • Dual of URA97
  • Decentralizes permission-role assignment
• Implemented URA97 in Oracle
  • Proof of concept implementation


Contributions

• Push Model
  • Deals with user-role assignment in distributed systems.
  • Global hierarchy is maintained in a centralized location
  • Pushes assignment and revocation information to local systems
• ASCAA Principles
  • Extend RBAC foundation principles
  • Containment includes SOD, least privilege and usage control
  • Automation and accountability are introduced


Contributions

• SSRBAC08
  • Framework for self service user-role assignment built on ASCAA principles.
  • Modifies RBAC96 by classifying constraints into four categories
  • Assignment and Administrative Criteria determine assignment policy
  • Usage Criteria determines usage policy
  • Revocation and Administrative Criteria determine revocation policy


Future Work

• Policy Language for SSRBAC08 criteria
• Extend Attribute based RBAC to use
• How to model RORBAC in SSRBAC08 framework


Publications

• Ravi Sandhu and Venkata Bhamidipati, "The URA97 Model for Role-Based User-Role Assignment", IFIP11.3 1997.
• Ravi Sandhu, Venkata Bhamidipati, Edward Coyne, Srinivas Ganta and Charles Youman, "The ARBAC97 Model for Role-Based Administration of Roles: Preliminary Description and Outline", ACM RBAC 1997.
• Ravi Sandhu and Venkata Bhamidipati, "An Oracle Implementation of the PRA97 Model for Permission-Role Assignment", ACM RBAC 1998.
• Ravi Sandhu, Venkata Bhamidipati and Qamar Munawer, "The ARBAC97 Model for Role-Based Administration of Roles", ACM Transactions on Information and Systems Security (TISSEC), Volume 2, Number, February 1999.
• Ravi Sandhu and Venkata Bhamidipati, "Role-Based Administration of User-Role Assignment: The URA97 Model and its Oracle Implementation", Journal of Computer Security, Volume 7, 1999.
• Venkata Bhamidipati and Ravi Sandhu, "Push Architectures for User-Role Assignment", NISSC 2000.
• Ravi Sandhu and Venkata Bhamidipati, "The ASCAA Principles for Next-Generation Role-Based Access Control", Proc. 3rd International Conference on Availability, Reliability and Security (ARES), 2008.
