Authorization in Trust Management Conditional Delegation and Attribute-Based Role Assignment using XACML and RBAC Brian Garback © Brian Garback 2005


Page 1: Title

Authorization in Trust Management: Conditional Delegation and Attribute-Based Role Assignment using XACML and RBAC

Brian Garback

© Brian Garback 2005

Page 2: Authorization in Trust Management

Trust Management System:
– Architecture to maintain privacy and security of medical data
– Control access within and across domains

Authorization
– Policy Definition
– Policy Enforcement

[Figure: trust management architecture. Components: Hospital Portal; Policy Enforcement Filter; Web Services and Data Repository (Medical Imagery Web Service, Medical Record Web Service, Demographic Web Service, Medical Data Database, Demographic Database); Attribute Service; XACML Policy Database; SAML Authorization Web Service (Policy Decision Point). Labelled flows: Data Request, SAML ID Token, XACML Authorization Request, XACML Authorization Response.]

Page 3: Talk Outline

– RBAC Introduction
– XACML Introduction
– XACML Profile for RBAC
– Enhancements to RBXACML
  – Attribute-Based Role Assignment
  – Conditional Delegation of Permission


Page 5: Role-Based Access Control

[Figure: Users → Roles → Permissions. Roles: Physician, Nurse, Patient, Admin. Permissions: Read Medical Record, Write Prescription, Write Medical Record, Read Prescription.]

Page 6: Hierarchical RBAC

[Figure: Users → Roles → Permissions with a role hierarchy. Roles: Hospital User, Physician, Patient, Orthopedist, Surgeon. Permissions: Operate, Perform X-Ray, Write Prescription, Read Prescription, Read Demographics.]


Page 8: XACML from

XML extension language to specify and enforce authorization policy

XACML 2.0 approved Feb 2005

XACML provides:
– Standard security policy language
– Policy combination
– Conditional context-aware access control

Page 9: XACML System Design

[Figure: XACML system design, a numbered flow 1–7 among the Policy Administration Point (PAP), Policy Enforcement Point (PEP), Policy Decision Point (PDP), Policy Information Point (PIP) and the Resource. Labelled messages: Access Request, XACML Request, XACML Response, Attribute Request (twice), Policy, Access.]

Page 10: XML Structure

[Figure: XACML document structure exchanged among PEP, PAP and PDP.]

Request (PEP):
  <Request>
    <Subject> <Attribute> <Attribute> <Attribute>
    <Resource> <Attribute> <Attribute> <Attribute>
    <Action> <Attribute> <Attribute> <Attribute>

Policies (PAP):
  <PolicySet>
    <PolicySet> ...
    <Policy>
      <Target>
        <Subjects> <Resources> <Actions>
      <Rule> <Rule> <Rule>
        <Target>
          <Subjects> <Resources> <Actions>
        <Condition>
          <Apply> <Apply> <Apply>

Response (PDP):
  <Response>
    <Result>
      <Decision>
      <Status>

Evaluation (PDP): COMPARE REQUEST vs. POLICIES: for all applicable policies, for all applicable rules, evaluate the condition; combine rule results; combine policy results; return RESULT.


Page 12: XACML Profile for RBAC

Draft v2.0 approved Sept. 2004

Contents:
– Assigning and Enabling Role Attributes
– Core and Hierarchical RBAC implementation
– Access Control

Page 13: RBXACML Policies

Role Assignment Policy Set (RAPS)
– Enables roles for users

Permission Policy Set (PPS)
– Associates permissions with roles

Role Policy Set (RPS)
– Associates enabled roles with a PPS

Three Employee-Manager Examples

Page 14: Role Assignment Example

Subjects and roles in this example: subject-id = Seth, subject-id = Steve; role = employee, role = manager.

Role Assignment <Policy>
  Employee Role <Rule>
    <Target>
      <Subjects> subject-id = Seth || subject-id = Anne
      <Resources> role = employee
      <Actions> action = enableRole
    <Condition> 9h < current-time < 17h
  Manager Role <Rule>
    <Target>
      <Subjects> subject-id = Steve
      <Resources> role = manager
      <Actions> action = enableRole

<Request>
  <Subject> subject-id = Seth
  <Resource> role = employee
  <Action> action-id = enableRole

<Request>
  <Subject> subject-id = Steve
  <Resource> role = manager
  <Action> action-id = enableRole

PDP

<Result>
  <Decision> Permit

Page 15: Manager Permission Example

Subjects and roles in this example: subject-id = Seth, subject-id = Steve; role = employee, role = manager.

Manager Role <Policy Set>
  <Target>
    <Subjects> role = manager
  <PolicySetIdReference> Manager Permission <PS>

Manager Permission <Policy Set>
  <Policy>
    <Rule> Permission to sign purchase order
      <Target>
        <Resources> resource-id = purchase order
        <Actions> action-id = sign
  <PolicySetIdReference> Employee Permission <PS>

<Request>
  <Subject> subject-id = Steve, role = manager
  <Resource> resource-id = purchase order
  <Action> action-id = sign

PDP

<Result>
  <Decision> Permit

Page 16: Hierarchical Permission Example

Subjects and roles in this example: subject-id = Seth, subject-id = Steve; role = employee, role = manager.

Manager Role <Policy Set>
  <Target>
    <Subjects> role = manager
  <PolicySetIdReference> Manager Permission <PS>

Manager Permission <Policy Set>
  <Policy>
    <Rule> Permission to sign purchase order
      <Target>
        <Resources> resource-id = purchase order
        <Actions> action-id = sign
  <PolicySetIdReference> Employee Permission <PS>

Employee Permission <Policy Set>
  <Policy>
    <Rule> Permission to create purchase order
      <Target>
        <Resources> resource-id = purchase order
        <Actions> action-id = create

<Request>
  <Subject> subject-id = Steve, role = manager
  <Resource> resource-id = purchase order
  <Action> action-id = create

PDP

<Result>
  <Decision> Permit

Page 17: RBXACML Takeaways

Implementation of RBAC using XACML
– Organized into RAPS, PPS, and RPS

Shortcomings:
– Hierarchy created through PPS references, not at the role level
– Lack of a clear role assignment specification
– No mention of permission delegation
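The RAPS/RPS/PPS layout and the employee-manager examples above, as an added toy evaluator; this is not code from the talk or from any XACML implementation, and the PPS identifiers and the NotApplicable decision returned when no rule covers a request are my assumptions:

```python
# Added example (not from the slides): a toy PDP mirroring the RBXACML layout.
# A Role Assignment Policy Set (RAPS) enables roles for subjects, a Role Policy
# Set (RPS) points each enabled role at a Permission Policy Set (PPS), and a PPS
# holds permissions plus references to other PPSs, which is how the profile
# builds the hierarchy (manager inherits employee permissions by reference).
# Seth, Anne, Steve and the 9h-17h condition come from the slides; the PPS ids
# and the NotApplicable decision for uncovered requests are assumptions.

RAPS = [  # (role, subjects allowed to enable it, condition on request context)
    ("employee", {"Seth", "Anne"}, lambda ctx: 9 <= ctx.get("current-time", -1) < 17),
    ("manager", {"Steve"}, None),
]
RPS = {"employee": "employee-pps", "manager": "manager-pps"}  # role -> PPS id
PPS = {  # PPS id -> ({(resource-id, action-id)}, [referenced PPS ids])
    "manager-pps": ({("purchase order", "sign")}, ["employee-pps"]),
    "employee-pps": ({("purchase order", "create")}, []),
}

def enable_role(subject_id, role, ctx):
    """Evaluate an enableRole request against the RAPS."""
    for rap_role, subjects, cond in RAPS:
        if rap_role == role and subject_id in subjects and (cond is None or cond(ctx)):
            return "Permit"
    return "NotApplicable"   # no rule matched; a real PDP also distinguishes Deny

def permissions_of(pps_id, seen=None):
    """Permissions of a PPS plus, transitively, of every PPS it references."""
    seen = set() if seen is None else seen
    if pps_id in seen:          # guard against a reference cycle between PPSs
        return set()
    seen.add(pps_id)
    perms, refs = PPS[pps_id]
    return set(perms).union(*(permissions_of(r, seen) for r in refs))

def decide(role, resource_id, action_id):
    """Evaluate an access request that carries an enabled role attribute."""
    if role not in RPS:
        return "NotApplicable"
    return "Permit" if (resource_id, action_id) in permissions_of(RPS[role]) else "NotApplicable"

if __name__ == "__main__":
    print(enable_role("Seth", "employee", {"current-time": 10}))   # Permit
    print(enable_role("Seth", "employee", {"current-time": 20}))   # NotApplicable
    print(decide("manager", "purchase order", "create"))           # Permit, via reference
    print(decide("employee", "purchase order", "sign"))            # NotApplicable
```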


Page 19: RBXACML Enhancements

Goals:
– More rigorously define role assignments: assign roles to users based on sets of user attributes
– Support delegation: allow control for administrator and delegator over delegated permissions

Page 20: Attribute-Based Role Assignment

[Figure: Original RBAC assigns the Physician role by identity: Physician if subject-id = 5. ABRA assigns it by attributes: Physician if holds physician role in highly-trusted remote domain.]

Page 21: XACML for ABRA

Every Role has one RAP
RAPS = { RAPs }
RAP = { enabling rules }

Role Assignment <Policy Set>
  Physician Role Assignment <Policy>
    Enabling <Rule> for Remote Physicians
      <Target>
        <Subject> physician ∈ remote-roles
                  issuer ∈ highly-trusted-domains
    Enabling <Rule> for Subject #5
      <Target>
        <Subject> subject-id = 5
  Patient Role Assignment <Policy> ⋮

Page 22: Why Delegation?

Delegation:
– One giving a portion of its authority to another

Motivating examples:
– Physician to Physician: attending permissions to a patient while on leave
– Physician to Medical Student: permission to read a patient's record

Page 23: Constraining Delegation

Constrain delegation by specifying:
– which permissions are delegatable (allow a subset to be specified)
– how permissions can be delegated
  – Delegation condition: fulfilled by delegator before he can delegate a role
  – Delegatee enabling condition: fulfilled by delegatee before a role is enabled for him

Manifested as rules in a permission policy

Page 24: Authorization in Trust Management Conditional Delegation and Attribute-Based Role Assignment using XACML and RBAC Brian Garback © Brian Garback 2005

Delegated Physician Permission <Policy>

<Rule> Permission to read a patient record

<Target>

<Resource> resource-id = patient record

<Action> action-id = read

Role Assignment <Policy Set>

Physician Role Assignment <Policy> ⋮

Physician to Medical Student

Permission <Policy Set>

Physician Permission <Policy>

<Rule> Permission to read a patient record

<Target>

<Resource> resource-id = patient record

<Action> action-id = read

<Rule> Delegate - Permission to read a record

<Target>

<Resource> resource-id = Perm to read...

<Action> action-id = delegate

Delegation <Condition> if used fingerprint

<Rule> Enabling Cond – Perm to read a record

<Target>

<Resource> resource-id = Perm to read...

Enabling <Condition> if student && advisor = delegator

Delegated Physician Role Assignment <Policy>

<Result>

<Decision> Permit

PDP

<Condition> if patient-id = 10

Enabling <Rule> for Subject #4

Enabling <Condition> if student && advisor = delegator

<Target>

<Subject> subject-id = 4

Permission <Policy Set>

Physician Permission <Policy>

<Rule> Permission to read a patient record

<Target>

<Resource> resource-id = patient record

<Action> action-id = read

<Rule> Delegate - Permission to read a record

<Target>

<Resource> resource-id = Perm to read...

<Action> action-id = delegate

Delegation <Condition> if used fingerprint

Delegated Physician Permission <Policy>

<Rule> Permission to read a patient record

<Target>

<Resource> resource-id = patient record

<Action> action-id = read

<Condition> if patient-id = 10

<Request>

<Subject> subject-id = 5

<Resource> resource-id = Perm to read...

<Action> action-id = deleg

role = physician

login = fingerprint
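The delegation flow on pages 23 and 24 (delegation condition on the delegator, delegatee enabling condition, delegated permission narrowed to patient-id = 10), as an added toy evaluator; this is not code from the talk, and the role name "delegated-physician", the NotApplicable decision and the attribute dictionaries are my assumptions:

```python
# Added example (not from the slides): a toy evaluator for conditional delegation.
# A Delegate rule in the Physician permission policy carries a Delegation
# Condition the delegator must satisfy (login = fingerprint). A permitted
# delegation creates a delegated role whose enabling rule carries the Delegatee
# Enabling Condition (student && advisor = delegator) and whose permission is
# narrowed by a condition chosen at delegation time (patient-id = 10).
# Subject ids 4 and 5 come from the slides; role and attribute names are assumed.

DELEGATION_RULES = {  # (role, permission) -> Delegation Condition on delegator attrs
    ("physician", ("patient record", "read")): lambda a: a.get("login") == "fingerprint",
}
delegated_raps = {}   # delegated role -> enabling condition, delegatee, narrowed perms

def delegate(delegator, delegatee_id, permission, constraint):
    """The delegator asks to delegate `permission`; returns the PDP decision."""
    cond = DELEGATION_RULES.get((delegator["role"], permission))
    if cond is None or not cond(delegator):
        return "Deny"     # no Delegate rule for this role/permission, or condition unmet
    delegated_raps["delegated-" + delegator["role"]] = {
        # Delegatee Enabling Condition: a student whose advisor is the delegator
        "enabling": lambda d, who=delegator["subject-id"]: bool(d.get("student")) and d.get("advisor") == who,
        "delegatee": delegatee_id,
        "perms": {permission: constraint},   # delegated permission plus its condition
    }
    return "Permit"

def enable_delegated_role(subject, role):
    """The delegatee asks to enable the delegated role."""
    rap = delegated_raps.get(role)
    if rap is None or rap["delegatee"] != subject["subject-id"]:
        return "NotApplicable"
    return "Permit" if rap["enabling"](subject) else "Deny"

def access(role, resource_id, action_id, ctx):
    """Access request under the delegated role, checked against the narrowing condition."""
    rap = delegated_raps.get(role)
    if rap is None or (resource_id, action_id) not in rap["perms"]:
        return "NotApplicable"
    return "Permit" if rap["perms"][(resource_id, action_id)](ctx) else "Deny"

if __name__ == "__main__":
    physician = {"subject-id": 5, "role": "physician", "login": "fingerprint"}
    student = {"subject-id": 4, "student": True, "advisor": 5}
    print(delegate(physician, 4, ("patient record", "read"), lambda c: c.get("patient-id") == 10))
    print(enable_delegated_role(student, "delegated-physician"))                          # Permit
    print(access("delegated-physician", "patient record", "read", {"patient-id": 10}))   # Permit
    print(access("delegated-physician", "patient record", "read", {"patient-id": 11}))   # Deny
```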

Page 25: Summary of Topics

RBAC: [figure: Physician role → Read Prescription permission]

XACML: authorization policy language

RBXACML: combines both technologies

Enhancements:
– ABRA: roles to user attribute expressions [figure: Physician if holds physician role in highly-trusted remote domain]
– Conditional Delegation: Delegation Condition, Delegatee Enabling Condition