role usage and activation hierarchies (best viewed in slide show mode)

© 2005 Ravi Sandhuwww.list.gmu.edu

Role Usage and Activation Hierarchies

(best viewed in slide show mode)

Ravi SandhuLaboratory for Information Security Technology

George Mason [email protected]

2


Reference• Ravi Sandhu, “Role Hierarchies and Constraints for Lattice-Based

Access Controls.” Proc. Fourth European Symposium on Research in Computer Security, Rome, Italy, September 25-27, 1996, pages 65-79. Published as Lecture Notes in Computer Science, Computer Security-ESORICS96 (Elisa Bertino et al, editors), Springer-Verlag, 1996.

• Ravi Sandhu, “Role Activation Hierarchies.” Proc. Third ACM Workshop on Role-Based Access Control, Fairfax, Virginia, October 22-23, 1998, pages 33-40.

• Sylvia Osborn, Ravi Sandhu and Qamar Munawer. “Configuring Role-Based Access Control to Enforce Mandatory and Discretionary Access Control Policies.” ACM Transactions on Information and System Security, Volume 3, Number 2, May 2000, pages 85-106.

3


Role hierarchies

• Two aspects• Role usage: permission inheritance

• Role activation: activation hierarchy

• RBAC96 combines both aspects in a single hierarchy• ANSI/NIST standard model leaves this open

• Do one or both, just make it clear what you are doing

4


Example Role Hierarchy

5


LBAC to RBAC

6


Simple security property

• some variations of LBAC use 2 labels for subjects• λr for read and λw for read • λr = λw for the single label case

7


Variations of *-property

8


LBAC to RBAC: independent read-write hierarchies

9


LBAC to RBAC: intertwined read-write hierarchies

10


Activation hierarchies and dynamic SOD

11


Formal definition

12


Activation hierarchy with non-maximal roles

13


Read-write RBAC and LBAC

14


LBAC with trusted strict *-property

role usage and activation hierarchies (best viewed in slide show mode)

Documents