© 2005 Ravi Sandhu, www.list.gmu.edu
Role Usage and Activation Hierarchies
(best viewed in slide show mode)
Ravi Sandhu
Laboratory for Information Security Technology
George Mason University
[email protected]
References
• Ravi Sandhu, “Role Hierarchies and Constraints for Lattice-Based Access Controls.” Proc. Fourth European Symposium on Research in Computer Security, Rome, Italy, September 25-27, 1996, pages 65-79. Published as Lecture Notes in Computer Science, Computer Security - ESORICS 96 (Elisa Bertino et al., editors), Springer-Verlag, 1996.
• Ravi Sandhu, “Role Activation Hierarchies.” Proc. Third ACM Workshop on Role-Based Access Control, Fairfax, Virginia, October 22-23, 1998, pages 33-40.
• Sylvia Osborn, Ravi Sandhu and Qamar Munawer, “Configuring Role-Based Access Control to Enforce Mandatory and Discretionary Access Control Policies.” ACM Transactions on Information and System Security, Volume 3, Number 2, May 2000, pages 85-106.
Role hierarchies
• Two aspects
  • Role usage: permission inheritance
  • Role activation: activation hierarchy
• RBAC96 combines both aspects in a single hierarchy
• ANSI/NIST standard model leaves this open
• Do one or both, just make it clear what you are doing
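The two aspects can be kept as two separate relations over the same role set. The following is an added illustration, not code from the slides or from any RBAC96 implementation: the `usage` relation carries permission inheritance, the `activation` relation says which junior roles a member of a senior role may activate in a session, and the RBAC96 single hierarchy is the special case where every edge is in both. The roles, permissions and user names are constructed.

```python
"""Toy RBAC engine separating role usage from role activation.

Added example, not from the slides. Roles, permissions and users below
are constructed for illustration.
"""
from collections import defaultdict


class RoleHierarchy:
    def __init__(self):
        self.perms = defaultdict(set)       # role -> directly assigned permissions
        self.members = defaultdict(set)     # role -> users directly assigned
        self.usage = defaultdict(set)       # senior -> juniors whose permissions it inherits
        self.activation = defaultdict(set)  # senior -> juniors its members may activate

    def assign_permission(self, role, perm):
        self.perms[role].add(perm)

    def assign_user(self, user, role):
        self.members[role].add(user)

    def add_usage(self, senior, junior):
        self.usage[senior].add(junior)

    def add_activation(self, senior, junior):
        self.activation[senior].add(junior)

    def add_rbac96(self, senior, junior):
        """RBAC96 style: a single edge serves both aspects."""
        self.add_usage(senior, junior)
        self.add_activation(senior, junior)

    @staticmethod
    def _closure(relation, role):
        """Transitive closure of `relation` starting at `role` (role included)."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(relation.get(r, ()))
        return seen

    def effective_permissions(self, role):
        """Role usage: the role's own permissions plus everything inherited downward."""
        return set().union(*(self.perms[r] for r in self._closure(self.usage, role)))

    def activatable_roles(self, user):
        """Role activation: roles held directly plus juniors reachable via activation edges."""
        direct = {r for r, users in self.members.items() if user in users}
        return set().union(*(self._closure(self.activation, r) for r in direct))

    def session_permissions(self, user, activated):
        """Permissions available in a session that activated exactly `activated`."""
        bad = set(activated) - self.activatable_roles(user)
        if bad:
            raise PermissionError(f"{user} may not activate {sorted(bad)}")
        return set().union(*(self.effective_permissions(r) for r in activated))


def _populate(h):
    # Constructed sample: three roles, one permission each, one user.
    for role, perm in [("Employee", "read_bulletin"),
                       ("Engineer", "commit_code"),
                       ("Manager", "approve_budget")]:
        h.assign_permission(role, perm)
    h.assign_user("alice", "Manager")
    return h


def build_rbac96():
    """Single hierarchy Manager > Engineer > Employee for both aspects."""
    h = _populate(RoleHierarchy())
    h.add_rbac96("Manager", "Engineer")
    h.add_rbac96("Engineer", "Employee")
    return h


def build_split():
    """Manager may step down to Engineer (activation only) but does not
    inherit Engineer's permissions; Engineer > Employee in both aspects."""
    h = _populate(RoleHierarchy())
    h.add_activation("Manager", "Engineer")
    h.add_usage("Engineer", "Employee")
    h.add_activation("Engineer", "Employee")
    return h


if __name__ == "__main__":
    print(sorted(build_rbac96().session_permissions("alice", ["Manager"])))
    print(sorted(build_split().session_permissions("alice", ["Manager"])))
    print(sorted(build_split().session_permissions("alice", ["Engineer"])))
```

In the split configuration a session that activates only `Manager` gets `approve_budget` alone; to commit code alice must activate `Engineer` explicitly, which keeps each session closer to least privilege and makes the role under which an action was taken unambiguous in the audit trail.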
Example Role Hierarchy
LBAC to RBAC
Simple security property
• Some variations of LBAC use two labels for subjects
  • λr for read and λw for write
  • λr = λw in the single-label case
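The two-label subject model, as an added example that is not from the slides: labels are (level, categories) pairs in the usual product lattice, a subject carries a read label λr and a write label λw, and the simple security property from the slide becomes "read allowed iff λr(s) dominates λ(o)". The liberal and strict forms of the *-property are the standard Bell-LaPadula definitions on the write label (λ(o) dominates λw(s), respectively λ(o) = λw(s)); they are not spelled out on the page and are included here as assumptions. Levels, categories and subjects are constructed.

```python
"""Two-label LBAC subject checks. Added example, not from the slides.

Assumptions: a product lattice of (level, categories); simple security
checked on lambda_r; *-property (liberal or strict) checked on lambda_w,
using the standard Bell-LaPadula definitions.
"""
from dataclasses import dataclass

LEVELS = ["U", "C", "S", "TS"]  # constructed total order, lowest first


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """Lattice order: higher-or-equal level and a superset of categories."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.categories >= other.categories)


@dataclass(frozen=True)
class Subject:
    name: str
    lambda_r: Label  # label used for read checks
    lambda_w: Label  # label used for write checks

    @classmethod
    def single_label(cls, name, label):
        """The single-label case: lambda_r = lambda_w."""
        return cls(name, label, label)

    def well_formed(self):
        # Anything read at lambda_r must not flow downward, so the write
        # label must dominate the read label (the usual two-label requirement).
        return self.lambda_w.dominates(self.lambda_r)


def can_read(subject, obj_label):
    """Simple security property: read allowed iff lambda_r(s) >= lambda(o)."""
    return subject.lambda_r.dominates(obj_label)


def can_write(subject, obj_label, strict=False):
    """*-property on the write label.

    Liberal form: lambda(o) >= lambda_w(s) (writing upward is allowed).
    Strict form:  lambda(o) == lambda_w(s).
    """
    if strict:
        return obj_label == subject.lambda_w
    return obj_label.dominates(subject.lambda_w)


if __name__ == "__main__":
    # Constructed subject: reads at S/{nuc}, writes at TS/{nuc}.
    analyst = Subject("analyst", Label("S", frozenset({"nuc"})), Label("TS", frozenset({"nuc"})))
    print(analyst.well_formed(), can_read(analyst, Label("S", frozenset({"nuc"}))))
    print(can_write(analyst, Label("TS", frozenset({"nuc", "eur"}))),
          can_write(analyst, Label("TS", frozenset({"nuc", "eur"})), strict=True))
```

Splitting the labels lets a subject read at one level and write at a higher one without the two checks interfering, which is what makes the later mapping of read and write onto separate role hierarchies possible; the single-label case is just the diagonal λr = λw.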
Variations of *-property
LBAC to RBAC: independent read-write hierarchies
LBAC to RBAC: intertwined read-write hierarchies
Activation hierarchies and dynamic SOD
Formal definition
Activation hierarchy with non-maximal roles
Read-write RBAC and LBAC
LBAC with trusted strict *-property