Lecture Chapter 4: Access Control - Role-based models (RBAC)

Pages: 22      File type: pptx      Size: 362.01 KB
Lecture Chapter 4 - Access Control: Role-based models (RBAC) covers role-based models, role-based access control, and the administrative role-based access control model.
Content extracted from the document:
Chapter 4 - Access Control: Role-based models (RBAC)

Agenda
– Role-based models
– Administrative role-based access control model

https://books.google.com.vn/books?id=_O7xBwAAQBAJ&pg=PA171&lpg=PA171&dq=Open/close+policy+in+database+security&source=bl&ots=4cH6efHzHp&sig=eO6djffmpiyvB0L6hmWAbPPeZow&hl=vi&sa=X&ei=F2PVbYOcaJuATyvIHQAw&redir_esc=y#v=onepage&q&f=false

Role-based models
– Many organizations base access control decisions on “the roles that individual users take on as part of the organization”.
– They prefer to centrally control and maintain access rights that reflect the organization’s protection guidelines.
– With RBAC, role-permission relationships can be predefined, which makes it simple to assign users to the predefined roles.
– The combination of users and permissions tends to change over time, while the permissions associated with a role are more stable.
– The RBAC concept supports three well-known security principles:
  – Least privilege
  – Separation of duties
  – Data abstraction

Role Based Access Control (RBAC)
– Access control in organizations is based on “roles that individual users take on as part of the organization”.
– A role is “a collection of permissions”.
[Figure: Users, Roles and Permissions linked by User-Role Assignment and Role-Permission Assignment, with Roles Hierarchies and Constraints]

Role Based Access Control (RBAC)
– Access depends on role/function, not identity.
  – Example: Allison is bookkeeper for the Math Dept. She has access to financial records. If she leaves and Betty is hired as the new bookkeeper, Betty now has access to those records. The role of “bookkeeper” dictates access, not the identity of the individual.

RBAC
[Figure: panels (a) and (b) compare assigning users u1 ... un to permissions o1 ... om through a role r (n + m assignments) with assigning them directly (n × m assignments); a role hierarchy shows Manager, Senior Administrator, Senior Engineer, Administrator, Engineer, Employee]

RBAC (cont’d)
– Is RBAC a discretionary or mandatory access control?
  – RBAC is policy neutral; however, individual RBAC configurations can support a mandatory policy, while others can support a discretionary policy.
Role Hierarchies
[Figure: role hierarchy diagram with the labels Role Administration, Project Supervisor, Test engineer, Programmer, Project Member]

RBAC (NIST Standard)
[Figure: Users, Roles, Operations, Objects, Permissions and Sessions, connected by UA, PA, user_sessions (one-to-many) and role_sessions (many-to-many)]
An important difference from classical models is that Subject in other models corresponds to a Session in RBAC.

Core RBAC (relations)
– Permissions = 2^(Operations × Objects)
– UA ⊆ Users × Roles
– PA ⊆ Permissions × Roles
– assigned_users: Roles → 2^Users
– assigned_permissions: Roles → 2^Permissions
– Op(p): set of operations associated with permission p
– Ob(p): set of objects associated with permission p
– user_sessions: Users → 2^Sessions
– session_user: Sessions → Users
– session_roles: Sessions → 2^Roles
  – session_roles(s) = {r | (session_user(s), r) ∈ UA}
– avail_session_perms: Sessions → 2^Permissions

RBAC with General Role Hierarchy
[Figure: the NIST diagram above extended with RH (role hierarchy) on Roles]

RBAC with General Role Hierarchy
– authorized_users: Roles → 2^Users
  authorized_users(r) = {u | r’ ≥ r & (u, r’) ∈ UA}
– authorized_permissions: Roles → 2^Permissions
  authorized_permissions(r) = {p | r ≥ r’ & (p, r’) ∈ PA}
– RH ⊆ Roles × Roles is a partial order
  – called the inheritance relation
  – written as ≥
  (r1 ≥ r2) ⇒ authorized_users(r1) ⊆ authorized_users(r2) & authorized_permissions(r2) ⊆ authorized_permissions(r1)

Example
[Figure: example role hierarchy including Manager, Senior Administrator and Senior Engineer, annotated with users e1 to e10 and permissions px, py, pp, po, pa, pb]
...
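
The Core RBAC relations and the general role hierarchy above, as an added Python example that is not part of the original lecture. Role names are taken from the slides; the hierarchy edges, users, permissions and the helper names juniors, dominates, open_session and check_access are assumptions made for illustration. Unlike Core RBAC, where session roles are drawn from UA directly, a session here may activate any role the user is authorized for through the hierarchy.

```python
# Added example: Core RBAC relations plus a general role hierarchy.
# Role names come from the slides; hierarchy edges, users and permissions
# are constructed sample data, not taken from the lecture's figures.

# RH: direct "senior >= junior" edges (assumed shape of the hierarchy).
RH = {("Manager", "Senior Administrator"), ("Manager", "Senior Engineer"),
      ("Senior Administrator", "Administrator"), ("Senior Engineer", "Engineer"),
      ("Administrator", "Employee"), ("Engineer", "Employee")}
UA = {("alice", "Manager"), ("bob", "Engineer"), ("carol", "Employee")}  # Users x Roles
PA = {(("read", "handbook"), "Employee"), (("write", "source"), "Engineer"),
      (("approve", "release"), "Senior Engineer"),
      (("create", "account"), "Administrator")}                          # Permissions x Roles

def juniors(role):
    """All r' with role >= r' (reflexive, transitive closure of RH)."""
    seen, stack = {role}, [role]
    while stack:
        cur = stack.pop()
        for senior, junior in RH:
            if senior == cur and junior not in seen:
                seen.add(junior)
                stack.append(junior)
    return seen

def dominates(r1, r2):
    """True when r1 >= r2 in the partial order."""
    return r2 in juniors(r1)

def authorized_users(r):
    # {u | r' >= r and (u, r') in UA}: membership flows down the hierarchy.
    return {u for (u, r2) in UA if dominates(r2, r)}

def authorized_permissions(r):
    # {p | r >= r' and (p, r') in PA}: permissions flow up the hierarchy.
    return {p for (p, r2) in PA if dominates(r, r2)}

def open_session(user, requested_roles):
    """Activate only roles the user is authorized for (least privilege per session)."""
    denied = sorted(r for r in requested_roles if user not in authorized_users(r))
    if denied:
        raise PermissionError(f"{user} may not activate {denied}")
    return {"user": user, "roles": set(requested_roles)}

def avail_session_perms(session):
    """Union of authorized permissions over the roles active in the session."""
    return set().union(*(authorized_permissions(r) for r in session["roles"]))

def check_access(session, operation, obj):
    """The access decision depends on the session's active roles, not on identity."""
    return (operation, obj) in avail_session_perms(session)
```

A user assigned to Manager who activates only Engineer in a session gets Engineer's permissions and nothing more, which is how sessions support least privilege.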
