Role Based Access Control - NIST - National Institute of Standards
NIST Standard for Role-Based Access Control
description
Transcript of NIST Standard for Role-Based Access Control
![Page 1: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/1.jpg)
NIST Standard for Role-Based Access Control
Present by Wenyi Ni
![Page 2: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/2.jpg)
The root of RBAC The use of groups in UNIX and other
operating systems Privilege grouping in DBMS Separation of duty concepts
RBAC embodies these notions in a single access control model.
![Page 3: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/3.jpg)
RBAC includes: Roles and role hierarchies Role activation Constraints on user/role membership
and role set activation
![Page 4: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/4.jpg)
RBAC is organized into two part RBAC reference model RBAC Functional Specification
![Page 5: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/5.jpg)
RBAC reference model Define a common vocabulary of
terms for in consistently specifying requirements and to set the scope of the RBAC features included in the standard
![Page 6: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/6.jpg)
RBAC Functional Specification
Define requirements over administrative operations for the creation and maintenance of RBAC element sets and relations
![Page 7: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/7.jpg)
NIST RBAC model is defined in terms of four model components
Core RBAC Hierarchical RBAC Static separation of duty relations Dynamic Separation of duty
relations
![Page 8: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/8.jpg)
Core RBAC Define a minimum collection of
RBAC elements, element sets, relations in order to completely achieved a role-based access control system
It includes:1.user-role assignment2.permission-role assignment
![Page 9: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/9.jpg)
Definitions in core RBAC User: defined as a human being. It
can be extended to include machine, network,intelligent autonomous agent
Role: a job function within the context of an organization with some associated semantics regarding the authority and responsibility
![Page 10: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/10.jpg)
Definition (continued) Permission: an approval to perform
an operation on one or more RBAC protected objects
Operation: an executable image of a program
Session: a mapping between a user and an activated subset of roles that are assigned to the user
![Page 11: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/11.jpg)
Core RBAC model element sets and relations
![Page 12: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/12.jpg)
Hierarchal RBAC It adds relations for supporting role
hierarchies Senior roles acquire the permissions
of their juniors A role’s set of authorized users and
authorized permission Role hierarchy can be 1)tree 2)inverted tree 3)lattice
![Page 13: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/13.jpg)
Role hierarchy Tree
![Page 14: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/14.jpg)
Role hierarchy inverted tree
![Page 15: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/15.jpg)
Role hierarchy lattice
![Page 16: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/16.jpg)
Example: accounting roles
![Page 17: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/17.jpg)
Separation of duty relations
It is used to enforce conflict of interest policies that organizations may employ to prevent users from exceeding a reasonable level of authority for their position
![Page 18: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/18.jpg)
Static Separation of Duty Relations Enforce constraints on the
assignment of users to roles Place restrictions on sets of roles. If
a user is assigned to one role, the user is prohibited from being a member of a second role.
![Page 19: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/19.jpg)
Because of the conflict of role ‘billing’ and ‘Cashier’ , Frank is prohibited to be assigned both of them
![Page 20: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/20.jpg)
Dynamic Separation of Duty Relations Place constraints on the roles that
can be activated within or across a users sessions.
It supports each user has different levels of permission at different time.
It is often referred as timely revocation of trust
![Page 21: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/21.jpg)
Categories of functions in RBAC Used to meet the requirements for
each of the components1.Administrative Functions2.Supporting System Functions3.Review Functions
![Page 22: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/22.jpg)
Administrative Functions in core RBAC Create and maintain element
sets(users,roles,OPS,OBS)1.AddUser, DeleteUser2.AddRole, DeleteRole3.AssignUser, DeassignUser4.GrantPermission, revokePermission
![Page 23: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/23.jpg)
Supporting System Function in Core RBAC Session management and make
access control decisions1.CreateSession2.AddActiveRole, DropActiveRole3.CheckAccess
![Page 24: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/24.jpg)
Review Function in Core RBAC View the contents of user-to-role
and permission-to-role assignment.1.AssignedRoles2.RolePermissions3.UserPermissions4.SessionPermisssions5.RoleOperationsOnObjects6.UserOperationsOnObjects
![Page 25: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/25.jpg)
Administrative Function in Hierarchical RBAC Create and maintain the partial
order relation among roles1.AddInheritance, DeleteInheritance2.AddAscendant, AddDescendant
![Page 26: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/26.jpg)
Supporting System Functions in Hierarchical RBAC
Same function as for Core RBAC, some function need to be redefined because of the role hierarchy.
Such as: createSession, addActiveRole.
![Page 27: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/27.jpg)
Review Functions in Hierarchical RBAC All review functions specified for
Core RBAC is valid here Add the review functions to inherited
roles.1.AuthorizedUsers2.AuthorizedRoles
![Page 28: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/28.jpg)
Functions in SSDAdministrative:1CreatSSDSet,DeleteSSDSet2AddSSDRoleMember, DeleteSSDRolemember3.SetSSDRoleMember4.SetSSDCardinalitySupporting System: same as those for core RBACReview:1.SSDRoleSets2.SSDRoleSetRoles3.SSDRoleSetCardinality
![Page 29: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/29.jpg)
Functions in DSDAdministrative1.CreateDSDSet, DeleteDSDSet2.AddDSDRoleMember,DeleteDSDRoleMember3.SetDSDCardinalitySuport System:1.CreateSession2.AddActiveRole3.DropActiveRole Review:1.DSDRoleSets2.DSDRoleSetRoles3.DSDRoleSetCardinality
![Page 30: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/30.jpg)
Conclusion RBAC is used to simplify security
policy administration RBAC is an open-ended
technology,which ranges from very simple to fairly sophisticated.
RBAC continues to be an evolving technology.
![Page 31: NIST Standard for Role-Based Access Control](https://reader036.fdocuments.net/reader036/viewer/2022081418/5681452b550346895db1eff6/html5/thumbnails/31.jpg)
End Reference:http://csrc.nist.gov/rbac/rbacSTD-ACM.