Role Usage and Activation Hierarchies (best viewed in slide show mode)
© 2005 Ravi Sandhu, www.list.gmu.edu
Ravi Sandhu, Laboratory for Information Security Technology
George Mason [email protected]
References
• Ravi Sandhu, “Role Hierarchies and Constraints for Lattice-Based Access Controls.” Proc. Fourth European Symposium on Research in Computer Security, Rome, Italy, September 25-27, 1996, pages 65-79. Published as Lecture Notes in Computer Science, Computer Security - ESORICS 96 (Elisa Bertino et al., editors), Springer-Verlag, 1996.
• Ravi Sandhu, “Role Activation Hierarchies.” Proc. Third ACM Workshop on Role-Based Access Control, Fairfax, Virginia, October 22-23, 1998, pages 33-40.
• Sylvia Osborn, Ravi Sandhu and Qamar Munawer, “Configuring Role-Based Access Control to Enforce Mandatory and Discretionary Access Control Policies.” ACM Transactions on Information and System Security, Volume 3, Number 2, May 2000, pages 85-106.
Role hierarchies
• Two aspects
  • Role usage: permission inheritance
  • Role activation: activation hierarchy
• RBAC96 combines both aspects in a single hierarchy
• ANSI/NIST standard model leaves this open
• Do one or both, just make it clear what you are doing
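An added example, not taken from the slides: a small Python model that keeps the usage hierarchy (permission inheritance) and the activation hierarchy as two separate relations, so a senior role can be allowed to activate a junior role without inheriting its permissions, and a dynamic separation-of-duty pair is enforced at activation time. Role and permission names are constructed for illustration.

```python
class RoleHierarchies:
    def __init__(self):
        self.usage = {}       # role -> junior roles whose permissions it inherits
        self.activation = {}  # role -> junior roles it may be activated as
        self.perms = {}       # role -> permissions assigned directly to it
        self.dsod = []        # role pairs that may not be active in one session

    def add_role(self, role, perms=()):
        self.usage.setdefault(role, set())
        self.activation.setdefault(role, set())
        self.perms[role] = set(perms)

    def juniors(self, graph, role):
        """Transitive closure of one relation, including the role itself."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(graph.get(r, ()))
        return seen

    def permissions(self, role):
        """Permissions reached through the usage hierarchy only."""
        return set().union(*(self.perms[r] for r in self.juniors(self.usage, role)))

    def can_activate(self, assigned, role):
        """True if some assigned role is senior to `role` in the activation hierarchy."""
        return any(role in self.juniors(self.activation, a) for a in assigned)

    def session_permissions(self, assigned, active):
        """Permissions of a session after activation and dynamic SOD checks."""
        for r in active:
            if not self.can_activate(assigned, r):
                raise PermissionError(f"cannot activate {r}")
        for a, b in self.dsod:
            if a in active and b in active:
                raise PermissionError(f"dynamic SOD: {a} and {b} together")
        return set().union(*(self.permissions(r) for r in active))


def build_example():
    """Constructed roles where usage and activation edges deliberately differ."""
    h = RoleHierarchies()
    h.add_role("employee", ["read_directory"])
    h.add_role("engineer", ["commit_code"])
    h.add_role("auditor", ["review_commits"])
    h.add_role("manager", ["approve_timesheet"])
    h.usage["engineer"].add("employee")  # engineer inherits employee permissions
    h.usage["manager"].add("employee")
    h.activation["manager"] |= {"engineer", "auditor"}  # may activate, no inheritance
    h.dsod.append(("engineer", "auditor"))  # never both in one session
    return h
```

A manager session that activates only "manager" therefore cannot commit code, while one that also activates "engineer" can; activating "engineer" and "auditor" together is refused.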
Example Role Hierarchy
LBAC to RBAC
Simple security property
• Some variations of LBAC use 2 labels for subjects
  • λr for read and λw for write
  • λr = λw in the single-label case
Variations of *-property
LBAC to RBAC: independent read-write hierarchies
LBAC to RBAC: intertwined read-write hierarchies
Activation hierarchies and dynamic SOD
Formal definition
Activation hierarchy with non-maximal roles
Read-write RBAC and LBAC
LBAC with trusted strict *-property