Role-Based Access Control
[Figure: NIST RBAC reference model. Sets: USERS, ROLES, PRMS (made up of OPS and OBS), SESSIONS. Relations: UA (User Assignment) between USERS and ROLES, PA (Permission Assignment) between ROLES and PRMS, RH (Role Hierarchy) on ROLES, user_sessions between USERS and SESSIONS, session_roles between SESSIONS and ROLES. Constraints: SSD and DSD.]
Access Controls - Basics
Discretionary AC
[Figure: individuals are granted access to resources (Server 1, Server 2, Server 3, Legacy Apps) through a per-application access list, e.g.:]
Name   Access
Tom    Yes
John   No
Cindy  Yes
Mandatory AC
[Figure: individuals are mapped to resources by sensitivity label: Server 1 “Top Secret”, Server 2 “Secret”, Server 3 “Classified”, SIPRNET, Legacy Apps]
Better security than DAC
Role-Based AC
“Ideally, the [RBAC] system is clearly defined and agile, making the addition of new applications, roles, and employees as efficient as possible”
Role-Based AC
[Figure: individuals are assigned to roles (Role 1, Role 2, Role 3), and roles are mapped to resources (Server 1, Server 2, Server 3)]
Users change frequently, roles don’t
Rules of RBAC
RBAC Variance
[Figure: implementation effort plotted against RBAC model, rising up to RBAC3]
A family of RBAC with four models (restrictions on RBAC configuration)
4. RBAC3: RBAC0 plus all of the above
Role-Based AC Framework
Core Components
Constraint Components
Core RBAC
[Figure: Core RBAC: USERS, ROLES, PRMS (OPS, OBS), SESSIONS; relations UA (User Assignment), PA (Permission Assignment), user_sessions, session_roles]
UA (user assignment)
A user can be assigned to one or more roles
A role can be assigned to one or more users
[Figure: USERS set mapped to ROLES set, e.g. the roles Developer and Help Desk Rep]
PA (prms assignment)
A prms can be assigned to one or more roles
A role can be assigned to one or more prms
[Figure: ROLES set (Admin.DB1, User.DB1) mapped to PRMS set (View, Update, Append, Create, Delete, Drop)]
SESSIONS Assignment
The mapping of user u onto a set of sessions.
[Figure (user_sessions): USERS (USER1, USER2; roles guest, user, admin) invoke sessions, e.g. USER2 invokes User2.DB1.table1.session (SQL), User2.FIN1.report1.session and User2.APP1.desktop.session]
SESSIONS Assignment
The mapping of session s onto a set of roles
[Figure (session_roles): SESSION DB1.table1.session (SQL) mapped to ROLES]
Hierarchical RBAC
[Figure: Hierarchical RBAC: USERS, ROLES, PRMS (OPS, OBS), SESSIONS; relations UA (User Assignment), PA (Permission Assignment), RH (Role Hierarchy), user_sessions, session_roles]
Role Hierarchies (rh)
General
Limited
Tree Hierarchies
[Figure: tree hierarchies over the roles Director, Project Lead 1, Project Lead 2, Engineering Dept, Engineer 1, Engineer 2, Production Engineer 1, Quality Engineer 1, Production Engineer 2, Quality Engineer 2]
Lattice Hierarchy
[Figure: lattice hierarchy over the same roles (Director, Project Lead 1, Project Lead 2, Engineering Dept, Engineer 1, Engineer 2, Production Engineer 1 and 2, Quality Engineer 1 and 2)]
Upper roles have all the access rights of the lower roles as well as other access rights not available to a lower role
General RH
[Figure: role User with rights r-w-h above role Guest with rights -r-; role sets Guest, User, Power User, Admin]
Only if all permissions of r1 are also permissions of r2
Only if all users of r1 are also users of r2
i.e. r1 inherits r2
Support Multiple Inheritance
Limited RH
A restriction on the immediate descendants of the general role hierarchy
[Figure: Role1, Role2, Role3: Role2 inherits from Role1; Role3 does not inherit from Role1 or Role2]
Constrained RBAC
[Figure: Constrained RBAC: USERS, ROLES, PRMS (OPS, OBS), SESSIONS; relations UA (User Assignment), PA (Permission Assignment), RH (Role Hierarchy), user_sessions, session_roles; constraints SSD and DSD]
Static
Dynamic
Separation of Duties
SSD
SSD in Presence of RH
DSD
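As an added example (not part of these slides), the following Python toy models the relations named above in one place: UA, PA, user_sessions and session_roles from Core RBAC, RH from Hierarchical RBAC, and the SSD and DSD constraints from Constrained RBAC, with SSD checked in the presence of RH (a user's inherited roles count toward the constraint). The roles Admin.DB1 and User.DB1, the operations View through Drop and the session User2.DB1.table1.session come from the slides; the Auditor and Backup.DB1 roles, the DB1.auditlog object, the Export operation, the USER1/USER2 assignments and both constraint sets are constructed assumptions for illustration.

```python
# Added example, not from the slides: toy Core RBAC (UA, PA, SESSIONS with
# user_sessions and session_roles), a general role hierarchy (RH) and SSD/DSD rules.
from collections import defaultdict


class RBAC:
    def __init__(self):
        self.ua = defaultdict(set)             # UA: user -> directly assigned roles
        self.pa = defaultdict(set)             # PA: role -> {(op, obj)} permissions
        self.rh = defaultdict(set)             # RH: senior role -> immediate junior roles
        self.user_sessions = defaultdict(set)  # user_sessions: user -> session ids
        self.session_roles = {}                # session id -> (user, active role set)
        self.ssd, self.dsd = [], []            # constraints: (frozenset of roles, n)

    def grant(self, role, op, obj):
        self.pa[role].add((op, obj))           # PA: a prms is assigned to a role

    def add_inheritance(self, senior, junior):
        """RH edge: senior gets all access rights of junior plus its own."""
        self.rh[senior].add(junior)

    def juniors(self, role):
        """role plus every role reachable below it through RH."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.rh[r])
        return seen

    def authorized_roles(self, user):
        """Roles held directly via UA or inherited from an assigned senior role."""
        return set().union(*(self.juniors(r) for r in self.ua[user]))

    def authorized_permissions(self, role):
        return set().union(*(self.pa[r] for r in self.juniors(role)))

    def assign_user(self, user, role):
        """UA with SSD enforced in the presence of RH: inherited roles count too."""
        candidate = self.authorized_roles(user) | self.juniors(role)
        for role_set, n in self.ssd:
            if len(candidate & role_set) >= n:
                raise PermissionError(f"SSD: {user} would hold {n}+ of {sorted(role_set)}")
        self.ua[user].add(role)

    def create_session(self, user, sid):
        self.user_sessions[user].add(sid)
        self.session_roles[sid] = (user, set())

    def add_active_role(self, sid, role):
        """session_roles: activate an authorized role unless a DSD rule forbids it."""
        user, active = self.session_roles[sid]
        if role not in self.authorized_roles(user):
            raise PermissionError(f"{user} is not authorized for role {role}")
        for role_set, n in self.dsd:
            if len((active | {role}) & role_set) >= n:
                raise PermissionError(f"DSD: {sid} would activate {n}+ of {sorted(role_set)}")
        active.add(role)

    def check_access(self, sid, op, obj):
        """Permitted iff an active role of the session, or a junior of it, holds (op, obj)."""
        _, active = self.session_roles[sid]
        return any((op, obj) in self.authorized_permissions(r) for r in active)


def build_example():
    """Constructed scenario: the DB1 roles and PRMS from the PA slide, Admin.DB1 > User.DB1,
    plus hypothetical Auditor and Backup.DB1 roles used only to show the constraints."""
    rbac = RBAC()
    for op in ("View", "Update", "Append"):
        rbac.grant("User.DB1", op, "DB1.table1")
    for op in ("Create", "Delete", "Drop"):
        rbac.grant("Admin.DB1", op, "DB1.table1")
    rbac.grant("Auditor", "View", "DB1.auditlog")
    rbac.grant("Backup.DB1", "Export", "DB1.table1")
    rbac.add_inheritance("Admin.DB1", "User.DB1")
    rbac.ssd.append((frozenset({"User.DB1", "Auditor"}), 2))     # SSD: never both assigned
    rbac.dsd.append((frozenset({"Admin.DB1", "Backup.DB1"}), 2))  # DSD: never both active
    rbac.assign_user("USER2", "Admin.DB1")
    rbac.assign_user("USER2", "Backup.DB1")
    rbac.assign_user("USER1", "Auditor")
    rbac.create_session("USER2", "User2.DB1.table1.session")
    rbac.add_active_role("User2.DB1.table1.session", "Admin.DB1")
    return rbac


def _blocked(action):
    """True if the action raises PermissionError, i.e. the constraint was enforced."""
    try:
        action()
    except PermissionError:
        return True
    return False


def run_checks():
    rbac, sid = build_example(), "User2.DB1.table1.session"
    return {"admin_inherits_view": rbac.check_access(sid, "View", "DB1.table1"),
            "admin_cannot_audit": rbac.check_access(sid, "View", "DB1.auditlog"),
            # USER2 holds User.DB1 only through Admin.DB1, yet SSD still applies
            "ssd_blocked": _blocked(lambda: rbac.assign_user("USER2", "Auditor")),
            # USER2 holds Backup.DB1 but may not activate it alongside Admin.DB1
            "dsd_blocked": _blocked(lambda: rbac.add_active_role(sid, "Backup.DB1"))}
```

run_checks() returns the four outcomes. The SSD check is the "SSD in presence of RH" case: USER2 was never assigned User.DB1 directly, but inherits it from Admin.DB1, so assigning the conflicting Auditor role is refused. DSD, by contrast, only constrains what is active at once: USER2 legitimately holds both Admin.DB1 and Backup.DB1 but cannot activate both in the same session.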
RBAC Defense in Depth
RBAC for GIAC Enterprises
RBAC in the DMZ
RBAC for Internal Systems
RBAC for Network Devices
RBAC for Infrastructure
RBAC for Auditing
References