Rolebased Access Control RBAC

1
Role-based Access Control (RBAC)

• A. A. Elliott
• October 1st, 2007

2
Presentation Summary

• Introduction (to RBAC)
• Motivation (for RBAC)
• Literature Review
• Discussion Points
• Questions

3
Introduction (1 of 3)

• Authentication

4
Introduction (2 of 3)

• Authorization

5
Introduction (3 of 3)

• How is access authorized
• Mandatory Access Control (MAC)
• Discretionary Access Control (DAC)
• Role-based Access Control (RBAC)
• Why RBAC?

6
Motivation (1 of 3)
Case 1 5 users 5 tables 25 grants Case 2
100 users 100 tables 10,000 grants
Explicit Object Grants
Role
Case 1 5 users 5 tables 10 grants Case 2
100 users 100 tables 200 grants
Role-based Access Control (RBAC)
7
Motivation (2 of 3)

• Business and functional roles

Engineering Department
Director of Engineering
Manage Money
Manage People
8
Motivation (3 or 3)

• An appealing solution use RBAC to manage RBAC gt
  delegation

Role
Role
Role
Role
Role
Role
Role
Role
Role
Role
Role
Role
Role
Role
9
Literature (1 of 6)

• RBAC formally introduced in 92
• D. Ferraiolo R. Kuhn
• A family of RBAC models 96
• R. Sandu, E. Coyne, H. Feinstein, C. Youman
• NIST Model proposed standard 00
• R. Sandu, D. Ferraiolo and R. Kuhn
• ANSI INCITS 359-2004

10
Literature (2 of 6)

• October 1992 - D. Ferraiolo R. Kuhn
• Recently, considerable attention has been paid
  to researching and addressing the security needs
  of commercial and civilian government
  organizations. It is apparent that significant
  and broad sweeping security requirements exist
  outside the Department of Defense.
• Within industry and civilian government,
  integrity deals with broader issues of security
  then confidentiality. Integrity is particularly
  relevant to such applications as funds transfer,
  clinical medicine, environmental research, air
  traffic control, and avionics.

11
Literature (3 of 6)

• February 1996 - R. Sandhu, E.J. Coyne, H.L.
  Feinstein and C.E. Youman
• Although RBACs usefulness is widely
  acknowledged, there is little agreement on what
  RBAC means. As a result, RBAC is open to
  interpretation by researchers and system
  developers
• RBAC0 the minimum requirement for an RBAC
  system
• RBAC1 adds role hierarchies includes RBAC0
• RBAC2 adds constraints includes RBAC0
• RBAC3 RBAC1 plus RBAC2 includes RBAC0

12
Literature (4 of 6)

• July 2000 - R. Sandu, D. Ferraiolo and R. Kuhn
• This paper describes a unified model for
  role-based access control (RBAC). RBAC is a
  proven technology for large-scale authorization.
• RBAC is a rich and open-ended technology which
  is evolving as users, researchers and vendors
  gain experience with it.

13
Literature (5 of 6)

• public reviews 2 iterations including
  substantive changes (over 4 years)
• February 3rd, 2004 ANSI INCITS 359-2004
• This standard describes RBAC features that have
  gained acceptance in the commercial market
  place.
• It is intended for 1) software engineers and
  product development managers who design products
  incorporating access control and 2) managers and
  procurement officials who seek to acquire
  computer security products with features that
  provide access control capabilities.

14
Literature (6 of 6)

• Lets recap
• In 1992 RBAC formally introduced
• 12 years
• In 2004 an ANSI standard!
• 2008? Whats next?
• Lets discuss some of the issues

15
Discussion (1 of 7)

• Proliferation of user accounts roles
• OpenLDAP (e.g. mail, calendar directory
  services)
• Active Directory (e.g. print services)
• Oracle Internet Directory (e.g. thin client
  applications)
• fat database account (e.g. desktop
  applications)
• Administration of roles gt ad hoc or engineered

16
Discussion (2 of 7)
Role
Role
Role
Role
Role
Role
Role
Role
Role
Role
Role
Role
17
Discussion (3 of 7)
Role
Role
Role
Role
Role
Role
Role
Role
Role
Role
Role
Role
18
Discussion (4 of 7)

• Least privilege and activity based authorization
• Static and Dynamic Separation of Duty

19
Discussion (5 of 7)

• Holding vendors accountable!
• e.g. 1 software with one role super
• e.g. 2 software with user credentials stored
  unencrypted in a database table

20
Discussion (6 of 7)

• Oracle Buys Enterprise Role Management Leader
  Bridgestream (SEPT 5, 2007) http//www.oracle.com/
  corporate/press/2007_sep/bridgestream.html?rssidr
  ss_ocom_pr
• http//www.bridgestream.com/flash_docs.php
• Increased Complexity Means Higher Vulnerability
• While regulations continue to evolve and
  multiply, the IT environment at most enterprises
  is growing more complex. The IT department
  typically has hundreds of applications under
  management.

21
Discussion (7 of 7)

• Many individuals who have access to documents
  and resources SHOULDNT have that access
• Most user provisioning is done manually and
  cant scale.
• People are not de-provisioned on time.
• There is no simple way to obtain evidence that
  internal controls have in fact been followed.

22
Primary References

• Ferraiolo, D. and Kuhn, R., Role-based access
  controls, In proceedings of 15th NIST-NCSC
  National Computer Security Conference, Baltimore,
  Maryland, United States, October 1992, pp.
  554-563.
• R. Sandhu, E.J. Coyne, H.L. Feinstein and C.E.
  Youman, Role-based access control models, IEEE
  Computer, February 1996, Volume 29, Number 2, pp
  38-47.
• R. Sandhu, D. Ferraiolo, R. Kuhn. The NIST model
  for role-based access control Towards a unified
  standard, In proceedings of 5th ACM Workshop on
  Role-Based Access Control, Berlin, Germany, July
  2000, pp. 47-63.
• ANSI INCITS 359-2004, February 3, 2004.

23
Questions?

• Thank you!!