ARBAC 97 (ADMINISTRATIVE RBAC)

1
ARBAC 97 (ADMINISTRATIVE RBAC)

• Ravi Sandhu
• Venkata Bhamidipati
• Ed Coyne
• Srinivas Ganta
• Qamar Munawer
• Charles Youman

2
ARBAC97 DECENTRALIZES

• user-role assignment (URA97)
• permission-role assignment (PRA97)
• role-role hierarchy
• groups or user-only roles (extend URA97)
• abilities or permission-only roles (extend PRA97)
• UP-roles or user-and-permission roles (RRA97)

3
ADMINISTRATIVE RBAC
ROLES
PERMISSIONS
USERS
CAN- MANAGE
ADMIN ROLES
ADMIN PERMISSIONS
4
ADMINISTRATIVE RBAC
5
EXAMPLE ROLE HIERARCHY
Director (DIR)
Project Lead 1 (PL1)
Project Lead 2 (PL2)
Production 1 (P1)
Quality 1 (Q1)
Production 2 (P2)
Quality 2 (Q2)
Engineer 1 (E1)
Engineer 2 (E2)
Engineering Department (ED)
PROJECT 2
PROJECT 1
Employee (E)
6
EXAMPLE ADMINISTRATIVE ROLE HIERARCHY
Senior Security Officer (SSO)
Department Security Officer (DSO)
Project Security Officer 1 (PSO1)
Project Security Officer 2 (PSO2)
7
USER-ROLE ASSIGNMENTCAN-ASSIGN-USER

• ARole Prereq Role Role Range
• PSO1 ED E1,PL1)
• PSO2 ED E2,PL2)
• DSO ED (ED,DIR)
• SSO E ED,ED
• SSO ED (ED,DIR

8
USER-ROLE ASSIGNMENT CAN-ASSIGN-USER

• ARole Prereq Cond Role Range
• PSO1 ED E1,E1
• PSO1 ED P1 Q1,Q1
• PSO1 ED Q1 P1,P1
• PSO2 ED E2,E2
• PSO2 ED P2 Q2,Q2
• PSO2 ED Q2 P2,P2

9
USER-ROLE ASSIGNMENT CAN-REVOKE-USER

• ARole Role Range
• PSO1 E1,PL1)
• PSO2 E2,PL2)
• DSO (ED,DIR)
• SSO ED,DIR

10
USER-ROLE ASSIGNMENT REVOCATION

• WEAK REVOCATION
• revokes explicit membership only
• STRONG REVOCATION
• revokes explicit and implicit membership
• revocation propagates upwards to senior roles
• defined in terms of weak revoke

11
PERMISSION-ROLE ASSIGNMENT

• dual of user-role assignment
• can-assign-permission
• can-revoke-permission
• weak revoke
• strong revoke (propagates down)

12
PERMISSION-ROLE ASSIGNMENT CAN-ASSIGN-PERMISSION

• ARole Prereq Cond Role Range
• PSO1 PL1 E1,PL1)
• PSO2 PL2 E2,PL2)
• DSO E1 ? E2 ED,ED
• SSO PL1 ? PL2 ED,ED
• SSO ED E,E

13
PERMISSION-ROLE ASSIGNMENT CAN-REVOKE-PERMISSION

• ARole Role Range
• PSO1 E1,PL1
• PSO2 E2,PL2
• DSO (ED,DIR)
• SSO ED,DIR

14
RRA97
UP-roles Users and Permissions
Group roles Users only
Ability roles Permissions only
Extended URA97
RRA97
Extended PRA97
15
RRA97

• OBJECTIVE
• Decentralization of role-role relationships
• Administrative role autonomy within a range.
• Encapsulation of authority Ranges.

16
EXAMPLE ROLE HIERARCHY
Director (DIR)
Project Lead 1 (PL1)
Project Lead 2 (PL2)
Production 1 (P1)
Quality 1 (Q1)
Production 2 (P2)
Quality 2 (Q2)
Engineer 1 (E1)
Engineer 2 (E2)
Engineering Department (ED)
PROJECT 2
PROJECT 1
Employee (E)
17
Range Hierarchy
Range
Create Range
Encap. Range
Authority Range
18
RRA97 - Definitions

• Range
• (x, y) r Roles x lt r lt y
• Authority Range
• A range referenced in can-modify relation
• Junior Authority range
• The range (x, y) is junior to range (x, y) if (
  x ? x ? y ? y) ? ( x gt x ? y gt y)
• The range (x, y) is a senior range

19
RRA97 - Definitions

• Partial Overlap of Ranges
• The ranges Y and Y partially overlap if
• Y ? Y ? ? and
• Y ? Y ? Y ? Y

20
RRA97 - Definitions

• Encapsulated Authority Range
• The authority range (x, y) is said to be
  encapsulated if
• ?r1 ? (x, y) and ?r2 ? (x, y)
• r2 gt r1 ? r2 gt y ?
• r2 lt r1 ? x lt r2

21
Encapsulated Range (x, y)
y
y
r1
r2
r4
r3
x
x
22
Non-encapsulated Range (x, y)
y
y
r1
r2
r4
r3
x
x
23
RRA97 - Definitions

• Set of Authority Ranges
• ?x, y roles (x, y) is an authority range
• Immediate Authority Range of role r
• The authority range (x, y) is immediate authority
  range of role r ? (x, y) if
• ?(x, y) ? set of AR (x, y) ? (x, y) ? r ?
  (x, y)

24
RRA97 - Definitions

• Create Range
• The range (x, y) is a create range if
• (a) ARimmediate(x) ARimmediate(y) ?
• (b) x End point of ARimmediate(y) ?
• (c) y End point of ARimmediate(x)
• Immediate Senior roles
• r1 gt immediate r2 if
• ?r ? roles ? r gt r2 ? ?( r ? r1)

25
Create Range
A
y
y
r1
r2
r4
r3
x
x
B
26
RRA97 - Definitions

• Immediate Junior Roles
• r1 lt immediate r2
• ?r ? roles ? r gt r1 ? ?( r lt r2)
• Inactive Roles
• A user associated to it cannot use it.
• Inheritance of permissions is not affected.
• Permissions and users can be revoked.

27
INSERT ROLE

• Role is inserted one at a time.
• Roles can be inserted only in create range.
• Create-role(r, (x, y)) inserts a role r in create
  range (x, y) such that it is junior to y and
  senior to x.

28
Example Create-role(r, (r1, r2))
y
r
r1
r2
x
29
DELETE ROLE

• Roles referred in can-assign,can-revoke and
  can-modify cannot be deleted.
• Roles can be deleted only if they are empty.

30
DELETE ROLE (Continued)

• RELAXATIONS
• Roles referred in can-assign,can-revoke and
  can-modify can be made inactive.
• Role is deleted only after its permissions are
  assigned to immediate senior and users to
  immediate junior roles.

31
INSERTION OF AN EDGE

• Implied edges are not considered.
• Inserted only between incomparable roles (No
  Cycles)
• Inserted one at a time.
• The edge AB is inserted if
• (a) ARimmediate(A) ARimmediate(B) and
• (b) For a junior authority range (x, y)
• (A y ? B gt x) or (B x ? A lt y) must ensure
  encapsulation of (x, y).

32
DELETION OF AN EDGE

• Deleted one at a time.
• Implied edges are no considered.
• The edges in transitive reduction are candidates
  for deletion.
• Edges connecting the end points of an authority
  range cannot be deleted.
• When edges AB is deleted then necessary edges
  must be inserted to preserve implications.

33
System Calls

• To create a role in create range Y create-role(r,
  Y)
• To delete a role r delete-role(r)
• To add edge AB add-edge(A, B)
• To delete an edge AB delete-edge(A, B)
• To inactivate a role r inactivate-role
  (r)
• To activate a role r Activate-role (r)

34
Strong Deletions

• Strong deletion of role.
• Strong deletion of an edge.