Ravi Sandhu - PowerPoint PPT Presentation

About This Presentation
Title:

Ravi Sandhu

Description:

Laboratory for Information Security Technology (LIST) George Mason University. Role-Based Administration of ... PREVIEW OF WORK IN PROGRESS. role-role hierarchy. user-only roles ... – PowerPoint PPT presentation

Number of Views:24
Avg rating:3.0/5.0
Slides: 29
Provided by: rav67
Category:
Tags: lead | ravi | sandhu | trole

less

Transcript and Presenter's Notes

Title: Ravi Sandhu


1
Role-Based Administration of User-Role
AssignmentThe URA97 Model and its Oracle
Implementation
  • Ravi Sandhu
  • Venkata Bhamidipati
  • Laboratory for Information Security Technology
    (LIST)
  • George Mason University

2
OUTLINE
  • RBAC96 review
  • URA97 model
  • URA97 Oracle implementation
  • Closing remarks

3
RBAC96
ROLES
PERMISSIONS
USERS
CONSTRAINTS
SESSIONS
ADMIN ROLES
ADMIN PERMISSIONS
4
RBAC96 RBAC0
ROLES
PERMISSIONS
USERS
SESSIONS
5
RBAC96 RBAC1
ROLES
PERMISSIONS
USERS
SESSIONS
6
RBAC96 RBAC2
ROLES
PERMISSIONS
USERS
CONSTRAINTS
SESSIONS
7
RBAC96 RBAC3
ROLES
PERMISSIONS
USERS
CONSTRAINTS
SESSIONS
8
RBAC96
ROLES
PERMISSIONS
USERS
CONSTRAINTS
SESSIONS
ADMIN ROLES
ADMIN PERMISSIONS
9
RBAC96
10
SCALE AND RATE OF CHANGE
  • roles 100s or 1000s
  • users 1000s or 10,000s or more
  • Frequent changes to
  • user-role assignment
  • permission-role assignment
  • Less frequent changes for
  • role hierarchy

11
ADMINISTRATIVE RBAC
  • user-role assignment
  • permission-role assignment
  • role-role hierarchy

12
EXAMPLE ROLE HIERARCHY
Director (DIR)
Project Lead 1 (PL1)
Project Lead 2 (PL2)
Production 1 (P1)
Quality 1 (Q1)
Production 2 (P2)
Quality 2 (Q2)
Engineer 1 (E1)
Engineer 2 (E2)
Engineering Department (ED)
PROJECT 2
PROJECT 1
Employee (E)
13
EXAMPLE ADMINISTRATIVE ROLE HIERARCHY
Senior Security Officer (SSO)
Department Security Officer (DSO)
Project Security Officer 1 (PSO1)
Project Security Officer 2 (PSO2)
14
URA97 GRANT MODELcan-assign
  • ARole Prereq Role Role Range
  • PSO1 ED E1,PL1)
  • PSO2 ED E2,PL2)
  • DSO ED (ED,DIR)
  • SSO E ED,ED
  • SSO ED (ED,DIR

15
URA97 GRANT MODEL can-assign
  • ARole Prereq Cond Role Range
  • PSO1 ED E1,E1
  • PSO1 ED P1 Q1,Q1
  • PSO1 ED Q1 P1,P1
  • PSO2 ED E2,E2
  • PSO2 ED P2 Q2,Q2
  • PSO2 ED Q2 P2,P2

16
URA97 GRANT MODEL
  • redundant assignments to senior and junior
    roles
  • are allowed
  • are useful

17
URA97 REVOKE MODEL
  • WEAK REVOCATION
  • revokes explicit membership in a role
  • independent of who did the assignment

18
URA97 REVOKE MODEL
  • STRONG REVOCATION
  • revokes explicit membership in a role and its
    seniors
  • authorized only if corresponding weak revokes are
    authorized
  • alternatives
  • all-or-nothing
  • revoke within range

19
URA97 REVOKE MODEL can-revoke
  • ARole Role Range
  • PSO1 E1,PL1)
  • PSO2 E2,PL2)
  • DSO (ED,DIR)
  • SSO ED,DIR

20
ORACLE ROLES
  • support RBAC1
  • administrative model has strong discretionary
    flavor
  • administrative authority on role implies
  • can grant role to any user or role
  • can grant role to any role
  • anyone with grant option on a permission can
    grant it to any role

21
URA97 IN ORACLE
  • administrative option for all roles is retained
    solely with DBA
  • never given to any user
  • use generic stored procedures with URA97
    can-assign and can-revoke implemented as relations

22
URA97 IN ORACLE
  • Oracle primitives for traversing role hierarchy
    need to be extended

23
can-assign in dnfER DIAGRAM
CAN_ASSIGN
CAN_ASSIGN2
Admin Role PreCondition Min_Int Min Role Max
Role Max_Int
PreCondition AND set name NOT set name
CAN_ASSIGN4
CAN_ASSIGN3
NOT set name NOT roles
AND set name AND roles
24
can-revokeRELATION
CAN_REVOKE
Admin Role Min_Int Min Role Max Role Max_Int
25
ORACLE STORED PROCEDURES
  • can extend Oracle access control model
  • limitation
  • stored procedure can determine who the user is
    BUT
  • cannot determine active roles of the user

26
URA97 STORED PROCEDURES
  • ASSIGN(user, trole, arole)
  • WEAK_REVOKE(user, trole, arole)
  • STRONG_REVOKE(user, trole, arole)
  • user user being added to trole
  • trole target role
  • arole administrative role used for this
    operation
  • due to Oracle limitations

27
CLOSING REMARKSPREVIEW OF WORK IN PROGRESS
  • user-role assignment
  • URA97 and Oracle, this paper
  • other platforms
  • permission-role assignment
  • PRA97, dual of URA97
  • Oracle implementation

28
CLOSING REMARKSPREVIEW OF WORK IN PROGRESS
  • role-role hierarchy
  • user-only roles (groups) like URA97
  • permission-only roles like PRA97
  • user and permission roles RRA97
Write a Comment
User Comments (0)
About PowerShow.com