Ravi Sandhu

1
Role-Based Administration of User-Role
AssignmentThe URA97 Model and its Oracle
Implementation

• Ravi Sandhu
• Venkata Bhamidipati
• Laboratory for Information Security Technology
  (LIST)
• George Mason University

2
OUTLINE

• RBAC96 review
• URA97 model
• URA97 Oracle implementation
• Closing remarks

3
RBAC96
ROLES
PERMISSIONS
USERS
CONSTRAINTS
SESSIONS
ADMIN ROLES
ADMIN PERMISSIONS
4
RBAC96 RBAC0
ROLES
PERMISSIONS
USERS
SESSIONS
5
RBAC96 RBAC1
ROLES
PERMISSIONS
USERS
SESSIONS
6
RBAC96 RBAC2
ROLES
PERMISSIONS
USERS
CONSTRAINTS
SESSIONS
7
RBAC96 RBAC3
ROLES
PERMISSIONS
USERS
CONSTRAINTS
SESSIONS
8
RBAC96
ROLES
PERMISSIONS
USERS
CONSTRAINTS
SESSIONS
ADMIN ROLES
ADMIN PERMISSIONS
9
RBAC96
10
SCALE AND RATE OF CHANGE

• roles 100s or 1000s
• users 1000s or 10,000s or more
• Frequent changes to
• user-role assignment
• permission-role assignment
• Less frequent changes for
• role hierarchy

11
ADMINISTRATIVE RBAC

• user-role assignment
• permission-role assignment
• role-role hierarchy

12
EXAMPLE ROLE HIERARCHY
Director (DIR)
Project Lead 1 (PL1)
Project Lead 2 (PL2)
Production 1 (P1)
Quality 1 (Q1)
Production 2 (P2)
Quality 2 (Q2)
Engineer 1 (E1)
Engineer 2 (E2)
Engineering Department (ED)
PROJECT 2
PROJECT 1
Employee (E)
13
EXAMPLE ADMINISTRATIVE ROLE HIERARCHY
Senior Security Officer (SSO)
Department Security Officer (DSO)
Project Security Officer 1 (PSO1)
Project Security Officer 2 (PSO2)
14
URA97 GRANT MODELcan-assign

• ARole Prereq Role Role Range
• PSO1 ED E1,PL1)
• PSO2 ED E2,PL2)
• DSO ED (ED,DIR)
• SSO E ED,ED
• SSO ED (ED,DIR

15
URA97 GRANT MODEL can-assign

• ARole Prereq Cond Role Range
• PSO1 ED E1,E1
• PSO1 ED P1 Q1,Q1
• PSO1 ED Q1 P1,P1
• PSO2 ED E2,E2
• PSO2 ED P2 Q2,Q2
• PSO2 ED Q2 P2,P2

16
URA97 GRANT MODEL

• redundant assignments to senior and junior
  roles
• are allowed
• are useful

17
URA97 REVOKE MODEL

• WEAK REVOCATION
• revokes explicit membership in a role
• independent of who did the assignment

18
URA97 REVOKE MODEL

• STRONG REVOCATION
• revokes explicit membership in a role and its
  seniors
• authorized only if corresponding weak revokes are
  authorized
• alternatives
• all-or-nothing
• revoke within range

19
URA97 REVOKE MODEL can-revoke

• ARole Role Range
• PSO1 E1,PL1)
• PSO2 E2,PL2)
• DSO (ED,DIR)
• SSO ED,DIR

20
ORACLE ROLES

• support RBAC1
• administrative model has strong discretionary
  flavor
• administrative authority on role implies
• can grant role to any user or role
• can grant role to any role
• anyone with grant option on a permission can
  grant it to any role

21
URA97 IN ORACLE

• administrative option for all roles is retained
  solely with DBA
• never given to any user
• use generic stored procedures with URA97
  can-assign and can-revoke implemented as relations

22
URA97 IN ORACLE

• Oracle primitives for traversing role hierarchy
  need to be extended

23
can-assign in dnfER DIAGRAM
CAN_ASSIGN
CAN_ASSIGN2
Admin Role PreCondition Min_Int Min Role Max
Role Max_Int
PreCondition AND set name NOT set name
CAN_ASSIGN4
CAN_ASSIGN3
NOT set name NOT roles
AND set name AND roles
24
can-revokeRELATION
CAN_REVOKE
Admin Role Min_Int Min Role Max Role Max_Int
25
ORACLE STORED PROCEDURES

• can extend Oracle access control model
• limitation
• stored procedure can determine who the user is
  BUT
• cannot determine active roles of the user

26
URA97 STORED PROCEDURES

• ASSIGN(user, trole, arole)
• WEAK_REVOKE(user, trole, arole)
• STRONG_REVOKE(user, trole, arole)
• user user being added to trole
• trole target role
• arole administrative role used for this
  operation
• due to Oracle limitations

27
CLOSING REMARKSPREVIEW OF WORK IN PROGRESS

• user-role assignment
• URA97 and Oracle, this paper
• other platforms
• permission-role assignment
• PRA97, dual of URA97
• Oracle implementation

28
CLOSING REMARKSPREVIEW OF WORK IN PROGRESS

• role-role hierarchy
• user-only roles (groups) like URA97
• permission-only roles like PRA97
• user and permission roles RRA97