1

Role-Based Access ControlStandard

ANSI INCITS 359-2004

James Joshi, Associate Professor

University of Pittsburgh

Access Control Access Control refers to

Ensuring principals are allowed or denied privileges to access resources

Basic Access Control Matrix model

Subjects: Active entities (rows) E.g., user processes

Objects: Passive entities (columns) E.g., files

Rights: refers to access mode entries in each matrix cell representing what

action a subject can perform on the corresponding object

2

Confidentiality

Authorized to read

IntegrityAuthorized to modify

Access Control Matrix

3

s3 r

s1

f1 f2 f3 f4 f5 f6

s2

s3

o, r, w

o, r, w

o, r, w o, r, w

o, r, w

o, r, w

r

r

r r

w

f1

f2

f3

f4

f6

s2

s1 o, r, w s2 r

s1 o, r, w s3 r

s3 o, r, w

f5 s2 o, r, w s3 r s1 w

s3 o, r, w

f5 w s1 f2 o, r, w f3 o, r, w

f2 r s2 f1 o, r, w f5 o, r, w

f3 r s3 f4 o, r, wf2 r

f5 r f6 o, r, w

o: ownr: readw:write

Access Matrix

Access Control ListCapabilities

o, r, w

Access Control Models Several models exist

Discretionary Access Control (DAC) Model Users can give rights to other users

Mandatory Access Control (MAC) model System enforces mandatory rules

Some modelsBell LaPadula model Biba model of integrityClark-wilson model Chinese wall model

DAC is too flexible and MAC is often too restrictive

Researchers have looked for more flexible and more expressive models

RBAC has been considered a better 4

5

Access control in organizations is based on “roles that individual users take on as part of the organization”

Access depends on function, not identity

Example: Allison is bookkeeper for Math Dept. She has access to financial records. She leaves and Betty is hired as bookkeeper The role of “bookkeeper” dictates access, not the identity of the individual.

A role is “is a collection of permissions”

RBAC: Role Based Access Control

BK

A

Accessprivileges

B

6

RBAC – two key advantages

u1

u2

un

o1

o2

om

u1

u2

un

o1

o2

om

Roler

n + massignments

n massignments

Users Permission Users Permissions

(a) (b)

Total number Of assignments

n + m

Total number Of assignments

n x m

Administrator

Employee

Engineer

SeniorEngineer

SeniorAdministrator

Manager

Role hierarchy

7

RBAC standard Standards efforts

Annual ACM RBAC Workshop – in 1990s NIST Standard proposed in 2001 (TISSEC) XACML Profile for RBAC ANSI INCITS 359-2004 RBAC standard in

2004 The ANSI standard consists of two parts

Reference Model System and Administrative Functional

Specification

8

ANSI RBAC standard – Reference Model

Reference Model Basic elements of the model

Users, Roles, Permissions, Relationships

Four model components Core RBAC Hierarchical RBAC Static Separation of Duty RBAC Dynamic Separation of Duty RBAC

9

Permissions

Core RBAC

Users Roles Operations Objects

Sessions

UA

user_sessions(one-to-many)

role_sessions(many-to-many)

PA

10

Core RBAC (relations) Permissions = 2Operations x

Objects

UA ⊆ Users x Roles

PA ⊆ Permissions x Roles

assigned_users: Roles 2Users

assigned_permissions: Roles 2Permissions

Op(p): set of operations associated with permission p

Ob(p): set of objects associated with permission p

user_sessions: Users 2Sessions

session_user: Sessions Users

session_roles: Sessions 2Roles

session_roles(s) = {r | (session_user(s), r) UA)}

avail_session_perms: Sessions 2Permissions

11

Permissions

Hierarchical RBAC

Users Roles Operations Objects

Sessions

UA

user_sessions(one-to-many)

role_sessions(many-to-many)

PA

RH(role hierarchy)

12

Role Hierarchy

General Role Hierarchy Inheritance from multiple roles

allowed Limited Role hierarchy

No multiple inheritances Single immediate descendant

13

General Role Hierarchy A role can inherit from multiple roles

RH ⊆ Roles x Roles is a partial order called the inheritance relation written as ≥.

(r1 ≥ r2) authorized_users(r1) ⊆ authorized_users(r2) &

authorized_permisssions(r2) ⊆ authorized_permisssions(r1)

authorized_users: Roles 2Users

authorized_users(r) = {u | r’ ≥ r &(r’, u) UA}

authorized_permissions: Roles 2Permissions

authorized_permissions(r) = {p | r ≥ r’ &(p, r’) PA}

14

Limited Role Hierarchy Imposes restriction on the immediate

descendents of the general role hierarchy

That is, Limited role hierarchy is a General role hierarchy with the following limitation

r, r1, r2 , r2 Roles, r ≥ r1 r ≥ r2 r1 r ≥ r2

In Limited Role hierarchy, a role can have only one descendent

15

Example

Administrator

Employee

Engineer

SeniorEngineer

SeniorAdministrator

Manager

px, py

p1, p2

pa, pb

e1, e2

e3, e4

e5

e6, e7

e8, e9

e10

pm, pn

po

pp

authorized_users(Employee)?authorized_users(Administrator)?authorized_permissions(Employee)? authorized_permissions(Administrator)?

authorized_users(Employee)?authorized_users(Administrator)?authorized_permissions(Employee)? authorized_permissions(Administrator)?

16

Constrained RBAC:SSD RBAC & DSD RBAC

Permissions

Users Roles Operations Objects

Sessions

UA

user_sessions(one-to-many)

PA

RH(role hierarchy)Static

Separation of Duty

DynamicSeparation

of Duty

17

Separation of Duty

SoD Security principle Widely recognized Captures conflict of interest policies

to restrict authority of a single authority

Prevent Fraud

Example, A single person should not be allowed

to “approve a check” & “cash it”

18

Static Separation of Duty

SSD ⊆2Roles x N In absence of hierarchy

Collection of pairs (RS, n) where RS is a role set, n ≥ 2for all (RS, n) SSD, for all t ⊆RS:

|t| ≥ n ∩rt assigned_users(r)=

Example Assume u1, u2, u3 are assigned to r1 Assume u2, u4 are assigned to r2 Is ({r1, r2}, 2) SSD valid?

Example: ({r1, r2}, 2) SSD

19

Static Separation of Duty

SSD ⊆2Roles x N In presence of hierarchy

Collection of pairs (RS, n) where RS is a role set, n ≥ 2;

for all (RS, n) SSD, for all t ⊆RS: |t| ≥ n ∩rt authorized_uers(r)=

Example Assume u1, u2, u3 are assigned to r1 Assume u4 are assigned to r2 Is ({r1, r2}, 2) DSD valid? What if u2 is assigned to r3 and r3 ≥ r2

Example: ({r1, r2, r3}, 2) SSD

20

Dynamic Separation of Duty DSD ⊆2Roles x N

Collection of pairs (RS, n) where RS is a role set, n ≥ 2;

A user cannot activate n or more roles from RS What is the difference between SSD or DSD

containing:(RS, n)?

Consider (RS, n) = ({r1, r2, r3}, 2)? If SSD – can r1, r2 and r3 be assigned to u? If DSD – can r1, r2 and r3 be assigned to u?

21

ANSI RBAC standard – Functional specification

Administrative operations Creation and maintenance of sets and

relations Administrative review functions

To perform administrative queries System level functionality

Creating and managing RBAC attributes on user sessions and making access decisions

22

Functional components for CORE RBAC Administrative commands

AddUser Delete User AddRole Delete Role GrantPermissions RevokePermissions AssignUser DeassignUser CreateSession DeleteSession AddActiveRole DropActiveRole

Supporting System functins CreateSession, DeleteSession, AddActiveRole,

DropActive Role, CheckAccess

23

Functional components for CORE RBAC Review functions

AssignedUSers AssignedRoles RolePermissions UserPermissions SessionRoles SessionPermissions RoleOperationsOnObject UserOperationOnObject

For other RBAC Extended/redefined set with regards to

inheritance Extended/redefined with regards to

SSD/DSD

24

Functional Specification Package

Methodology for Creating functional packages

CoreRBAC

Hierarchical RBAC

(a) General

(b) Limited

DSD Relations

SSD Relations(a) w/Hierachy(b)wo/Hierarchy

25

Advantages of RBAC Allows Efficient Security Management

Administrative roles, Role hierarchy Principle of least privilege allows

minimizing damage Separation of Duty constraints to

prevent fraud Allows grouping of objects / users Policy-neutral - Provides generality Encompasses DAC and MAC policies

26

RBAC’s Economic Benefits

27

Cost Benefits

Saves about 7.01 minutes per employee, per year in administrative functions Assume Average IT admin salary -

$59.27 per hour The annual cost saving is:

$6,924/1000; $692,471/100,000

28

Quantified Economic Benefits

NIST did an economic benefit survey analysis in 2009 More efficient provisioning by network

and systems administrators, Reduced employee downtime from

more efficient provisioning, and More efficient access control policy

maintenance and certification

29

Quantified Economic Benefits Quantified economic benefits of RBAC for

adopting firms, per employee

From NIST Report: 2010 Economic Analysis of Role-Based Access Control

30

RBAC Extensions Several Extensions have been made to

make RBAC applicable to different application scenarios TRBAC/GTRBAC (time based RBAC0 LoT/Geo RBAC (Location based) GeoSocial RBAC Privacy aware RBAC Etc.

31

Summary

Overview of ANSI RBAC standard Four component models Functional Specification Advantages and Economic benefits