ISA 662
RBAC-MAC-DAC
Prof. Ravi Sandhu
2 © Ravi Sandhu
RBAC96
(model diagram) USERS, ROLES, PERMISSIONS and SESSIONS, linked by USER-ROLE ASSIGNMENT and PERMISSION-ROLE ASSIGNMENT, with ROLE HIERARCHIES and CONSTRAINTS.
HIERARCHICAL ROLES
(diagram) Engineer at the bottom; Hardware Engineer and Software Engineer above it; Supervising Engineer at the top, senior to both.
WHAT IS THE POLICY IN RBAC?
• RBAC is policy neutral
• Role hierarchies facilitate security management
• Constraints facilitate non-discretionary policies
LBAC: LIBERAL *-PROPERTY
(lattice diagram) H at the top, M1 and M2 incomparable below it, L at the bottom. Read is permitted downward (+) and not upward (-); Write is permitted upward (+) and not downward (-).
RBAC96: LIBERAL *-PROPERTY
(diagram, two role hierarchies) Read roles: HR at the top, M1R and M2R below it, LR at the bottom. Write roles, inverted: LW at the top, M1W and M2W below it, HW at the bottom. Read (+) and Write (-/+) permissions flow along these hierarchies.
RBAC96: LIBERAL *-PROPERTY
• user assigned to xR, where x is the user's clearance
• user assigned to LW, independent of clearance
• Need constraints:
  • session activates xR iff session activates xW
  • read can be assigned only to xR roles
  • write can be assigned only to xW roles
  • (O,read) assigned to xR iff (O,write) assigned to xW
LBAC: STRICT *-PROPERTY
(lattice diagram) H at the top, M1 and M2 incomparable below it, L at the bottom. Read is permitted downward (+) and not upward (-); Write is permitted only at the subject's own level (+).
RBAC96: STRICT *-PROPERTY
(diagram) Read roles as before: HR at the top, M1R and M2R below it, LR at the bottom. Write roles LW, HW, M1W and M2W are mutually incomparable (no write hierarchy).
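The two constructions on slides 5 to 9 can be checked mechanically. The following is an added example written for this page, not code from the slides or from Prof. Sandhu: it builds the xR and xW role hierarchies over a constructed four-level lattice (H above M1 and M2, both above L), applies the user-role and session constraints of slide 7, and answers read/write queries for both the liberal and the strict *-property. The user-role rule for the strict variant (direct assignment to every yW dominated by the clearance) is this example's own assumption, since the slides give no rule for it.

```python
# Added example (not from the slides): RBAC96 role hierarchies that reproduce
# LBAC's liberal and strict *-property, as sketched on slides 5-9.
# The lattice, the xR / xW role names and the user-role rule for the strict
# variant are this example's own constructions and assumptions.
from itertools import product

# Security lattice: H dominates M1 and M2, both dominate L; M1 and M2 are incomparable.
LEVELS = ("H", "M1", "M2", "L")
_DOM = {("H", "M1"), ("H", "M2"), ("H", "L"), ("M1", "L"), ("M2", "L")}


def dominates(a, b):
    """True if level a is at least as high as level b in the lattice."""
    return a == b or (a, b) in _DOM


def role_hierarchy(strict):
    """Map each role to the set of roles it is senior to (itself included).

    Read roles mirror the lattice: HR on top, LR at the bottom (read down).
    Liberal write roles invert it: LW on top, HW at the bottom (write up).
    Strict write roles are mutually incomparable: write at own level only.
    """
    juniors = {}
    for x, y in product(LEVELS, LEVELS):
        if dominates(x, y):
            juniors.setdefault(f"{x}R", set()).add(f"{y}R")
        write_senior = (x == y) if strict else dominates(y, x)
        if write_senior:
            juniors.setdefault(f"{x}W", set()).add(f"{y}W")
    return juniors


def user_roles(clearance, strict):
    """User-role assignment.  Liberal (slide 7): xR for clearance x, plus LW for
    everyone.  Strict: the slides give no rule, so this example assumes a direct
    assignment to every yW with y dominated by x, because the flat write
    hierarchy cannot supply those roles by inheritance."""
    roles = {f"{clearance}R"}
    if strict:
        roles |= {f"{y}W" for y in LEVELS if dominates(clearance, y)}
    else:
        roles.add("LW")
    return roles


def session_roles(clearance, level, strict):
    """Open a session at `level`: activate xR and xW together (constraint: a
    session holds xR iff it holds xW).  Returns the effective role set, closed
    under the hierarchy, or None if the user cannot activate both roles."""
    juniors = role_hierarchy(strict)
    authorized = set().union(*(juniors[r] for r in user_roles(clearance, strict)))
    wanted = {f"{level}R", f"{level}W"}
    if not wanted <= authorized:
        return None
    return set().union(*(juniors[r] for r in wanted))


def object_permissions(obj_level):
    """Permission-role assignment: (O,read) goes to xR iff (O,write) goes to xW."""
    return {"read": f"{obj_level}R", "write": f"{obj_level}W"}


def allowed(clearance, level, strict, op, obj_level):
    """Can a session of a user cleared to `clearance`, running at `level`,
    perform `op` on an object classified at `obj_level`?"""
    roles = session_roles(clearance, level, strict)
    return roles is not None and object_permissions(obj_level)[op] in roles


if __name__ == "__main__":
    for strict in (False, True):
        print("strict" if strict else "liberal", "*-property, clearance H, session at M1")
        for obj in LEVELS:
            r = allowed("H", "M1", strict, "read", obj)
            w = allowed("H", "M1", strict, "write", obj)
            print(f"  object {obj:>2}: read={r!s:5} write={w}")
```

Running the module prints the access matrix for a session at M1: under the liberal property it can read L and M1 and write M1 and H, under the strict property the only writable level is M1. A session at H opened by a user cleared only to M1 is refused outright because HR is not junior to M1R, which is the session constraint doing its job.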
Variations of DAC
• Strict DAC
• Liberal DAC
Strict DAC
Only the owner has discretionary authority to grant access to an object.
Example: Alice has created an object (she is the owner) and grants access to Bob. Bob cannot now propagate the access to another user.
Liberal DAC
Owner can delegate discretionary authority for granting access to other users.
• One Level Grant
• Two Level Grant
• Multilevel Grant
One Level Grant
Owner can delegate authority to another user, but they cannot further delegate this power.
(diagram) Alice delegates to Bob; Bob grants access to Charles; Charles cannot grant further.
Two Level Grant
In addition to a one-level grant, the owner can allow some users to delegate grant authority to other users.
(diagram) Alice delegates to Bob; Bob delegates to Charles; Charles grants access to Dorothy.
Revocation
• Grant-Independent Revocation
• Grant-Dependent Revocation
Common Aspects
Creation of an object in the system requires the simultaneous creation of three administrative roles
• OWN_O, PARENT_O, PARENTwithGRANT_O
and one regular role
• READ_O
(diagram) Administration of roles associated with object O: OWN_O, PARENTwithGRANT_O, PARENT_O and READ_O.
(diagram) Administrative role hierarchy: OWN_O senior to PARENTwithGRANT_O, which is senior to PARENT_O.
Common Aspects II
We require simultaneous creation of eight permissions:
• canRead_O
• destroyObject_O
• addReadUser_O, deleteReadUser_O
• addParent_O, deleteParent_O
• addParentWithGrant_O, deleteParentWithGrant_O
Roles and associated Permissions
• OWN_O: destroyObject_O, addParentWithGrant_O, deleteParentWithGrant_O
• PARENTwithGRANT_O: addParent_O, deleteParent_O
• PARENT_O: addReadUser_O, deleteReadUser_O
• READ_O: canRead_O
Common Aspects III
Destroying an object O requires deletion of its four roles and eight permissions in addition to destroying the object O itself.
Strict DAC in RBAC96
Cardinality constraints:
• Role OWN_O = 1
• Role PARENTwithGRANT_O = 0
• Role PARENT_O = 0
One Level DAC in RBAC96
Cardinality constraints:
• Role OWN_O = 1
• Role PARENTwithGRANT_O = 0
Two Level DAC in RBAC96
Cardinality constraints:
• Role OWN_O = 1
(diagram) Per-user administrative and regular roles: U1_PARENT_O, U2_PARENT_O, ..., Un_PARENT_O, each paired with its own U1_READ_O, U2_READ_O, ..., Un_READ_O.
READ_O role associated with members of PARENT_O
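Slides 16 to 24 describe, for a single object O, the four roles, the eight permissions, the administrative hierarchy, the cardinality constraints that select strict, one-level or two-level DAC, and the per-user read roles behind grant-dependent revocation. The following is an added example written for this page, not code from the slides: a small class that creates all of that with the object and enforces it on every grant and revoke. Its method names, the `variant` and `grant_dependent` parameters, and the way the Ui_READ_O roles of slide 24 are modelled (a private reader set per parent, whose union is READ_O) are this example's own assumptions.

```python
# Added example (not from the slides): one object O administered through the
# RBAC96 roles, permissions, administrative hierarchy and cardinality
# constraints of slides 16-24.  The class, its method names and the modelling
# of grant-dependent revocation (a private reader set per parent, standing in
# for the Ui_READ_O roles of slide 24) are this example's own assumptions.

ADMIN_HIERARCHY = ("OWN_O", "PARENTwithGRANT_O", "PARENT_O")  # most senior first

ROLE_PERMISSIONS = {  # slide 19: the eight permissions created together with O
    "OWN_O": {"destroyObject_O", "addParentWithGrant_O", "deleteParentWithGrant_O"},
    "PARENTwithGRANT_O": {"addParent_O", "deleteParent_O"},
    "PARENT_O": {"addReadUser_O", "deleteReadUser_O"},
    "READ_O": {"canRead_O"},
}

CARDINALITY = {  # slides 21-23: maximum membership per role; absent means unlimited
    "strict": {"OWN_O": 1, "PARENTwithGRANT_O": 0, "PARENT_O": 0},
    "one-level": {"OWN_O": 1, "PARENTwithGRANT_O": 0},
    "two-level": {"OWN_O": 1},
}


class ObjectDAC:
    """The four roles and eight permissions that exist for as long as O does."""

    def __init__(self, owner, variant="two-level", grant_dependent=False):
        self.variant = variant
        self.grant_dependent = grant_dependent
        self.members = {role: set() for role in ROLE_PERMISSIONS}
        self.members["OWN_O"].add(owner)
        self.readers_by_grantor = {}  # parent Ui -> readers Ui admitted (Ui_READ_O)
        self.destroyed = False

    def roles_of(self, user):
        """Direct memberships plus everything inherited down the admin hierarchy."""
        roles = {r for r, members in self.members.items() if user in members}
        for i, senior in enumerate(ADMIN_HIERARCHY):
            if senior in roles:
                roles.update(ADMIN_HIERARCHY[i:])
        return roles

    def has_permission(self, user, perm):
        return not self.destroyed and any(
            perm in ROLE_PERMISSIONS[r] for r in self.roles_of(user))

    def _add_member(self, actor, perm, role, user):
        """Shared path for the add* permissions: authorise, then enforce cardinality."""
        if not self.has_permission(actor, perm):
            return False
        limit = CARDINALITY[self.variant].get(role)
        if limit is not None and len(self.members[role] | {user}) > limit:
            return False
        self.members[role].add(user)
        return True

    def add_parent_with_grant(self, actor, user):
        return self._add_member(actor, "addParentWithGrant_O", "PARENTwithGRANT_O", user)

    def add_parent(self, actor, user):
        return self._add_member(actor, "addParent_O", "PARENT_O", user)

    def add_read_user(self, actor, user):
        if not self._add_member(actor, "addReadUser_O", "READ_O", user):
            return False
        self.readers_by_grantor.setdefault(actor, set()).add(user)
        return True

    def delete_read_user(self, actor, user):
        """Grant-independent: any holder of deleteReadUser_O can revoke any reader.
        Grant-dependent: a parent can revoke only readers it admitted itself."""
        if not self.has_permission(actor, "deleteReadUser_O"):
            return False
        grantors = [actor] if self.grant_dependent else list(self.readers_by_grantor)
        revoked = False
        for g in grantors:
            if user in self.readers_by_grantor.get(g, ()):
                self.readers_by_grantor[g].discard(user)
                revoked = True
        # READ_O is the union of the per-grantor reader sets (the Ui_READ_O roles)
        self.members["READ_O"] = set().union(*self.readers_by_grantor.values())
        return revoked

    def can_read(self, user):
        return self.has_permission(user, "canRead_O")

    def destroy(self, actor):
        """Slide 20: destroying O removes its four roles and eight permissions as well."""
        if not self.has_permission(actor, "destroyObject_O"):
            return False
        self.members = {role: set() for role in ROLE_PERMISSIONS}
        self.readers_by_grantor.clear()
        self.destroyed = True
        return True
```

With `variant="strict"` the owner is the only user who can ever hold addReadUser_O, because the zero caps on PARENT_O and PARENTwithGRANT_O reject every delegation; with `"one-level"` Alice can make Bob a parent who admits readers but cannot delegate further; with `"two-level"` Bob can be given PARENTwithGRANT_O and appoint Charles as a parent, reproducing the Alice, Bob, Charles, Dorothy chain of slide 14. Switching `grant_dependent` on changes nothing about who may read, only who may revoke.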