Role-Based Administration of User-Role Assignment:
The URA97 Model and its Oracle Implementation
Ravi Sandhu
Venkata Bhamidipati
Laboratory for Information Security Technology (LIST)
George Mason University
© Ravi Sandhu 1997
OUTLINE
RBAC96 review
URA97 model
URA97 Oracle implementation
Closing remarks
RBAC96
[figure: the RBAC96 model with USERS, ROLES, PERMISSIONS, SESSIONS and CONSTRAINTS, plus the parallel ADMINROLES and ADMINPERMISSIONS used to administer it]
RBAC96: RBAC0
[figure: USERS, ROLES, PERMISSIONS and SESSIONS only; the base model with flat roles]
RBAC96: RBAC1
[figure: RBAC0 plus a role hierarchy, drawn as a partial order on ROLES]
RBAC96: RBAC2
[figure: RBAC0 plus CONSTRAINTS]
RBAC96: RBAC3
[figure: role hierarchy and CONSTRAINTS together]
RBAC96 and its administrative counterpart
[figure: two lattices side by side. RBAC0 at the bottom, RBAC1 and RBAC2 above it, RBAC3 at the top; ARBAC0, ARBAC1, ARBAC2 and ARBAC3 arranged the same way]
SCALE AND RATE OF CHANGE
roles: 100s or 1000s
users: 1000s or 10,000s or more
Frequent changes to user-role assignment and permission-role assignment
Less frequent changes to the role hierarchy
ADMINISTRATIVE RBAC
Three things to administer: user-role assignment, permission-role assignment, role-role hierarchy
EXAMPLE ROLE HIERARCHY
[figure: a lattice of roles with senior roles drawn above junior ones; x < y means y is senior to x and inherits its permissions]
Employee (E) < Engineering Department (ED)
PROJECT 1: ED < Engineer 1 (E1) < Production 1 (P1), Quality 1 (Q1) < Project Lead 1 (PL1)
PROJECT 2: ED < Engineer 2 (E2) < Production 2 (P2), Quality 2 (Q2) < Project Lead 2 (PL2)
PL1, PL2 < Director (DIR)
EXAMPLE ADMINISTRATIVE ROLE HIERARCHY
Project Security Officer 1 (PSO1), Project Security Officer 2 (PSO2) < Department Security Officer (DSO) < Senior Security Officer (SSO)
URA97 GRANT MODEL: can-assign

| Admin Role | Prerequisite Role | Role Range |
|---|---|---|
| PSO1 | ED | [E1,PL1) |
| PSO2 | ED | [E2,PL2) |
| DSO | ED | (ED,DIR) |
| SSO | E | [ED,ED] |
| SSO | ED | (ED,DIR] |

A row (arole, prereq, range) lets a member of arole, or of an administrative role senior to it, assign a user who already holds prereq to any role in the range. Ranges are intervals of the role hierarchy: [x,y] includes both endpoints, (x,y) excludes both, so [E1,PL1) is E1, P1 and Q1 but not PL1, and (ED,DIR) is every role strictly between ED and DIR.
URA97 GRANT MODEL: can-assign with prerequisite conditions

| Admin Role | Prerequisite Condition | Role Range |
|---|---|---|
| PSO1 | ED | [E1,E1] |
| PSO1 | ED & ¬P1 | [Q1,Q1] |
| PSO1 | ED & ¬Q1 | [P1,P1] |
| PSO2 | ED | [E2,E2] |
| PSO2 | ED & ¬P2 | [Q2,Q2] |
| PSO2 | ED & ¬Q2 | [P2,P2] |

A prerequisite condition is a boolean expression over role membership. x holds if the user is a member of x, explicitly or through a senior role; ¬x holds only if the user is a member of neither x nor any role senior to it. The paired ¬P1 / ¬Q1 rows stop a project security officer from putting the same user into both Production and Quality of one project.
URA97 GRANT MODEL
"Redundant" assignments, i.e. explicit membership in both a senior role and one of its juniors, are allowed, and they are useful: the explicit junior membership survives if the senior membership is later revoked.
URA97 REVOKE MODEL
WEAK REVOCATION revokes explicit membership in a role, independent of who did the assignment. Membership the user still inherits from a senior role is not affected.
URA97 REVOKE MODEL
STRONG REVOCATION revokes explicit membership in a role and in all roles senior to it
authorized only if each of the corresponding weak revokes is authorized
alternatives: all-or-nothing (the whole operation fails if any implied weak revoke is out of range), or revoke only within the administrator's range
URA97 REVOKE MODEL: can-revoke

| Admin Role | Role Range |
|---|---|
| PSO1 | [E1,PL1) |
| PSO2 | [E2,PL2) |
| DSO | (ED,DIR) |
| SSO | [ED,DIR] |
ORACLE ROLES
support RBAC1 (roles can be granted to roles, giving a hierarchy)
the administrative model has a strong discretionary flavor:
administrative authority on a role implies the holder can grant that role to any user or to any role
anyone with the grant option on a permission can grant it to any role
URA97 IN ORACLE
the administrative option on all roles is retained solely by the DBA and is never given to any user
administrators instead call generic stored procedures, with the URA97 can-assign and can-revoke tables implemented as relations
URA97 IN ORACLE
Oracle's primitives for traversing the role hierarchy need to be extended: range and prerequisite checks need the transitive closure of the role graph, not just direct grants
can-assign IN DNF: ER DIAGRAM
[figure: the relations that store can-assign with its prerequisite condition in disjunctive normal form]
CAN_ASSIGN(Admin Role, PreCondition, Min_Int, Min Role, Max Role, Max_Int)
CAN_ASSIGN2(PreCondition, AND set name, NOT set name)
CAN_ASSIGN3(AND set name, AND roles)
CAN_ASSIGN4(NOT set name, NOT roles)
can-revoke RELATION
CAN_REVOKE(Admin Role, Min_Int, Min Role, Max Role, Max_Int)
ORACLE STORED PROCEDURES
can extend the Oracle access control model
limitation: a stored procedure can determine who the calling user is BUT cannot determine the active roles of that user (roles are not enabled inside a definer's-rights procedure, so the procedure sees the caller's identity but not the caller's session roles)
URA97 STORED PROCEDURES
ASSIGN(user, trole, arole)
WEAK_REVOKE(user, trole, arole)
STRONG_REVOKE(user, trole, arole)
user: the user being added to (or removed from) trole
trole: the target role
arole: the administrative role the caller invokes for this operation; it is passed explicitly because of the Oracle limitation above, so the procedure must still verify that the caller actually holds arole, otherwise the parameter is only a claim
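The grant rules of the two can-assign slides, the weak and strong revocation of the revoke slides, and the three procedure signatures on this slide, as one added Python example. It is not code from the paper or from its Oracle implementation: it models the two example hierarchies from the slides in memory, keeps the PSO1, DSO and SSO can-assign rows (the PSO2 rows mirror PSO1 and are omitted), and takes the administrative role as an explicit arole argument the way the stored procedures do, checking that the caller actually holds it. The users u1, alice, bob and carol and their assignments are constructed for the walk-through.

```python
"""URA97 can-assign / can-revoke evaluator over the talk's example hierarchies. Added example."""
ROLE_EDGES = [  # regular role hierarchy as (junior, senior) pairs, read off the hierarchy slide
    ("E", "ED"), ("ED", "E1"), ("E1", "P1"), ("E1", "Q1"), ("P1", "PL1"), ("Q1", "PL1"),
    ("ED", "E2"), ("E2", "P2"), ("E2", "Q2"), ("P2", "PL2"), ("Q2", "PL2"),
    ("PL1", "DIR"), ("PL2", "DIR")]
ADMIN_EDGES = [("PSO1", "DSO"), ("PSO2", "DSO"), ("DSO", "SSO")]
# can-assign rows (admin role, prerequisite in DNF, range); a literal is (role, negated). PSO2 omitted.
CAN_ASSIGN = [
    ("PSO1", [[("ED", False)]], "[E1,E1]"),
    ("PSO1", [[("ED", False), ("P1", True)]], "[Q1,Q1]"),
    ("PSO1", [[("ED", False), ("Q1", True)]], "[P1,P1]"),
    ("DSO", [[("ED", False)]], "(ED,DIR)"),
    ("SSO", [[("E", False)]], "[ED,ED]"),
    ("SSO", [[("ED", False)]], "(ED,DIR]")]
CAN_REVOKE = [("PSO1", "[E1,PL1)"), ("PSO2", "[E2,PL2)"), ("DSO", "(ED,DIR)"), ("SSO", "[ED,DIR]")]

def seniors(edges, role):
    """The role itself plus every role senior to it (reflexive transitive closure)."""
    seen, stack = {role}, [role]
    while stack:
        r = stack.pop()
        for junior, senior in edges:
            if junior == r and senior not in seen:
                seen.add(senior)
                stack.append(senior)
    return seen

def in_range(role, rng):
    """lo <= role <= hi in the partial order; '[' / ']' include the endpoint, '(' / ')' exclude it."""
    lo, hi = rng[1:-1].split(",")
    if role not in seniors(ROLE_EDGES, lo) or hi not in seniors(ROLE_EDGES, role):
        return False
    return not ((role == lo and rng[0] == "(") or (role == hi and rng[-1] == ")"))

def explicit(ua, user):
    return {r for u, r in ua if u == user}

def is_member(ua, user, role):
    """Explicit or implicit membership: the user holds `role` or some role senior to it."""
    return bool(seniors(ROLE_EDGES, role) & explicit(ua, user))

def satisfies(ua, user, dnf):
    """x holds if the user is a member of x; not-x only if the user holds neither x nor any senior."""
    return any(all(is_member(ua, user, r) != neg for r, neg in clause) for clause in dnf)

def usable(aua, admin, arole, row_role):
    """Caller names the admin role it invokes: it must hold arole explicitly, and arole must be
    row_role or senior to it (rows of junior administrative roles are inherited)."""
    return (admin, arole) in aua and arole in seniors(ADMIN_EDGES, row_role)

def can_assign(ua, aua, admin, user, trole, arole):
    return any(usable(aua, admin, arole, a) and satisfies(ua, user, c) and in_range(trole, rng)
               for a, c, rng in CAN_ASSIGN)

def can_weak_revoke(aua, admin, trole, arole):
    return any(usable(aua, admin, arole, a) and in_range(trole, rng) for a, rng in CAN_REVOKE)

def assign(ua, aua, admin, user, trole, arole):
    if not can_assign(ua, aua, admin, user, trole, arole):
        raise PermissionError(f"{admin} as {arole} may not assign {user} to {trole}")
    ua.add((user, trole))

def weak_revoke(ua, aua, admin, user, trole, arole):
    # drops the explicit membership only, whoever granted it; inherited membership survives
    if not can_weak_revoke(aua, admin, trole, arole):
        raise PermissionError(f"{admin} as {arole} may not revoke {trole} from {user}")
    ua.discard((user, trole))

def strong_revoke(ua, aua, admin, user, trole, arole, all_or_nothing=True):
    """Drops explicit membership in trole and every senior role the user holds; all_or_nothing
    refuses if any implied weak revoke is unauthorized, False revokes only within range."""
    targets = {trole} | (seniors(ROLE_EDGES, trole) & explicit(ua, user))
    denied = {r for r in targets if not can_weak_revoke(aua, admin, r, arole)}
    if all_or_nothing and denied:
        raise PermissionError(f"{admin} as {arole} may not strongly revoke {trole}: {sorted(denied)}")
    revoked = (targets - denied) & explicit(ua, user)
    for r in revoked:
        ua.discard((user, r))
    return revoked

def demo():
    """Constructed scenario: one user, one admin per administrative role; returns observations."""
    ua, aua, out = {("u1", "E")}, {("alice", "PSO1"), ("carol", "DSO"), ("bob", "SSO")}, {}
    assign(ua, aua, "bob", "u1", "ED", "SSO")        # prereq E, range [ED,ED]
    assign(ua, aua, "alice", "u1", "E1", "PSO1")     # prereq ED
    assign(ua, aua, "alice", "u1", "Q1", "PSO1")     # prereq ED & not P1
    out["pso1_p1_after_q1"] = can_assign(ua, aua, "alice", "u1", "P1", "PSO1")  # not Q1 fails
    out["pso1_pl1"] = can_assign(ua, aua, "alice", "u1", "PL1", "PSO1")         # out of range
    out["carol_as_pso1"] = can_assign(ua, aua, "carol", "u1", "E1", "PSO1")     # holds DSO, not PSO1
    assign(ua, aua, "carol", "u1", "PL1", "DSO")     # range (ED,DIR); u1 is now implicitly in P1
    out["member_p1_via_pl1"] = is_member(ua, "u1", "P1")
    weak_revoke(ua, aua, "alice", "u1", "E1", "PSO1")
    out["still_member_e1"] = is_member(ua, "u1", "E1")   # inherited through Q1 and PL1
    try:
        strong_revoke(ua, aua, "alice", "u1", "Q1", "PSO1")   # PL1 lies outside [E1,PL1)
    except PermissionError as e:
        out["pso1_strong_q1"] = str(e)
    out["pso1_strong_q1_in_range"] = strong_revoke(ua, aua, "alice", "u1", "Q1", "PSO1", False)
    out["dso_strong_e1"] = strong_revoke(ua, aua, "carol", "u1", "E1", "DSO")
    out["final"] = explicit(ua, "u1")
    return out
```

The walk-through in demo() shows three things the slides state but do not illustrate: a ¬P1 prerequisite is defeated by implicit membership (once DSO puts u1 into PL1, u1 is a member of P1 through the hierarchy, and the PSO1 separation rows no longer help); a weak revoke of E1 leaves u1 a member of E1 through Q1 and PL1; and an all-or-nothing strong revoke by PSO1 fails on the PL1 it cannot reach, while the within-range alternative quietly leaves PL1 in place. The explicit arole check is the part a real stored procedure must not skip: carol, who holds DSO, is refused when she claims PSO1 even though her own DSO rows would cover the same role.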
CLOSING REMARKS: PREVIEW OF WORK IN PROGRESS
user-role assignment: URA97 and Oracle (this paper); other platforms
permission-role assignment: PRA97, the dual of URA97; Oracle implementation
CLOSING REMARKS: PREVIEW OF WORK IN PROGRESS (continued)
role-role hierarchy:
user-only roles (groups): like URA97
permission-only roles: like PRA97
user and permission roles: RRA97