NIST Standard for Role-Based Access Control



  1. NIST Standard for Role-Based Access Control Presented by Wenyi Ni

  2. The roots of RBAC • The use of groups in UNIX and other operating systems • Privilege grouping in DBMSs • Separation of duty concepts RBAC embodies these notions in a single access control model.

  3. RBAC includes: • Roles and role hierarchies • Role activation • Constraints on user/role membership and role set activation

  4. The standard is organized into two parts • RBAC reference model • RBAC functional specification

  5. RBAC reference model • Defines a common vocabulary of terms for consistently specifying requirements, and sets the scope of the RBAC features included in the standard

  6. RBAC functional specification • Defines requirements for the administrative operations that create and maintain the RBAC element sets and relations

  7. The NIST RBAC model is defined in terms of four model components • Core RBAC • Hierarchical RBAC • Static separation of duty relations • Dynamic separation of duty relations

  8. Core RBAC • Defines the minimum collection of RBAC elements, element sets and relations needed for a complete role-based access control system • It includes: 1. user-role assignment 2. permission-role assignment

  9. Definitions in core RBAC • User: defined as a human being; the definition can be extended to include machines, networks and intelligent autonomous agents • Role: a job function within the context of an organization, with some associated semantics regarding the authority and responsibility conferred on the users assigned to the role

  10. Definitions (continued) • Permission: an approval to perform an operation on one or more RBAC-protected objects • Operation: an executable image of a program, which upon invocation executes some function for the user • Session: a mapping between a user and an activated subset of the roles assigned to that user

  11. Core RBAC model element sets and relations

  12. Hierarchical RBAC • Adds relations for supporting role hierarchies • Senior roles acquire the permissions of their juniors, and junior roles acquire the user membership of their seniors • The hierarchy therefore defines each role's set of authorized users and authorized permissions • A role hierarchy can be 1) a tree 2) an inverted tree 3) a lattice

  13. Role hierarchy Tree

  14. Role hierarchy inverted tree

  15. Role hierarchy lattice

  16. Example: accounting roles

  17. Separation of duty relations • Used to enforce conflict-of-interest policies that organizations may employ to prevent users from exceeding a reasonable level of authority for their position

  18. Static separation of duty relations • Enforce constraints on the assignment of users to roles • Place restrictions on sets of roles: if a user is assigned to one role of a conflicting pair, the user is prohibited from being a member of the second role • More generally, an SSD relation over a role set with cardinality n forbids any user from being assigned n or more roles of that set

  19. Because of the conflict between the roles 'Billing' and 'Cashier', Frank is prohibited from being assigned both of them

  20. Dynamic separation of duty relations • Place constraints on the roles that can be activated within or across a user's sessions • Each user can therefore hold different levels of permission at different times, which supports the principle of least privilege • This is often referred to as timely revocation of trust
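The four components of slides 8 through 20 (core UA/PA relations with sessions, permission inheritance through a role hierarchy, an SSD relation, and a DSD relation), worked through in code. This is an added example, not code from the NIST standard, the referenced ACM paper or these slides: the method names follow the standard's administrative, supporting-system and review functions, but their signatures are this example's own choice; the roles Clerk, Billing, Cashier, Supervisor and Auditor, their permissions, the lattice among them and the user Bob are constructed for the illustration (slide 19 supplies only the Billing/Cashier conflict and the user Frank). Two points the slides state but do not show are made explicit: SSD has to be evaluated over authorized roles, assigned plus inherited, or a senior role that inherits both conflicting juniors would bypass the constraint; and DSD lets a user hold two roles while refusing to activate both in one session.

```python
from itertools import count


class RBAC:
    """Core + Hierarchical RBAC with SSD/DSD; method names follow the standard (example only)."""
    def __init__(self):
        self.ua = {}                   # UA: user -> assigned roles
        self.pa = {}                   # PA: role -> {(operation, object)}
        self.rh = {}                   # RH: senior role -> junior roles it inherits from
        self.ssd, self.dsd = [], []    # [(frozenset of roles, cardinality n)]
        self.sessions = {}             # session id -> (user, active roles)
        self._ids = count(1)

    # Core RBAC administrative functions
    def AddRole(self, role): self.pa.setdefault(role, set()); self.rh.setdefault(role, set())
    def GrantPermission(self, role, op, obj): self.pa[role].add((op, obj))
    def AssignUser(self, user, role):
        # SSD is checked over authorized roles (assigned plus inherited), so a senior
        # role that inherits two conflicting juniors is rejected as well.
        assigned = self.ua.setdefault(user, set())
        self._check_ssd(user, self._closure(assigned | {role}))
        assigned.add(role)

    # Hierarchical RBAC: RH must stay a partial order, so cycles are rejected
    def AddInheritance(self, senior, junior):
        if senior in self._closure({junior}):
            raise ValueError("inheritance would create a cycle")
        self.rh[senior].add(junior)
    def _closure(self, roles):        # roles reachable downward, including themselves
        seen, todo = set(), list(roles)
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r); todo.extend(self.rh[r])
        return seen

    # Review functions
    def AuthorizedRoles(self, user): return self._closure(self.ua.get(user, set()))
    def RolePermissions(self, role): return set().union(*(self.pa[r] for r in self._closure({role})))

    # Separation of duty: SSD(rs, n) forbids holding n or more roles of rs;
    # DSD(rs, n) forbids activating n or more roles of rs in one session.
    def CreateSsdSet(self, roles, n):
        self.ssd.append((frozenset(roles), n))
        for user in self.ua:           # existing assignments must comply too
            self._check_ssd(user, self.AuthorizedRoles(user))
    def _check_ssd(self, user, authorized):
        for roleset, n in self.ssd:
            if len(authorized & roleset) >= n:
                raise PermissionError(f"SSD: {user} may hold fewer than {n} of {sorted(roleset)}")
    def CreateDsdSet(self, roles, n): self.dsd.append((frozenset(roles), n))

    # Supporting system functions
    def CreateSession(self, user, roles=()):
        sid = next(self._ids)
        self.sessions[sid] = (user, set())
        for r in roles:
            self.AddActiveRole(sid, r)
        return sid
    def AddActiveRole(self, sid, role):
        user, active = self.sessions[sid]
        if role not in self.AuthorizedRoles(user):
            raise PermissionError(f"{role} is not authorized for {user}")
        # DSD is checked over the closure of the active set, because activating a
        # senior role also brings its juniors' permissions into the session.
        proposed = self._closure(active | {role})
        for roleset, n in self.dsd:
            if len(proposed & roleset) >= n:
                raise PermissionError(f"DSD: fewer than {n} of {sorted(roleset)} per session")
        active.add(role)
    def DropActiveRole(self, sid, role): self.sessions[sid][1].discard(role)
    def CheckAccess(self, sid, op, obj):
        return any((op, obj) in self.RolePermissions(r) for r in self.sessions[sid][1])


def _attempt(fn, *args):
    try: fn(*args); return "ok"
    except PermissionError: return "denied"


def demo():
    """Constructed accounting scenario (not from the slides); returns each outcome."""
    r = RBAC()
    for role in ("Clerk", "Billing", "Cashier", "Supervisor", "Auditor"): r.AddRole(role)
    for s, j in (("Billing", "Clerk"), ("Cashier", "Clerk"),
                 ("Supervisor", "Billing"), ("Supervisor", "Cashier")):
        r.AddInheritance(s, j)          # lattice: Supervisor > {Billing, Cashier} > Clerk
    for role, op, obj in (("Clerk", "read", "ledger"), ("Billing", "issue", "invoice"),
                          ("Cashier", "receive", "payment"), ("Auditor", "audit", "ledger")):
        r.GrantPermission(role, op, obj)
    r.CreateSsdSet({"Billing", "Cashier"}, 2)   # slide 19's conflict
    r.CreateDsdSet({"Cashier", "Auditor"}, 2)   # may hold both, not activate both at once
    out = {}
    r.AssignUser("Frank", "Cashier")
    out["frank_billing"] = _attempt(r.AssignUser, "Frank", "Billing")        # SSD
    out["frank_supervisor"] = _attempt(r.AssignUser, "Frank", "Supervisor")  # inherits Billing
    sid = r.CreateSession("Frank", ["Cashier"])
    out["frank_read_ledger"] = r.CheckAccess(sid, "read", "ledger")          # via Clerk
    out["frank_issue_invoice"] = r.CheckAccess(sid, "issue", "invoice")
    r.AssignUser("Bob", "Cashier"); r.AssignUser("Bob", "Auditor")
    sid = r.CreateSession("Bob", ["Cashier"])
    out["bob_auditor_active"] = _attempt(r.AddActiveRole, sid, "Auditor")    # DSD
    r.DropActiveRole(sid, "Cashier")
    out["bob_auditor_after_drop"] = _attempt(r.AddActiveRole, sid, "Auditor")
    return out
```

Calling `demo()` returns `frank_billing` and `frank_supervisor` as denied (the second because Supervisor's authorized roles include both Billing and Cashier), `frank_read_ledger` True through inheritance from Clerk, `frank_issue_invoice` False, `bob_auditor_active` denied while Cashier is active, and `bob_auditor_after_drop` ok once Cashier has been dropped. Raising on a violation rather than returning False keeps a forgotten check from silently granting access; in a real deployment the exception would be logged as an authorization event.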

  21. Categories of functions in RBAC • Used to meet the requirements for each of the components: 1. Administrative functions 2. Supporting system functions 3. Review functions

  22. Administrative functions in core RBAC • Create and maintain the element sets (USERS, ROLES, OPS, OBS) and relations: 1. AddUser, DeleteUser 2. AddRole, DeleteRole 3. AssignUser, DeassignUser 4. GrantPermission, RevokePermission

  23. Supporting system functions in core RBAC • Session management and access control decisions: 1. CreateSession 2. AddActiveRole, DropActiveRole 3. CheckAccess

  24. Review functions in core RBAC • View the contents of the user-to-role and permission-to-role assignments: 1. AssignedRoles 2. RolePermissions 3. UserPermissions 4. SessionPermissions 5. RoleOperationsOnObjects 6. UserOperationsOnObjects

  25. Administrative functions in hierarchical RBAC • Create and maintain the partial-order relation among roles: 1. AddInheritance, DeleteInheritance 2. AddAscendant, AddDescendant

  26. Supporting system functions in hierarchical RBAC • The same functions as for core RBAC, but some must be redefined because of the role hierarchy, such as CreateSession and AddActiveRole

  27. Review functions in hierarchical RBAC • All review functions specified for core RBAC remain valid here • Adds review functions that account for inherited roles: 1. AuthorizedUsers 2. AuthorizedRoles

  28. Functions in SSD • Administrative: 1. CreateSSDSet, DeleteSSDSet 2. AddSSDRoleMember, DeleteSSDRoleMember 3. SetSSDRoleMember 4. SetSSDCardinality • Supporting system: the same as those for core RBAC • Review: 1. SSDRoleSets 2. SSDRoleSetRoles 3. SSDRoleSetCardinality

  29. Functions in DSD • Administrative: 1. CreateDSDSet, DeleteDSDSet 2. AddDSDRoleMember, DeleteDSDRoleMember 3. SetDSDCardinality • Supporting system: 1. CreateSession 2. AddActiveRole 3. DropActiveRole • Review: 1. DSDRoleSets 2. DSDRoleSetRoles 3. DSDRoleSetCardinality

  30. Conclusion • RBAC is used to simplify security policy administration • RBAC is an open-ended technology, ranging from very simple to fairly sophisticated • RBAC continues to be an evolving technology.

  31. End • Reference: http://csrc.nist.gov/rbac/rbacSTD-ACM.pdf
