320 likes | 557 Views
A Model of OASIS Role-Based Access Control and Its Support for Active Security. Rick Murphy, IT 862, Spring 2005. The Open Architecture for Securely Interworking Services (OASIS). Built to support healthcare in the UK Role-based access control for services
E N D
A Model of OASIS Role-Based Access Control and Its Support for Active Security Rick Murphy, IT 862, Spring 2005
The Open Architecture for Securely Interworking Services (OASIS) • Built to support healthcare in the UK • Role-based access control for services • Roles and policies at the service level • Local policies • Service-Level Agreements between administrative domains • Parameterized roles and permissions • Allows policy to express policy exceptions
OASIS RBAC • Issues with role hierarchies • Senior roles inherit, violating least privilege • Conflicting constraints • Activation Hierarchies are one solution • Choose to activate roles when necessary • Hierarchies are static, OASIS is dynamic • Dynamic role-role relationship/dependencies
Credential-Based Role Activation • Authorization to activate role depends on • User Credentials • Environmental State • Prerequisite roles • User activates subset of potential roles • Least privilege • Active security takes context into consideration • OASIS Role Activation similar to sessions • Except that user does not deactivate
Role Activation Rules • Specify necessary conditions to activate a role • Prerequisite Roles (Session-based) • Appointments • Constraints (Separation of duties, etc.) • Active security uses time-based constraints • Parametric model based on first-order logic • Variables bound to time, userids, object attributes • Predicates tested at both activation and access time
Appointment vs. Delegation • Delegation allows user to grant role to others • Delegation grants target role’s permissions • Appointment • Appointer role grants credential to user • Credential can be used to activate role(s) • Appointed role is task-based and restricted • Tightly controlled privilege propagation • Appointment does not confer privileges • Appointer can confer privileges they do not possess
Task Assignments and Qualification • OASIS allocates privileges by controlling role activation • Task Assigned to principal • Privileges aggregated into associated role • Combined with appointments • Delegator may not have permission granted • Granted due to holding qualification or credential • May be necessary but not sufficient
Appointment, Role-Based Delegation, and Administrative Roles • Appointment and Role-Based Delegation enable privilege propagation • Delegation need not grant all permissions • Some models allow partial delegation • Role delegation associated with task assignment • Appointer may not themselves have role • As with administrative roles • Appointee granted only permissions necessary to task
Appointment Characteristics • Type: Task assignment, qualification • Appointer: Principal who initiates • Appointer role must permit issuance • Appointee: Principal receiving appointment • Activation rules restrict usage • Identity match, validity rules • Revocation: Triggered by invalidating CR
Appointment Revocation • Appointer-only • Manager delegates and monitors • Appointer-role • Limits error/damage if appointer unavailable • System-managed • Revoked automatically if conditions met • Periodic renewal • Task-Based • Session-Based
OASIS Basic Model • Based on first-order propositional logic • Basic Sets: • U: setofall user sessions • S: set of all services • N: set of all role names • E: set of all environmental constraints • O: set of all objects • A: set of all access modes for objects • Extended Sets: • R: set of all roles • P: set of all privileges • Ω: set of all appointment certificates
Role Activation Rules • All of the xj conditions must be satisfied • These are called activating conditions • Examples: • R = {r1, r2, r3, r4} and Ώ = {ω1, ω2} • r1, ω1├ r4 • user in role r1 holding certificate ω1 can activate role r4(providing appointment certificate conditions are met) • (r1 v r2) ^ ω1├ r4 • Either role r1 or r2 holding ω1can activate r4
Role Activation • Initial roles: depend on Ω, E only • Allow users to start session with some roles • Assumes user authentication/session setup • Can have roles with no antecedent conditions, ┤r. • Initial roles activated after authentication • Additional roles activated during session • Restricted by • Activation rules • Parameter evaluation
Activation Interpretation Function • Activation Rule Predicates must be satisfied to activate a role • Activation Function evaluates those • Interpretation function for user u and variable x: Note that activation rules do not include negation.
Role Activation • Given, Γ, the set of role activation functions: • Definition depends on context: session, environment. • Deactivation may be automatic when membership rule no longer valid
Activation Process • Each condition of the activation rule verified • Some activation variables static • Some depend on roles held, environment • Service s may register trigger to revoke role • Environment changes (timer) • Release of prerequisite roles • Membership in prerequisite groups • Active Security prototype uses database triggers to support this
Membership Rules • Role membership is predicated on Membership Rules (Λ) • These must remain satisfied to remain active in role
Role Deactivation • Deactivated when predicates no longer satisfied • May lead to cascading deactivation • OASIS has event infrastructure for triggers
Role-Privilege relation • Associates roles with privileges • Many-to-Many relation • Specified by security administrators • Direct Privileges • Those assigned to role r directly: • Effective Privileges • Include those that session with user in r must necessarily hold. • DP(r) • EP(x) for prerequisite roles • EP(p) for appointment certificates
Privilege Sets • Some RBAC models allow computation of maximal privilege set • OASIS policies are more complex • Set on a service-by-service basis • Multiple, distributed management domains • Service-level agreements between domains • Appointment certificates may cross levels • Appointment scope may vary (local, cross-domain)
Extended Model • Basic Model decides based on propositions evaluated in current context • Roles and appointments • Permission acquisition policy based on those • Extended model allows parameterization of roles, appointment certificates, privileges, and environmental constraints • Define role activation rules using predicates rather than propositions
Extended Model Constructs • Sets as in basic model : U, S, N, O, A. • Typed parameters • Allows static checking • Variables, constants, functions • Parameter modes: in and out • P(x, y?) has in-parameter x and out-parameter y • Bound variables: u is bound in a rule if used as an out parameter, else free.
Role Activation Rule Example • Cannot have free variables • Allows clearly-defined activation semantics • Example: hospital policy where user who is employed there may acquire doctor_on_duty role whenever she is on duty
Another Example • All patients in a ward are in the care of the doctor currently on duty there.
Appointment Certificate Example • Doctor must be qualified and a current employee to be on duty. • Not all elements need be specified
Privileges and Authorization Rules • Basic model used RP relation • Extended model uses role parameters at access time • Authorization rules • (r, e1,…,en |- p) • en are environment variables, authorizing conditions
Authorization Rule Example • Treating_doctor in the ward is allowed to read fields 1, 3, and 4 only from the EHR of a patient under her care.
Model Semantics • Basic Model uses truth function • Extended Model uses variables • Interpretation guides assignment to variables • Satisfaction based on variable assignment • Interpret environmental predicates • Bind parameters • Evaluate terms • Model provides Term Evaluation rules • Must also consider role deactivation conditions
Case Studies • Detailed case studies provided • Anonymity • Multidomain Healthcare System
Related Work • Temporal RBAC [Bertino et. al.] • OASIS uses environmental triggers • Team-Based Access Control [Thomas; Georgiadis] • OASIS could be extended • Content-Based access control [Giuri and Iglio] • Parameterization of roles via templates
Conclusion • OASIS is a practical approach to real-world problems • Designed from the start to be a distributed system • Dynamic, reactive role membership • Prototype system has been proposed in UK