Lecture 8: Access Control (cont.)
Modified from slides of Lawrie Brown
Mandatory Access Control (MAC)
• A labeling mechanism is used
• Prevents any illegal flow of information through the enforcement of multilevel security
• Requires a strict classification of subjects and objects in security levels
• Drawback of being too rigid
• Applicable only to very few environments
[Figure: military security levels Top Secret, Secret, Confidential, Unclassified, with the dominance and can-flow relations between them]
Adopted from: Role-Based Access Control by Prof. Ravi Sandhu
Compartments and Sensitivity Levels
• Information access is limited by the need-to-know
• Compartment: each piece of classified information may be associated with one or more projects called compartments
[Figure: sensitivity levels Top Secret, Secret, Confidential, Restricted, Unclassified shown alongside Compartment 1, Compartment 2, Compartment 3]
Classification & Clearance
• Classification: <rank; compartments>, the class of a piece of information
• Clearance: an indication that a person is trusted to access information up to a certain level of sensitivity
• Clearance of a subject: <rank; compartments>
Dominance Relation
• For a subject s and an object o, o <= s if and only if rank(o) <= rank(s) and compartments(o) is a subset of compartments(s)
• We say that s dominates o (or o is dominated by s) if o <= s
• A subject can read an object if the subject dominates the object
Example
• Information classified as <secret; {Sweden}>
• Which of the following subject clearances can read the above information?
  • <top secret; {Sweden}>
  • <secret; {Sweden, crypto}>
  • <top secret; {crypto}>
  • <confidential; {Sweden}>
  • <secret; {France}>
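The dominance check and the example question above, worked in code (an added example, not from the lecture; the rank ordering and the helper names are assumptions):

```python
from dataclasses import dataclass

# Lowest to highest sensitivity, as in the lecture's military lattice (assumed ordering).
RANKS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    """A <rank; compartments> pair: the classification of an object or the clearance of a subject."""
    rank: str
    compartments: frozenset

    def dominates(self, other):
        # o <= s iff rank(o) <= rank(s) and compartments(o) is a subset of compartments(s)
        return (RANKS[self.rank] >= RANKS[other.rank]
                and other.compartments <= self.compartments)


def label(rank, *compartments):
    return Label(rank, frozenset(compartments))


def can_read(subject, obj):
    """A subject can read an object if the subject dominates the object."""
    return subject.dominates(obj)


# The lecture's question: information classified <secret; {Sweden}> and five clearances.
INFO = label("secret", "Sweden")
CLEARANCES = {
    "<top secret; {Sweden}>": label("top secret", "Sweden"),
    "<secret; {Sweden, crypto}>": label("secret", "Sweden", "crypto"),
    "<top secret; {crypto}>": label("top secret", "crypto"),
    "<confidential; {Sweden}>": label("confidential", "Sweden"),
    "<secret; {France}>": label("secret", "France"),
}


def evaluate(info=INFO, clearances=CLEARANCES):
    """Map each clearance string to whether a subject holding it may read `info`."""
    return {name: can_read(clr, info) for name, clr in clearances.items()}


if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{name:30} {'can read' if ok else 'cannot read'}")
```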
Role-Based Access Control
[Figure: USERS, ROLES, PERMISSIONS and Sessions connected by User-Role Assignment, Permission-Role Assignment and Role Hierarchies; example hierarchy Health-Care Provider, Physician, Primary-Care Physician, Specialist Physician]
• Users are human beings or other active agents
• A role is a business function the user performs
• A user can be a member of many roles
• Each role can have many users as members
• A user can invoke multiple sessions
• In each session a user can invoke any subset of roles that the user is a member of
• A permission can be assigned to many roles
• Each role can have many permissions
• Permissions such as read, write, append, execute
Adopted from: Role-Based Access Control by Prof. Ravi Sandhu
Constraints - RBAC
• Provide a means of adapting RBAC to the specifics of administrative and security policies of an organization
• A defined relationship among roles or a condition related to roles
• Mutually exclusive roles: a user can only be assigned to one role in the set (during a session or statically); any permission can be granted to only one role in the set
• Cardinality: setting a maximum number with respect to roles
• Prerequisite roles: dictates that a user can only be assigned to a particular role if it is already assigned to some other specified role
RBAC System
• Administrative functions: provide the capability to create, delete, and maintain RBAC elements and relations
• Supporting system functions: provide functions for session management and for making access control decisions
• Review functions: provide the capability to perform query operations on RBAC elements and relations
NIST RBAC Basic Definitions
• Object: any system resource subject to access control, such as a file, printer, terminal, database record
• Operation: an executable image of a program, which upon invocation executes some function for the user
• Permission: an approval to perform an operation on one or more RBAC protected objects
Core RBAC
• Administrative functions
  • add and delete users from the set of users
  • add and delete roles from the set of roles
  • create and delete instances of user-to-role assignment
  • create and delete instances of permission-to-role assignment
• Supporting system functions
  • create a user session with a default set of active roles
  • add an active role to a session
  • delete a role from a session
  • check if the session subject has permission to perform a requested operation on an object
• Review functions
  • enable an administrator to view but not modify all the elements of the model and their relations
Hierarchical RBAC
• General role hierarchies
  • allow an arbitrary partial ordering of the role hierarchy
  • support multiple inheritance, in which a role may inherit permissions from multiple subordinate roles and more than one role can inherit from the same subordinate role
• Limited role hierarchies
  • impose restrictions resulting in a simpler tree structure
  • a role may have one or more immediate ascendants but is restricted to a single immediate descendant
Static Separation of Duty
• Enables the definition of a set of mutually exclusive roles: if a user is assigned to one role in the set, the user may not be assigned to any other role in the set
• Can place a cardinality constraint on a set of roles, defined as a pair (role set, n) where no user is assigned to n or more roles from the role set
• Includes administrative functions for creating and deleting role sets and adding and deleting role members
• Includes review functions for viewing the properties of existing SSD sets
Dynamic Separation of Duty
• Limits the permissions available to a user
• Places constraints on the roles that can be activated within or across a user's sessions
• Defines constraints as a pair (role set, n) with the property that no user session may activate n or more roles from the role set, where n is a natural number n ≥ 2
• Enables the administrator to specify certain capabilities for a user at different time spans
• Includes administrative and review functions for defining and viewing DSD relations
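A small core-RBAC engine that enforces the SSD (user-role assignment) and DSD (session activation) constraints as the (role set, n) pairs defined above; this is an added example with assumed method names, not the NIST reference API, and the banking roles in the usage are constructed:

```python
from collections import defaultdict


class RBAC:
    """Core RBAC plus SSD/DSD constraints as (role set, n) pairs.
    Added example; not the NIST reference API."""

    def __init__(self):
        self.user_roles = defaultdict(set)   # user -> roles assigned (UA)
        self.role_perms = defaultdict(set)   # role -> {(operation, object)} (PA)
        self.sessions = {}                   # session id -> (user, active roles)
        self.ssd = []                        # [(frozenset(roles), n)]: no user holds n+ of them
        self.dsd = []                        # [(frozenset(roles), n)]: no session activates n+

    @staticmethod
    def _constraint(roles, n):
        if n < 2:
            raise ValueError("n must be a natural number >= 2")
        return (frozenset(roles), n)

    def add_ssd(self, roles, n):
        self.ssd.append(self._constraint(roles, n))
    def add_dsd(self, roles, n):
        self.dsd.append(self._constraint(roles, n))
    def grant(self, role, op, obj):
        self.role_perms[role].add((op, obj))

    def assign_user(self, user, role):
        """UA update; refused if the user would hold n or more roles of any SSD set."""
        new = self.user_roles[user] | {role}
        if any(len(new & rs) >= n for rs, n in self.ssd):
            return False
        self.user_roles[user] = new
        return True

    def create_session(self, sid, user):
        self.sessions[sid] = (user, set())

    def add_active_role(self, sid, role):
        """Activation; refused for non-members and for DSD violations within the session."""
        user, active = self.sessions[sid]
        new = active | {role}
        if role not in self.user_roles[user] or any(len(new & rs) >= n for rs, n in self.dsd):
            return False
        active.add(role)
        return True

    def check_access(self, sid, op, obj):
        """Access decision: some active role of the session must hold (op, obj)."""
        _, active = self.sessions[sid]
        return any((op, obj) in self.role_perms[r] for r in active)
```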
Task Based Access Control
• Classical subject-object access control: P ⊆ S × O × A
• TBAC view of access control: P ⊆ S × O × A × U × AS
• P – Permission, S – Subject, O – Object, A – Actions
• TBAC extensions: U – Usage and Validity Counts, AS – Authorization step
• Active security model
• Dynamic authorization gives flexibility
• No roles involved
• Constraints for this model are still under study
• Each authorization step consumes a permission, and its usage count is incremented
• When the usage count reaches its limit, the associated permission is deactivated
Adopted from: Task-based authorization controls by R.S. Sandhu and R.K. Thomas
TBAC with Constraints
[Figure: users Alice (Check Patient) and Bob (Do Physical Exam) assigned to tasks; Out Patient Workflow from Start to End: Do Physical Exam (T1), Check Patient (T2), Perform Lab Test (T3), View Lab Results (T4), Write Prescription (T5), Refer another specialist (T6); non-workflow task: View Current Patient List]
TBAC with Constraints
• Objects – health records or files
• Operations – read, update, write, copy, print, etc.
• Permissions for workflow and non-workflow tasks are bound to task instances
[Figure: the Check Patient task with two task instances, Bob – Check Patient Grace (Task Instance 1) and Alice – Check Patient Josh (Task Instance 2)]
Constraints
• Least privilege: users are not given more permission than is necessary to perform their duties
• Constraints are achieved through task instances (user, task instance, task)
• Access permissions start when the instance is initiated
• Access permissions end when the instance is completed or revoked
• Fine grained access control
[Figure: task instance Alice – Check Patient Josh, with permission status Initiated, Active, Completed, Revoked]
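The usage counts from the Task Based Access Control slide and the task-instance lifecycle above, combined in one added example (not from the lecture); the permission limits, record names and class names are assumptions:

```python
from dataclasses import dataclass, field


@dataclass
class Permission:
    """A TBAC permission carrying a usage count; each authorization step consumes one use."""
    op: str
    obj: str
    limit: int
    used: int = 0

    def active(self):
        # Once the usage count reaches its limit the permission is deactivated.
        return self.used < self.limit


@dataclass
class TaskInstance:
    """One instance of a task (e.g. Check Patient for patient Josh) bound to one user."""
    task: str
    user: str
    patient: str
    perms: list = field(default_factory=list)
    status: str = "initiated"   # initiated -> active -> completed | revoked

    def authorize(self, user, op, obj):
        """One authorization step. Permissions are valid only between initiation and
        completion/revocation, only for the assigned user, and only while a matching
        permission still has uses left."""
        if user != self.user or self.status not in ("initiated", "active"):
            return False
        for p in self.perms:
            if (p.op, p.obj) == (op, obj) and p.active():
                p.used += 1
                self.status = "active"
                return True
        return False

    def complete(self):
        self.status = "completed"

    def revoke(self):
        self.status = "revoked"


def check_patient(user, patient):
    """Constructed instance of the lecture's Check Patient task; limits are illustrative."""
    return TaskInstance("Check Patient", user, patient, [
        Permission("read", f"record:{patient}", limit=3),
        Permission("update", f"record:{patient}", limit=1),
    ])
```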
Static and Dynamic Separation of Duty
• No single individual can execute all tasks within the workflow
• Protects against fraudulent activities of users
• Static SOD – defining the tasks in the workflow or non-workflow governs the administration or design-time associations between users and permissions
• Dynamic SOD – permissions or task instances are granted at run-time
[Figure: workflow Start to End with Do Physical Exam (T1), Check Patient (T2), Perform Lab Test (T3), View Lab Results (T4), Write Prescription (T5), the roles Nurse, Physician, Technician, Physician shown against the tasks, and Alice's Task Instance 1: Check Patient Josh]
Delegation of Tasks
• The initially assigned user is not available to complete the task
• A supervisor can delegate the task to another junior user in the same hierarchy
• Access rights are revoked once the task is completed
[Figure: Senior Physician (Jan) above Physician (Alice) and Physician (Bob); Alice's task instance Check Patient Josh; Jan can delegate the task to Bob]
Spatial and Temporal Constraints
• Accessed from anywhere and at any time
• The user's location and time are taken into consideration for granting access to a task
[Figure: Family Practice tasks, with the Physician under a location constraint (Reno Office) and the Nurse under a time constraint (8 - 5)]
Passive and Active Access Control
[Figure: Passive access – Physician reads File 1 (View Current Patient List) and writes File 2 (Write Prescription); Active access – Physician performs Write Prescription (T5) inside the workflow Do Physical Exam (T1), Check Patient (T2), Perform Lab Test (T3), View Lab Results (T4), Write Prescription (T5), Refer another specialist (T6), Start to End]
Classification of Tasks
[Figure: Family Practice with Senior Physician (Jan) and Physician (Alice); task classes ClassPrivate and ClassSupervision shown against View Current Patient List, Diagnosis Details and the workflow Do Physical Exam (T1), Check Patient (T2), Perform Lab Test (T3), View Lab Results (T4), Write Prescription (T5), Refer another specialist (T6)]
Classification of Tasks
[Figure: task classes ClassWorkflow and ClassApproval in Family Practice; Senior Physician (Jan), Physician (Alice) and Physician (Bob) in the same hierarchy; Check Patient and the workflow Do Physical Exam (T1), Check Patient (T2), Perform Lab Test (T3), View Lab Results (T4), Write Prescription (T5), Refer another specialist (T6)]
Functions and Roles for Banking Example
• (a) Functions and Official Positions
• (b) Permission Assignments
• (c) Permission Assignment with Inheritance
Summary
• Access control
  • prevent unauthorized users from gaining access to resources
  • prevent legitimate users from accessing resources in an unauthorized manner
  • enable legitimate users to access resources
• Subjects, objects, access rights
• Authentication, authorization, audit
• Discretionary access control (DAC): controls access based on identity
• Mandatory access control (MAC): controls access based on security labels
• Role-based access control (RBAC): controls access based on roles