1 / 24

INFS 767 Fall 2003 RBAC-MAC-DAC

INFS 767 Fall 2003 RBAC-MAC-DAC. Prof. Ravi Sandhu. RBAC96. ROLE HIERARCHIES. USER-ROLE ASSIGNMENT. PERMISSIONS-ROLE ASSIGNMENT. USERS. ROLES. PERMISSIONS. SESSIONS. CONSTRAINTS. Supervising Engineer. Hardware Engineer. Software Engineer. Engineer. HIERARCHICAL ROLES.

orien
Download Presentation

INFS 767 Fall 2003 RBAC-MAC-DAC

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. INFS 767 Fall 2003 RBAC-MAC-DAC Prof. Ravi Sandhu

  2. ... RBAC96 ROLE HIERARCHIES USER-ROLE ASSIGNMENT PERMISSIONS-ROLE ASSIGNMENT USERS ROLES PERMISSIONS SESSIONS CONSTRAINTS

  3. Supervising Engineer Hardware Engineer Software Engineer Engineer HIERARCHICAL ROLES

  4. WHAT IS THE POLICY IN RBAC? • RBAC is policy neutral • Role hierarchies facilitate security management • Constraints facilitate non-discretionary policies

  5. + - H M1 M2 - + L LBAC: LIBERAL *-PROPERTY Read Write

  6. HR LW M1R M2R LR HW RBAC96: LIBERAL *-PROPERTY + M1W M2W - Read Write

  7. RBAC96: LIBERAL *-PROPERTY • user  xR, user has clearance x user  LW, independent of clearance • Need constraints • session  xR iff session  xW • read can be assigned only to xR roles • write can be assigned only to xW roles • (O,read) assigned to xR iff (O,write) assigned to xW

  8. H M1 M2 L LBAC: STRICT *-PROPERTY + - Read Write

  9. HR M1R M2R LR RBAC96: STRICT *-PROPERTY M1W LW HW M2W

  10. Variations of DAC • Strict DAC • Liberal DAC

  11. Strict DAC • Only owner has discretionary authority to grant access to an object. • Example: • Alice has created an object (she is owner) and grants access to Bob. Now Bob cannot grant propagate the access to another user.

  12. Liberal DAC • Owner can delegate discretionary authority for granting access to other users. • One Level grant • Two Level Grant • Multilevel Grant

  13. One Level Grant • Owner can delegate authority to another user but they cannot further delegate this power. Bob Charles Alice

  14. Two Level Grant • In addition a one level grant the owner can allow some users to delegate grant authority to other users. Bob Charles Dorothy Alice

  15. Revocation • Grant-Independent Revocation. • Grant-Dependent Revocation.

  16. Common Aspects • Creation of an object in the system requires the simultaneous creation of • three administrative roles • OWN_O, PARENT_O, PARENTwithGRANT_O • One regular role • READ_O

  17. OWN_O PARENTwithGRANT_O PARENT_O READ_O Administration of roles associated with object O OWN_O PARENTwithGRANT_O PARENT_O Administrative role hierarchy

  18. Common Aspects II • We require simultaneous creation of Eight Permissions • canRead_O • destroyObjet_O • addReadUser_O, deleteReadUser_O • addParent_O, deleteParent_O • addParentWithGrant_O, deleteParentWithGrant_O

  19. Roles and associated Permissions • OWN_O • destroyObject_O, addParentWithGrant_O, deleteParentWithgrant_O • PARENTwithGRANT_O • addParent_O, deleteParent_O • PARENT_O • addReadUser_O, deleteReadUser_O • READ_O • canRead_O

  20. Common Aspects III • Destroying an object O requires deletion of four roles and eight permissions in addition of destroying the object O.

  21. Strict DAC in RBAC96 • Cardinality constraints as: • Role OWN_O = 1 • Role PARENTwithGRANT_O = 0 • Role PARENT_O = 0

  22. One level DAC in RBAC96 • Cardinality constraints as: • Role OWN_O = 1 • Role PARENTwithGRANT_O = 0

  23. Two Level DAC in RBAC96 • Cardinality constraints as: • Role OWN_O = 1

  24. U1_PARENT_O U1_READ_O U2_PARENT_O U2_READ_O Un_PARENT_O Un_READ_O READ_O role associated with members of PARENT_O

More Related