Role Usage and Activation Hierarchies (best viewed in slide show mode)

Ravi Sandhu, Laboratory for Information Security Technology, George Mason University, www.list.gmu.edu, sandhu@gmu.edu


Presentation Transcript


  1. Role Usage and Activation Hierarchies (best viewed in slide show mode). Ravi Sandhu, Laboratory for Information Security Technology, George Mason University, www.list.gmu.edu, sandhu@gmu.edu

  2. Reference
     • Ravi Sandhu, “Role Hierarchies and Constraints for Lattice-Based Access Controls.” Proc. Fourth European Symposium on Research in Computer Security, Rome, Italy, September 25-27, 1996, pages 65-79. Published as Lecture Notes in Computer Science, Computer Security-ESORICS96 (Elisa Bertino et al., editors), Springer-Verlag, 1996.
     • Ravi Sandhu, “Role Activation Hierarchies.” Proc. Third ACM Workshop on Role-Based Access Control, Fairfax, Virginia, October 22-23, 1998, pages 33-40.
     • Sylvia Osborn, Ravi Sandhu and Qamar Munawer, “Configuring Role-Based Access Control to Enforce Mandatory and Discretionary Access Control Policies.” ACM Transactions on Information and System Security, Volume 3, Number 2, May 2000, pages 85-106.

  3. Role hierarchies
     • Two aspects
       • Role usage: permission inheritance
       • Role activation: activation hierarchy
     • RBAC96 combines both aspects in a single hierarchy
     • ANSI/NIST standard model leaves this open
     • Do one or both, just make it clear what you are doing

  4. Example Role Hierarchy

  5. LBAC to RBAC

  6. Simple security property
     • some variations of LBAC use 2 labels for subjects
       • λr for read and λw for write
     • λr = λw for the single label case

  7. Variations of *-property

  8. LBAC to RBAC: independent read-write hierarchies

  9. LBAC to RBAC: intertwined read-write hierarchies

  10. Activation hierarchies and dynamic SOD

  11. Formal definition

  12. Activation hierarchy with non-maximal roles

  13. Read-write RBAC and LBAC

  14. LBAC with trusted strict *-property
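
Slide 3's distinction between the usage (permission-inheritance) hierarchy and the activation hierarchy, shown as an added Python example that is not from the slides; the role names, permissions, users and the `Rbac` class are constructed for illustration. Passing the same relation for both hierarchies gives the single combined hierarchy the slide attributes to RBAC96.

```python
# Added illustration: all role names, permissions and users are constructed.

def closure(role, juniors):
    """Return `role` plus every role reachable downward through `juniors`."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(juniors.get(r, ()))
    return seen

class Rbac:
    def __init__(self, usage, activation, perms, assigned):
        self.usage = usage            # senior -> juniors whose permissions it inherits
        self.activation = activation  # senior -> juniors its members may activate
        self.perms = perms            # role -> directly assigned permissions
        self.assigned = assigned      # user -> directly assigned roles

    def can_activate(self, user, role):
        # A user may activate an assigned role or any role junior to it
        # in the activation hierarchy.
        return any(role in closure(r, self.activation)
                   for r in self.assigned.get(user, ()))

    def session_permissions(self, user, active_roles):
        denied = [r for r in active_roles if not self.can_activate(user, r)]
        if denied:
            raise PermissionError(f"{user} may not activate {denied}")
        granted = set()
        for r in active_roles:
            # Permissions flow only along the usage hierarchy.
            for junior in closure(r, self.usage):
                granted |= self.perms.get(junior, set())
        return granted

PERMS = {"employee": {"read_handbook"}, "purchaser": {"create_order"},
         "approver": {"approve_order"}, "manager": {"view_budget"}}
ASSIGNED = {"alice": ["manager"], "bob": ["purchaser"]}
COMBINED = {"manager": ["purchaser", "approver"],
            "purchaser": ["employee"], "approver": ["employee"]}
USAGE_ONLY = {"purchaser": ["employee"], "approver": ["employee"]}

# One hierarchy used for both aspects (the RBAC96 arrangement on slide 3).
rbac96 = Rbac(COMBINED, COMBINED, PERMS, ASSIGNED)
# Separate hierarchies: manager may activate its juniors but inherits nothing.
split = Rbac(USAGE_ONLY, COMBINED, PERMS, ASSIGNED)

if __name__ == "__main__":
    print(sorted(rbac96.session_permissions("alice", ["manager"])))
    print(sorted(split.session_permissions("alice", ["manager"])))
    print(sorted(split.session_permissions("alice", ["purchaser"])))
```

With the split configuration, alice holds order-creation rights only in a session where she has explicitly activated `purchaser`, which is the property an activation hierarchy provides that permission inheritance alone does not.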
