Академический Документы
Профессиональный Документы
Культура Документы
Security Management
Lecture 7
UA PA
Users Roles Operations Objects
Permissions
user_sessions
Dynamic
(one-to-many)
Separation
Sessions of Duty
Advantages of RBAC
Allows efficient security management
Supports principle of least privilege
Separation of duty constraints
Policy-neutral and provides generality
Encompasses traditional discretionary and
mandatory policies
Suitable for use in multidomain environments
such as digital government, multi-enterprise
venture and international coalition
Time-based Access Control
Requirement
Organizational functions and services with
temporal requirements
A part-time staff is authorized to work only
between 9am-2pm on weekdays
A day doctor must be able to perform his/her
duties between 8am-8pm
An external auditor needs access to organizational
financial data for a period of three months
A video library allows access to a subscriber to
view at most three movies every week
In an insurance company, an agent needs access
to patient history until a claim has been settled
What to model in Generalized
Temporal RBAC (GTRBAC)?
Triggers and Events
Temporal constraints
Roles, user-role and role-permission assignment
constraints
Activation constraints (cardinality, active
duration,..)
Temporal role hierarchy
Time-based Separation of duty constraints
States of a Role in GTRBAC
ac
t iv
at
e
activate
Enabled
Enabled
Enabled Active
Active
Active
deactivate
disable disable
enable
te
iv a
de act
Disabled
Disabled
Disabled
Event and Trigger
Simple events
enable r disable r
assignU r to u deassignU r to u
assignP p to r deassignP p to r
activate r for u deactivate r for u
Prioritized event pr:E, where pr ∈ Prios
Status
Role, assignment status – e.g.. enabled(r); p_assigned(p ,r)
Triggers: E1 ,…, En , C1 ,…, Ck → pr:E after ∆t , where Ei
are events, Ci are status expressions
Example:
enable DayDoctor → enable DoctorInTraining after 1 hour
User/administrator run-time request: pr:E after ∆t
Temporal Constraints: Roles, User-role
and Role-permission Assignments
Periodic time
(I, P) : 〈[begin, end], P〉 is a set of intervals
P is an infinite set of recurring intervals
Calendars:
Hours, Days, Weeks, Months, Years
Examples
all.Weeks + {2, …, 6}.Days + 10.Hours ⊲
12.hours
- Daytime (9am to 9pm) of working days
Temporal Constraints: Roles, User-role
and Role-permission Assignments
Periodicity: (I, P, pr:E)
([1/1/2000, ∝], Daytime, enable DayDoctor)
([1/1/2001, ∝], {Mon,Wed}, assignU DayDoctor
to Smith)
Duration constraint: (D, pr:E)
(Five hours, enable DoctorInTraining)
activate DayDoctor for Smith → enable
DoctorInTraining after 1 hour
Activation Time Constraints
Active role duration
Total duration for role activation
1. Per role: Dactive, [Ddefault], activeR_total r
2. Per user role: Duactive, u, activeUR_total r
Max active role duration per activation
1. Per role: Dmax, activeR_max r
2. Per user role: Dumax, u, activeUR_max r
Cardinality
Total number of role activations
1. Per role: Nactive, [Ndefault], activeR_n r
2. Per user role: Nuactive, u, activeUR_n r
Max number of concurrent activations
1. Per role: Nmax, [Ndefault], activeR_con r
2. Per user role: Numax, u , activeUR_con r
Example GTRBAC access policy for a
healthcare system
1 a. (DayTime, enable DayDoctor), (NightTime, enable NightDoctor)
b. ((M, W, F), assignU Adams to DayDoctor), ((T, Th, S, Su), assignU Bill to
DayDoctor);
((M, W, F), assignU Alice to NightDoctor), ((T, Th, S, Su), assignU Ben to
NightDoctor)
Run-time
action External events
System
handler Priority-based (run-time events)
State
conflict resolution
Type 2
activation event has lower precedence
Type 3(b)
per-user-role constraints takes precedence
Example
{H:enable r0 ,H:disable r0 , VH:enable r1, H:disable r1,
VH:(s:activate r1 for u)}
After resolution
{H:disable r0 , VH:enable r1, VH:(s:activate r1 for u)}
Ambiguous Event Dependency
A set of triggers may give rise to ambiguous
semantics
Example:
tr1: enable R1 → disable R2
tr2: enable R2 → disable R1
Let the runtime requests be: {enable R1; enable R2},
1. tr1 fires: {enable R1; disable R2}
(Intuitively, tr1 blocks tr2)
two symmetric
2. tr2 fires: {enable R2; disable R1} possibilities
(Intuitively, tr2 blocks tr1)
Solution: Detect ambiguity using Labeled dependency graph
Dependency Graph Analysis
Labeled Dependency Graph
Directed graph (N, E)
N: set of prioritized events that occur in the head of some
trigger
E: set of triples of the form (X, l, Y)
For all triggers [B →p:E]
For all events E’ in the body B, and for all nodes q:E’ in N
<q:E’, + , p:E>
Consistency Property:
Let <f> ∈{≥t, ≽t, ≿t} and <f’> ∈ {≥t, ≽t, ≿t}/{<f>}. Let x and y be
distinct roles such that x <f> y; then the condition ¬(y <f’> x) must
hold.
Types of role Hierarchy
Permission-inheritance hierarchy (I-hierarchy)
Senior inherits juniors’ permissions
User assigned to senior cannot activate juniors
Role-Activation hierarchy (A-hierarchy)
Senior does not inherit juniors’ permissions
User assigned to senior can activate junior
Advantage: SOD constraint can be defined on hierarchically
related roles
Activation Inheritance hierarchy (IA-hierarchy)
Senior inherits juniors’ permissions
User assigned to senior can activate junior
Types of Role Hierarchy
u assigned to u assigned to u assigned to
{(Software Engineer),
(Software Engineer, Programmer),
(Programmer) }
τ1 τ2
Programmer
(P P )
(i) (ii)
Strongly Restricted
∀p, (x≥s,t y) ∧ enabled(x, t) ∧ enabled (y, t) ∧
Is-hierarchy (x ≥s,t y)
can_be_acquired (p, y, t) → can_be_acquired (p, x,t)
∀p, (x ≽s,t y) ∧ enabled(x, t) ∧ enabled (y, t) ∧
As –hierarchy (x ≽s,t y)
can_activate(u, x, t) → can_activate(u, y, t)
IAs-hierarchy (x ≿s,t y) (x ≿s,t y) ↔ (x ≥s,t y) ∧ (x≽s,t y)
Temporal Role Hierarchy Example
PartTimeDoctor
{(3pm-6pm), (7am-10am)}
Is Is
Example:
(≥t is an I-hierarchy and h = (ProjManager ≥t
ProjEngineer))
u1 r1 u1 r1 u1 r1
u2 r2 u2 r2 u2 r2
u1 r1 u1 r1 u1 r1
u2 r2 u2 r2 u2 r2
Policy XML
Validation Parser RBAC
XML
Module Module Authorization
Policy Base
XML/SOAP
DOM
XML Session
Sessions DataSet
Access Log
Request
XML/SOAP XML GTRBAC
Processor Processor
Validation support is provided by Apache Xalan XSLT engine built into JAXP
Policy Design Issue
GTRBAC constraint set is not minimal
Constraint design considerations
Usability: Clarity of Semantics, Manageability
Complexity of specification
Complexity Description
parameter
n.R n roles
n.S n default assignments
n.Tr n temporal constraints on (n) roles
n.Tur (n.Trp) n temporal constraints on user- assignment
n.Aur (n.Ar) n per-user-role (per-role) time constraint
u can acquire p at t in C1
There exists a minimum set of constraint types
GTRBAC Family of Models
All constraints
GTRBAC2
Level 2
{Per-role constraint,
role enabling, trigger} Alternative 1: n.S + n.T + n.R
Replace
Replace temporal
temporal
constraints
constraints on
on p-r
p-r by
by
Algo: that on role-enabling
that on role-enabling
Algo: transformPR
transformPR -Change
-Change triggers
triggers
-Change
-Change hierarchies
hierarchies
Algo:
Algo: transformMDS
transformMDS C’out
Replace
Replace temporal
temporal
Algo:
Algo: transformUR
transformUR constraints
constraints on
on u-r
u-r by
by
-Compute
-Compute MDS
MDS that
that on
on role-enabling
role-enabling
-Create
-Create new
new roles
roles -Change
-Change triggers
triggers
-Compute MS
-Compute MS -Change
-Change hierarchies
hierarchies
-Assign
-Assign users
users to
to MS
MS Replace activation
Replace activation
elements
elements constraints
-Change
-Change triggers
triggers Cout ≈ Cin constraints
-Change
-Change hierarchies
hierarchies
Level 0
Example
P E A = { S u n , M o n , T u e , W e d , T h u , F ri} P E A = { S u n , M o n , T u e , W e d , T h u , F ri}
A Simple A
P E C = { S u n , T u e , T h u , F ri} P E C = { S u n , T u e , T h u , F ri}
C D ay C D ay
D o c to r D o c to r
P E D = { S u n , M o n , T u e , W e d , S a t} P E D = { S u n , M o n , T u e , W e d , S a t} ,
D D
P E E = { T h u , F ri} P E E = { T h u , F ri}
E E
(a ) TransformMDS (b )
P E ’” 1 = { S u n , T u e }
A
P E ’” 2 = { T h u , F ri}
B
D ay
C
D o c to r
D
P E ’” 3 = { M o n , W e d }
E
(c ) P E ’” 4 = { S a t}
Alternative (c): p.S + s.T + s.R+ s.H, Alternative (b): n.S + n.T + n.R + n.H
where n ≤ p ≤ n2n-1; 1 ≤ s ≤ (2n -1)
Design Guidelines
GTRBAC1,U is better than
alternative b as the policy
representation is less complex in Alternative
Alternative (b):
(b):
terms of number of roles and n.S
n.S +
+ n.T
n.TRR +
+ n.R
n.R +
+ n.H
n.H
hierarchies
GTRBAC1,U is flexible – one can Alternative
Alternative (c):
p.S
(c):
p.S + + s.T
s.TRR +
+ s.R
s.R +
+ s.H
s.H
schedule role enabling and user where
where
assignments separately nn ≤≤ ppnn ≤≤ n2
n2n-1
n-1;;
A MV1
(Weekly, 300, 100, active R_total MV1)
(Weekly, 600, active R_total MV)
B MV2
(Weekly, 300, 100, active R_total MV2)
C MV3 MV Video
(W eekly, 300, 100, active R_total MV3) Database
D MV4
(W eekly, 250, active R_total MV4)
E MV5
(b)
(W eekly, 50, active R_total MV5)
(a )
(W e e k ly , 5 0 , a c tiv e R _ to ta l M V 2 )
E M V2
B M V1
(W e e k ly , 3 0 0 , 1 0 0 , ac tiv e R _ to ta l M V 1 )
C
(W e e k ly , 6 0 0 , a c tiv e R _ to ta l M V ) MV V id eo
D ata b a se
D
(W e e k ly , 2 5 0 , D , ac tiv e U R _ to ta l M V 2 )
M V2
(b )
E (W e e k ly , 5 0 , E , a c tiv e U R _ to ta l M V 2 )
GTRBAC
GTRBAC1,A representation: (n - n ).A UR +
1,A representation: (nxx - nyy).AUR + nnyy.A
.ARR +
+ c.(b.n
c.(b.nyy++ 1).(R+
1).(R+ H); H);
where,(1) nnxx =
where,(1) = |D
|Dmm|| and
and nnyy =
= |D’|
|D’| ,, such
such that
that (1) D’ ⊆
(1) D’ ⊆D Dmm,, and (2) ifif dd ∈D’
and (2) ∈D’ then
then C
Cmm(d)
(d) >> 1;
1; (2)
(2) bb =1
=1 ifif (n
(n >
> nnxx);); bb =0
=0
otherwise;
otherwise; (3)(3) cc =1
=1 ifif (n
(n >> nnxx>0);
>0); cc == 00 otherwise.
otherwise.
Design Guidelines
Per-role constraint with default value
If there are many common durations,
per-user-role constraint
Per-user requirements vary significantly
More flexibility (e.g., requirements vary
constantly)
Hybrid approach (b in previous slide)
can give balanced representations
Related Work
OASIS RBAC Model [Bacon, 02]
Precondition on role activation to support active security
No triggers
RSL2000 Constraint Specification Language [Ahn et. al., 2000],
Need for activation hierarchy [Sandhu, 1999]
Identified its usefulness in expressing MAC
Separation Duty Constraints
Listing of useful set of SoD Constraints
[Simon et. al., 1997],[Gligor et. al., 1998]
None address timing issues
GTRBAC SoDs subsume all the SoD constraints identified
GTRBAC Triggers and SoDs provide a technical foundation for
enforcing history based SoD constraints
Conclusion
Role based access control can be used
to support diverse set of access control
requirements
Time-based access is a crucial
requirement in emerging applications
GTRBAC’s constraint set is not minimal–
however, they are beneficial for
practical use
Current and Future work
Secure Interoperation
Integer Programming approach (for tightly coupled
environments)
Trust-based access management (loosely coupled
environment)
Issues related to Grid, P2P
GTRBAC - extended to LoT-RBAC
Implementation in mobile environment (near completion)
Policy evolution and hybrid hierarchy management
Administrative tools and techniques
Extension of the policy design work to generate tools
for efficient RBAC policy administration
Relevant References
James B. D. Joshi, Elisa Bertino, Usman Latif, Arif Ghafoor, "Generalized Temporal Role Based
Access Control Model," IEEE Transactions on Knowledge and Data Engineering Vol 7, No.
1, Jan, 2005.
James B. D. Joshi, Elisa Bertino, Arif Ghafoor, "Analysis of Expressiveness and Design Issues
for the Generalized Temporal Role Based Access Control Model," Transactions on
Dependable and Secure Computing, April-June 2005.
James B. D. Joshi, Rafae Bhatti, Elisa Bertino, Arif Ghafoor, “An Access Control Language for
Multidomain Environments”, IEEE Internet Computing, Nov-Dec, 2004
Rafae Bhatti, James B. D. Joshi, Elisa Bertino, Arif Ghafoor, "XML-Based Specification for Web
Services Document Security", IEEE Computer, Vol. 37, Number 4, April, 2004, pp 41-49.
Rafae Bhatti, James B. D. Joshi, Elisa Bertino, Arif Ghafoor, "X-GTRBAC: An XML-based
Policy Specification Framework and Architecture for Enterprise-Wide Access Control", ACM
Transactions on Information and System Security, Vol. 8, No. 2, Pages 187-227, May 2005.
Basit Shafiq, James B. D. Joshi, Elisa Bertino, Arif Ghafoor, "Secure Interoperation in a Multi-
Domain Environment Employing RBAC Policies," IEEE Transactions on Knowledge and
Data Engineering.
Smithi Piromruen, James B. D. Joshi, “An RBAC Framework for Time Constrained Secure
Interoperation in Multi-domain Environment,” IEEE Workshop on Object-oriented Real-time
Databases (WORDS-2005), 2005.
Suroop M. Chandran, James B. D. Joshi, “LoT-RBAC: A Location and Time-based RBAC
Model”, accepted the 6th International Conference on Web Information Systems
Engineering, November 20-22, 2005, New York City, New York