Lecture Chapter 4: Access Control Role-based models RBAC

Shared by: Hấp Hấp | Date: | File type: PPTX | Pages: 22


Lecture Chapter 4 - Access Control, Role-based models, RBAC. Content: role-based models, role-based access control, the administrative role-based access control model.


Text content: Lecture Chapter 4: Access Control Role-based models RBAC

  1. Chapter 4: Access Control. Role-based models, RBAC
  2. Agenda: Role-based models; Administrative role-based access control model. Reference: https://books.google.com.vn/books?id=_O7xBwAAQBAJ&pg=PA171&lpg=PA171&dq=Open/close+policy+in+database+security&source=bl&ots=4cH6efHzHp&sig=eO6djffmpiyvB0L6hmWAbPPeZow&hl=vi&sa=X&ei=-F2PVb-YOcaJuATyvIHQAw&redir_esc=y#v=onepage&q&f=false
  3. Role-based models. Many organizations base access control decisions on “the roles that individual users take on as part of the organization”. They prefer to centrally control and maintain access rights that reflect the organization’s protection guidelines. With RBAC, role-permission relationships can be predefined, which makes it simple to assign users to the predefined roles. The combination of users and permissions tends to change over time, while the permissions associated with a role are more stable. The RBAC concept supports three well-known security principles:
     – Least privilege
     – Separation of duties
     – Data abstraction
  4. Role Based Access Control (RBAC). Access control in organizations is based on “roles that individual users take on as part of the organization”. A role is “a collection of permissions”. [Figure: Users, Roles and Permissions, linked by User Role Assignment and Role Permission Assignment; Role Hierarchies over Roles; Constraints.]
  5. Role Based Access Control  (RBAC)
  6. RBAC. Access depends on role/function, not identity.
     – Example: Allison is bookkeeper for the Math Dept. She has access to financial records. If she leaves and Betty is hired as the new bookkeeper, Betty now has access to those records. The role of “bookkeeper” dictates access, not the identity of the individual.
  7. RBAC. [Figure: (a) users u1..un assigned directly to permissions o1..om: n × m assignments; (b) users u1..un assigned to a role r, and r assigned to permissions o1..om: n + m assignments. Alongside, the role hierarchy used in later slides: Manager above Senior Administrator and Senior Engineer; Senior Administrator above Administrator; Senior Engineer above Engineer; Administrator and Engineer above Employee.]
  8. RBAC (cont’d). Is RBAC a discretionary or mandatory access control?
     – RBAC is policy neutral; however, individual RBAC configurations can support a mandatory policy, while others can support a discretionary policy.
     Role Hierarchies, Role Administration. [Figure: example hierarchy with Project Supervisor at the top, Test Engineer and Programmer below it, and Project Member at the bottom.]
  9. RBAC (NIST Standard). [Figure: Users, Roles, Operations and Objects; Operations × Objects form Permissions; UA links Users to Roles, PA links Permissions to Roles; Sessions link to Users via user_sessions (one-to-many) and to Roles via role_sessions (many-to-many).] An important difference from classical models is that the Subject in other models corresponds to a Session in RBAC.
  10. Core RBAC (relations)
     $Permissions = 2^{Operations \times Objects}$
     $UA \subseteq Users \times Roles$
     $PA \subseteq Permissions \times Roles$
     $assigned\_users: Roles \to 2^{Users}$
     $assigned\_permissions: Roles \to 2^{Permissions}$
     $Op(p)$: set of operations associated with permission $p$
     $Ob(p)$: set of objects associated with permission $p$
     $user\_sessions: Users \to 2^{Sessions}$
     $session\_user: Sessions \to Users$
     $session\_roles: Sessions \to 2^{Roles}$
     – $session\_roles(s) = \{r \mid (session\_user(s), r) \in UA\}$
     $avail\_session\_perms: Sessions \to 2^{Permissions}$
  11. RBAC with General Role Hierarchy. [Figure: the NIST diagram of slide 9 with RH (role hierarchy) added as a relation on Roles; UA, PA, user_sessions (one-to-many) and role_sessions (many-to-many) as before.]
  12. RBAC with General Role Hierarchy
     $authorized\_users: Roles \to 2^{Users}$
     $authorized\_users(r) = \{u \mid r' \ge r \;\&\; (u, r') \in UA\}$
     $authorized\_permissions: Roles \to 2^{Permissions}$
     $authorized\_permissions(r) = \{p \mid r \ge r' \;\&\; (p, r') \in PA\}$
     $RH \subseteq Roles \times Roles$ is a partial order
     – called the inheritance relation
     – written as $\ge$
     $(r_1 \ge r_2) \Rightarrow authorized\_users(r_1) \subseteq authorized\_users(r_2) \;\&\; authorized\_permissions(r_2) \subseteq authorized\_permissions(r_1)$
  13. Example. [Figure: the role hierarchy of slide 7 (Manager above Senior Administrator and Senior Engineer; those above Administrator and Engineer; those above Employee) with permissions assigned per role: Employee: px, py; Administrator: pm, pn; Engineer: p1, p2; Senior Administrator: pa, pb; Senior Engineer: po; Manager: pp. Users e1 to e10 are assigned to the roles; the user-to-role edges are not legible in the extracted text.] Questions: authorized_users(Employee)? authorized_users(Administrator)? authorized_permissions(Employee)? authorized_permissions(Administrator)?
  14. Constrained RBAC. [Figure: the hierarchical model with RH (role hierarchy), plus Static Separation of Duty constraints on UA and Dynamic Separation of Duty constraints on Sessions.]
  15. Separation of Duties
     – No user should be given enough privileges to misuse the system on their own.
     – Statically: defining the conflicting roles.
     – Dynamically: enforcing the control at access time.
  16. Role vs. Types: Data Structures
     RBAC:
     – U: set of users
     – P: set of permissions
     – R: set of roles
     – Permission Assignment
     Type Enforcement:
     – E: set of subjects or objects
     – ST: set of subject types
     – OT: set of object types
     – O: set of operations
  17. Role vs. Types: Data Structures. Users: U; Permissions: P; Roles: R; Assignments: user-role, perm-role, role-role; Sessions: S; Functions: user(S), roles(S); Constraints: C.
  18. RBAC Family of Models. RBAC0 contains all but hierarchies and constraints. RBAC1 contains RBAC0 and hierarchies. RBAC2 contains RBAC0 and constraints. RBAC3 contains all. The RBAC family idea has always been more a NIST initiative. The RBAC families are present in the NIST RBAC standard [NIST2001] with slight modifications:
     – RBAC0, RBAC1 (options), RBAC3 (SSD), RBAC3 (DSD)
  19. Advantages of RBAC. Allows efficient security management
     – Administrative roles, Role hierarchy
     Principle of least privilege allows minimizing damage. Separation of Duties constraints to prevent fraud. Allows grouping of objects. Policy-neutral, provides generality: encompasses DAC and MAC policies.
  20. RBAC’s Benefits
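The relations of slides 10 and 12, the slide 13 hierarchy and the separation-of-duty checks of slide 15, written out as one added Python example (this is not code from the lecture deck or from any project). It takes the slide 13 role hierarchy and per-role permissions px..pp as given; the user-to-role assignment of e1..e10, the extra leaf roles Purchaser, Approver, Cashier and Cashier Supervisor with their permissions pc and pv, the SSD/DSD pairs and the session ids are constructed for illustration. Calling authorized_users and authorized_permissions for Employee and Administrator answers the slide 13 questions under that constructed assignment.

```python
"""RBAC from the lecture (slides 10, 12, 13 and 15) as runnable Python.
Added example, not from the deck.  Role hierarchy and permissions px..pp
follow slide 13; the user-to-role assignment, the four extra leaf roles
with permissions pc/pv, the SoD pairs and the session ids are CONSTRUCTED."""

# RH as direct senior -> junior edges (slide 13 hierarchy + constructed leaf roles).
RH = {"Manager": {"Senior Administrator", "Senior Engineer"},
      "Senior Administrator": {"Administrator"}, "Senior Engineer": {"Engineer"},
      "Administrator": {"Employee"}, "Engineer": {"Employee"}, "Employee": set(),
      "Purchaser": set(), "Approver": set(), "Cashier": set(), "Cashier Supervisor": set()}
# PA ⊆ Permissions x Roles (pc, pv are constructed extras).
PA = {("px", "Employee"), ("py", "Employee"), ("pm", "Administrator"),
      ("pn", "Administrator"), ("p1", "Engineer"), ("p2", "Engineer"),
      ("pa", "Senior Administrator"), ("pb", "Senior Administrator"),
      ("po", "Senior Engineer"), ("pp", "Manager"),
      ("pc", "Cashier"), ("pv", "Cashier Supervisor")}
# UA ⊆ Users x Roles (constructed: the slide's user edges are not legible).
UA = {("e1", "Administrator"), ("e2", "Administrator"),
      ("e3", "Senior Administrator"), ("e4", "Senior Administrator"),
      ("e5", "Senior Engineer"), ("e6", "Engineer"), ("e7", "Engineer"),
      ("e8", "Manager"), ("e9", "Manager"), ("e10", "Employee")}
# Conflicting roles (slide 15): SSD is checked when UA changes, DSD at activation.
SSD = {frozenset({"Purchaser", "Approver"})}
DSD = {frozenset({"Cashier", "Cashier Supervisor"})}
SESSIONS = {}   # session id -> [user, set of active roles]

class SoDViolation(Exception): pass

def juniors(r):
    """{r' | r >= r'}: r itself plus everything reachable downwards in RH."""
    seen, todo = {r}, [r]
    while todo:
        for j in RH[todo.pop()]:
            if j not in seen:
                seen.add(j); todo.append(j)
    return seen

def seniors(r):
    """{r' | r' >= r}."""
    return {s for s in RH if r in juniors(s)}

# Core RBAC (slide 10): direct assignments only.
def assigned_users(r): return {u for u, x in UA if x == r}
def assigned_permissions(r): return {p for p, x in PA if x == r}

# General role hierarchy (slide 12): users flow down, permissions flow up.
def authorized_users(r): return {u for u, x in UA if x in seniors(r)}
def authorized_permissions(r): return {p for p, x in PA if x in juniors(r)}

def hierarchy_consistent():
    """Slide 12 property: r1 >= r2 implies authorized_users(r1) ⊆
    authorized_users(r2) and authorized_permissions(r2) ⊆ authorized_permissions(r1)."""
    return all(authorized_users(r1) <= authorized_users(r2) and
               authorized_permissions(r2) <= authorized_permissions(r1)
               for r1 in RH for r2 in juniors(r1))

# Constraints (slide 15).
def assign(u, r):
    """Static SoD: refuse a UA entry that would give u both roles of an SSD pair."""
    held = {x for uu, x in UA if uu == u} | {r}
    for pair in SSD:
        if pair <= held:
            raise SoDViolation(f"SSD: {u} cannot hold both of {sorted(pair)}")
    UA.add((u, r))

def create_session(sid, u):
    SESSIONS[sid] = [u, set()]

def activate(sid, r):
    """Dynamic SoD: refuse r if the other role of a DSD pair is already active."""
    u, active = SESSIONS[sid]
    if (u, r) not in UA:
        raise PermissionError(f"{r} is not assigned to {u}")
    for pair in DSD:
        if pair <= active | {r}:
            raise SoDViolation(f"DSD: {sorted(pair)} cannot both be active in {sid}")
    active.add(r)

def avail_session_perms(sid):
    """Permissions of the session's active roles, inherited juniors included."""
    return set().union(*(authorized_permissions(r) for r in SESSIONS[sid][1]))

def sod_demo():
    """Exercise both checks on the constructed data; returns what happened."""
    out = {}
    assign("e11", "Purchaser")
    try:
        assign("e11", "Approver"); out["ssd"] = "allowed"
    except SoDViolation as e:
        out["ssd"] = str(e)
    assign("e12", "Cashier"); assign("e12", "Cashier Supervisor")  # DSD allows holding both
    create_session("s1", "e12"); activate("s1", "Cashier")
    try:
        activate("s1", "Cashier Supervisor"); out["dsd"] = "allowed"
    except SoDViolation as e:
        out["dsd"] = str(e)
    out["s1_perms"] = avail_session_perms("s1")
    return out
```

Under the constructed assignment, authorized_users("Administrator") collects e1..e4, e8 and e9 (everyone whose role is Administrator or senior to it), while authorized_permissions("Administrator") is pm, pn plus the inherited px, py; hierarchy_consistent() checks the slide 12 inclusion property over every pair. sod_demo() shows the two enforcement points of slide 15: the SSD pair is refused at assignment time, the DSD pair is accepted in UA but refused when the second role is activated in the same session.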