
A ROLE-BASED ACCESS CONTROL FOR INTRANET SECURITY

ZAHIR TARI AND SHUN-WU CHAN
Royal Melbourne Institute of Technology

IEEE INTERNET COMPUTING, SEPTEMBER-OCTOBER 1997

Secure intranets are founded on the protection of logical resources accessible in corporate enterprises. The proposed I-RBAC, role-based access control for intranet security, offers efficient security management based on varied levels of role authorizations.

Through its open standards, the Internet set the foundation for the global community and access to resources that millions of computer users enjoy today. The benefits that accrue to the global community from this approach are also available to corporate enterprises through intranets, private information networks that use Internet software and standards but are not accessible from the Internet-at-large by the general public. An intranet uses the TCP/IP protocol for both wide-area and local-area information transport, as well as HTTP, SMTP, and other open Internet-based standards to move information from clients to servers [1]. An intranet architecture for a corporate enterprise typically involves a set of servers (such as a SQL server, Web server, and database server) interconnected within a local area network.

In the global community, unresolved issues of Internet security inhibit people from, for example, entering their credit card numbers to purchase goods and services. Within corporate enterprises using intranets, security is usually the number one concern. There are three basic threat areas: storage, access, and transfer. Storage security refers to the protection of physical resources, which can be located in one or more servers. Access security concerns authentication and access to the (logical) resources available in the intranet. Transfer security relates to the protection of information in transit. It involves various encryption techniques such as symmetric and asymmetric keys, encrypted and decrypted messages, and digital signatures and certificates.

This article describes the basic elements of a role-based access control framework we have developed, namely I-RBAC. We also discuss its implementation. I-RBAC protects an intranet from intruders. It is designed around two central issues: determining if a network object has appropriate permissions to access intranet resources; and determining how to check the permissions of a network object.

PERMISSION GRANTING

Our approach to the problem of granting user permissions assigns roles that determine the scope of access that network objects have to the intranet's resources and privileges. Intranet administrators can create roles according to the job functions performed in the organizations. They can then grant permissions (essentially, access authorizations) to these roles, and assign network objects to the roles on the basis of the network objects' responsibilities. A network object refers to an entity of an intranet that either uses, consumes, or provides a service.

Over the past few years, there have been several proposals for role-based access control. Some have suggested extensions to existing control, such as mandatory access control [2-6]. Others have discussed specific architectures, such as a three-tier architecture, for implementing role-based access control on diverse platforms [7].

INTRANET ENVIRONMENTS

I-RBAC access control deals specifically with intranet environments. Role-based access control for intranets differs from existing access controls on several points.

First, a role may refer either to local or global permissions within an intranet. Local permissions are a set of privileges that a network object has on the different network objects available in individual servers.
Global permissions are a set of privileges on the servers of the whole intranet. The main difference between local and global permissions is in the granularity of the permission set, which can be on either network objects or servers.

Second, local roles refer to specialized roles that are concerned with local permissions on network objects in individual servers, whereas global roles refer to ordinary enterprise roles that have global permissions on a network server. For example, local roles, within a Web server, can be Web Administrator, Web Publisher, Web Editor, and so on. These local roles may have their job functionality specialized to perform specific tasks within this Web server. The local permissions related to these local roles may be the privileges to Read, Write, Modify, and Create any Web page within the Web server. A global role in a corporate enterprise may consist of General Manager, Department Manager, Supervisor, and ordinary employee. The global role Supervisor may be authorized with global permissions to access the intranet's resources with different local roles in different servers.

Third, to allow flexible enforcement of security policies within an intranet environment, we introduce two types of role hierarchy. Local role hierarchies describe the permissions of local or global network objects to use individual servers' resources. (We will explain the differences between these objects later.) The global role hierarchy relates to resource accessibility across the whole intranet. Each type of hierarchy provides an appropriate mechanism to enforce different policies: local policies for individual servers and global policies for the entire intranet.

Finally, to enforce global security policies efficiently, we propose a replication mechanism that increases the availability of global security database information for checking network object authorizations.

RATIONALE FOR ROLE-BASED ACCESS

Three main reasons justify a role-based approach to enforce local and global security policies within an intranet.
- Simplified authorization management: A role hierarchy model simplifies the task of managing the enterprise intranet. User authorization can be accomplished by separately (1) assigning users to existing roles, and (2) assigning access privileges for objects to roles. This separation has the advantage of simplifying an intranet administrator's workload. Imagine that a programmer, assigned to an employee role, is promoted to project leader. The intranet administrator assigns the project leader to a project role. With role-based access control, the user gains the privileges that come with project role assignment in addition to the privileges that accompany employee role assignment. This avoids the necessity of revoking authorization assignment directly between users and objects.
- Least-privilege assignment: This principle assigns the minimum privileges to a given object in order for the object to perform specific operations using intranet resources. For example, a network user assigned a given role can perform only the activities connected with the assigned privileges. This minimizes the potential for damaging the intranet.
- Separation of duties: This principle requires that several network objects be invoked to perform a specific task. Thus, no individual user can misuse privileges by acting alone. For example, both a manager from the manager role and an accountant from the accountant role must be involved in the task of issuing a company check.

GENERIC ROLE-BASED ACCESS CONTROL

We have designed a role-based access control for intranets, called I-RBAC. In this section we describe the I-RBAC concepts and their interrelationships in the context of intranet security enforcement.

Key Concepts

Network objects, permissions, and roles are the three key concepts.

Network object. A network object defines a network entity that either stores data, performs specific services, or represents a piece of network hardware. Entities can be active, such as human users, or inactive, such as a database server or Web server. A network object has a unique identity in the network and has a permission, a property, and a value associated with it. A permission is a set of privileges that an object has in regard to the intranet's resources. A property is a set of attributes describing the characteristics of the network object (for example, the object's name, IP address, and creation date). A value represents the object's state: the actual data value for each attribute of the object's property. Security information can be attached to a network object as a list, recording a group of trusted network objects that are authorized to access other network objects. This is an Access Control List (ACL).

Permission. A permission is a set of attributes describing the kind of privileges that determine what a network object can do. The intranet administrator assigns permissions to a network object. For clarity, we assume that a permission set contains only the following privileges:
- Supervisor (S) grants all sorts of rights to an individual network object or group of objects
- Create (C) allows the creation or renaming of a network object
- Delete (D) enables the deletion of a network object
- Read (R) allows a network object to read the content of an object value
- Write (W) lets a network object write or modify the content of an object state
- Execute (X) enables a network object to execute services (or operations) of other network objects

Table 1 lists a set of network objects, user objects in a corporate enterprise, with their corresponding Access Control Lists and the associated permissions. Privileges contained inside a permission set are enclosed in square brackets. An individual granted privilege is separated by a ",", while the symbol "-" denotes that the privilege is not granted to a network object.

Table 1. Network object representation.

Network Object  Property  Value  Permission Set   Access Control List
S1000           Name      John   [-,C,D,R,W,-]    j_mail, j_project
S1000           Name      John   [-,-,-,R,-,-]    Tom
PK130           Name      Mary   [-,-,-,R,W,-]    *

Table 1 shows that the network object identified by S1000 (called object identity) has multiple properties (for example, name and age). Here we focus just on the name property. S1000, which corresponds to the user named John, has been granted
- all privileges except S and X to access the network objects j_mail (which is the network object representing his e-mail) and j_project.
- only the R privilege to access the network object Tom.

Table 1 also shows that the network object Mary grants Read and Write privileges to access any available network object. Any available object is represented as an asterisk (*).

Role. A role is a higher level representation of access control [2,3]. It can relate to either a single network object or a group of them and is associated with different permissions. All network objects assigned a given role share the same privileges as the permission associated with that role. All the privileges associated with roles and their accessible network objects in the Access Control Lists are recorded in a role table (Rtbl), which is used to check the authorizations of users. A role table is a triple (r,p,l), where r refers to role, p refers to permission set, and l is the ACL containing accessible network objects. The role is specified as a row, while the permission set and the ACL are specified as columns. Table 2 is an example role table.
Note that the roles Project, Administrator, and Marketing are assigned to access network objects Mail-object (of the Mail Server) and File-object (of the File Server) with different permission assignment, respectively. A user object assigned a Project role will have all privileges to access Mail-object in Mail-Server role, except the Supervisor privilege, and have Read, Write, and Execute privileges to access File objects in File-Server role.

Table 2. An example of a role table.

Role           Permission Set   ACL
Project        [-,C,D,R,W,X]    Mail-object
Administrator  [-,C,D,R,W,X]    Mail-object
Marketing      [-,-,-,R,W,X]    Mail-object
Project        [-,-,-,R,W,X]    File-object
Administrator  [-,C,D,R,W,X]    File-object
Marketing      [-,C,D,R,W,X]    File-object

Role Hierarchy

The notion of hierarchy of roles lets us more clearly structure authorizations. A role hierarchy will ultimately be analogous to an organization's logical authority and responsibility structure. The higher position a role has in the hierarchy, the more privileges it has, and vice versa.

According to Figure 1, a combination of network objects with permissions are attached to a role. This combination is called a category [6] and it provides specifications of (complex) authorizations within intranet environments. Recall that in Table 2, the network object Mail-object had a list of permissions specified as [-,C,D,R,W,X] (that is, Mail-object.type = {C,D,R,W,X}). Furthermore, the role Project had two instances of the category involving Network-object and Permission: one instance was (Mail-object, [-,C,D,R,W,X]) and the other one was (File-object, [-,-,-,R,W,X]).

Figure 1. Key elements of the I-RBAC.

The acyclic is-a relationship graph, defined between roles, defines the different specialization (or generalization) of authorizations within a corporate enterprise. This enables further security specifications on the different permissions that network objects can have. For example, r1 is-a r2 (where r1 is called a subrole and r2 is a superrole) means that r1 inherits all the permissions defined in r2 and introduces additional permissions on other network objects.

Inheritance. Figure 2 illustrates an example of role inheritance. In this acyclic graph representation, the most junior programmer has a role. The Testing and Analyst roles are specializations of a higher level, generic role. A network object (in this case, a user) assigned as either Testing or Analyst inherits all permissions. Similarly, the Supervising role inherits permissions from both Testing and Analyst, and it introduces additional permissions. We call such inheritance of multiple roles multiple inheritance.
Multiple inheritance may present some conflicts. For example, the Supervising may inherit different permissions, say ACL1 and ACL2, about the network object X from the Testing and Analyst roles, respectively. Even though there are different permissions for X within these two lists, the Supervising will inherit ACL1 ACL2 permissions for X.

Figure 2. A role inheritance hierarchy.

Role inheritance in a role-based access control provides a better way of structuring user authorizations than those access controls that do not support role inheritance. However, a role hierarchy can be problematical regarding scope of inheritance of permissions and the use of private permissions [2].

Private roles. Permission assignment through inheritance simplifies overall intranet management, but the scope of permission inheritance must be limited. For example, certain privileges should not flow down from the top of the role hierarchy to the bottom. Limiting inheritance thus requires new concepts for subrole assignment. In Figure 3, the Supervising role inherits authorizations of the roles Testing and Analyst, and introduces additional specific authorizations. However, a Testing will probably want the Supervising to inherit only some of its permissions. For instance, a Testing does not want the Supervising to access incomplete work files. To solve the problem of inheriting private permissions, in Figure 3 we introduce Testing'. This private role, which is also a subrole, contains only those private authorizations of Testing. The Supervising thus has only limited authorizations; its inheritance does not reflect Testing authorizations.

Figure 3. Role inheritance hierarchy with private permissions.

Private-role hierarchy. Because private roles restrict permissions within a hierarchy, the set of all private roles may result in a new, private-role hierarchy. This is useful whenever organizations want to limit the inheritance of permissions. Figure 4 illustrates a private-role hierarchy, depicting seven roles that could be assigned to different network objects. These roles are P (for projects), P1, P2, and P3 (for subroles of P), S1 (for Supervising), S2 (for Analyst), and T1 (for Testing). The roles P, P2, P3, and S2 are a private subhierarchy within the existing hierarchy because S1 is not allowed to inherit some of their permissions. Each affected role is specialized in order to model the required private permissions. Therefore, as the figure shows, we created new private roles (for example, P, P2, P3, and S2). In addition to the private roles, the system replicated the is-a relationships between the original roles, thus creating an entire subhierarchy involving all the private roles. The permissions of the private hierarchy cannot be inherited by the other network objects, such as S1.

Figure 4. An example of a role hierarchy and its extension with private roles.

LOCAL ROLE HIERARCHY

Local roles specify the permissions that a network object has to access individual intranet resources. Global roles, which we discuss later, specify the permissions to access resources throughout the intranet.

The Model

An intranet's architecture [6] varies depending on organizational requirements, resulting in varying security requirements. A generic role-based access control model lets an enterprise specify different security requirements to reflect different user authorizations. Local-role hierarchies are the individual role hierarchies on an intranet's component servers. Local-role models are defined much as was shown in Figure 1. Each local role has a set of privileges for local network objects. The intranet administrator uses a local-role hierarchy to construct an access privilege hierarchy. Such a hierarchy helps an administrator track authorized activities of network objects within the intranet. Figure 5 shows the local-role hierarchies for a corporate enterprise intranet.

Figure 5. Local-role hierarchies within a corporate enterprise intranet. (Servers shown: Application server (GS1), SQL server (GS2), Database server (GS3), Web server (GS4), Legacy Internet documentation server (GS5); local-role hierarchies LRH1 to LRH5.)

Local-Role Database

The local-role database (LRdb) stores the access information of a server's network objects within an intranet. An LRdb contains different numbers of permission domain tables to express all accessible network objects that a role can access. A permission domain table represents which roles can access network objects in a specific privilege domain. Since a permission set contains six types of privilege, an LRdb then has six permission domain tables, one for each type of permission (such as Supervisor, Create, Delete, Read, Write, and Execute).

Building a permission domain table. To build a permission domain table, the system uses information in the role table. This information determines the network objects that can be accessed by other network objects, along with the types of permissions delegated to it. When an intranet administrator assigns a user, X, to a role, r, the object inherits specific permission to access some network objects (Ys) specified in r. Within the permission domain table for LRdb, we record 1 for entry Ys of X. If the object Y is not concerned with r, then the entry for Y will be 0. Table 3 shows a write permission domain table (WDtbl). The first row refers to the roles, while the columns refer to network objects. In this case, a user assigned to a Marketing role has a Write privilege to the content of Mail-object only in the local Mail Server. Thus, we record a 1 in the column of the network object Mail-object and a 0 for the network object File-object.

Table 3. A write permission domain table.

Role           Mail-object (from Mail server)   File-object (from File server)
Project        1                                1
Administrator  1                                1
Marketing      1                                0

Recomputation of privileges. When a privilege is taken away from one role and assigned to another, the system must recompute privileges to update the local-role database. Recomputation performs the difference of permissions within a local-role hierarchy to determine the corresponding Access Control List for the role. For example, to update a domain table for the Write permission, the system first inserts objects into the permission domain table resulting from the difference for a Write permission.
Then the system inserts network objects accessible from the role table. Other domain tables for other permissions are created similarly.

Updating the LRdb. The local-role database must be constantly adjusted when permissions change for an intranet role or object. The system updates all the tables affected by the change in permission. This avoids having to update all the required tables of an LRdb. If a role or a network object is removed from the enterprise intranet, then the system must also delete it from the affected domain tables.

GLOBAL-ROLE HIERARCHY

Global privileges in an intranet are specified and managed by means of global roles and a global-role hierarchy.

The Model

All intranet servers maintain a local-role database on each component server to check permissions before a given network object performs an operation. However, the network object can attempt other operations on other servers. The network object thus behaves globally, having both local and global permissions allowing the use of different resources. Such a network object is called a global network object. From a design standpoint, the main difference between global and local object networks is that a global network object has a unique identity known throughout the intranet. A local network object has an identity known only with the corresponding local server.

To authorize secure access to intranet resources, we introduce global roles. Global roles let an intranet administrator specify authorizations for network objects across multiple servers. These roles take individual local roles into account; thus, a global role can have multiple local roles in multiple servers. Together, the set of all relevant local roles defines the global permissions of the global network object. An example illustrating the definition of global roles in terms of local roles is given in Table 4.
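The role table, is-a inheritance, private roles and permission domain tables described in the local-role sections above can be exercised together; the following is an added example, not the authors' code. The role table contents, object names and all function names are constructed for illustration, and permissions inherited from several superroles are assumed to combine by union.

```python
PRIVS = "SCDRWX"  # slot order of a permission set: Supervisor, Create, Delete, Read, Write, Execute

def parse_pset(text):
    """'[-,C,D,R,W,X]' -> frozenset('CDRWX'); a letter in the wrong slot is rejected."""
    slots = text.strip("[]").split(",")
    if len(slots) != len(PRIVS):
        raise ValueError(f"expected {len(PRIVS)} slots in {text!r}")
    granted = set()
    for slot, priv in zip(slots, PRIVS):
        if slot == priv:
            granted.add(priv)
        elif slot != "-":
            raise ValueError(f"unexpected {slot!r} in the {priv} slot of {text!r}")
    return frozenset(granted)

# Constructed local role table: (role, permission set, object named in the ACL).
ROLE_TABLE = [
    ("Programmer",  "[-,-,-,R,-,-]", "spec-doc"),
    ("Testing",     "[-,-,-,R,W,X]", "test-suite"),
    ("Testing'",    "[-,C,D,R,W,-]", "draft-results"),  # private role: incomplete work files
    ("Analyst",     "[-,-,-,R,W,-]", "spec-doc"),
    ("Analyst",     "[-,-,-,R,-,-]", "test-suite"),
    ("Supervising", "[-,C,D,R,W,X]", "release-plan"),
]
# Constructed is-a edges, subrole -> superroles. Supervising is-a Testing, not
# Testing', so the private permissions never reach it.
IS_A = {
    "Testing": ["Programmer"],
    "Analyst": ["Programmer"],
    "Testing'": ["Testing"],
    "Supervising": ["Testing", "Analyst"],
}

def effective(role, role_table, is_a, _path=()):
    """Own entries plus everything inherited from superroles: {object: privileges}."""
    if role in _path:
        raise ValueError("is-a graph must be acyclic: " + " -> ".join(_path + (role,)))
    perms = {}
    for r, pset, obj in role_table:
        if r == role:
            perms[obj] = perms.get(obj, frozenset()) | parse_pset(pset)
    for parent in is_a.get(role, ()):
        inherited = effective(parent, role_table, is_a, _path + (role,))
        for obj, privs in inherited.items():
            perms[obj] = perms.get(obj, frozenset()) | privs  # assumed: union
    return perms

def build_domain_tables(role_table, is_a):
    """One 0/1 table per privilege: tables[priv][role][object]."""
    roles = sorted({r for r, _, _ in role_table} | set(is_a))
    objects = sorted({o for _, _, o in role_table})
    tables = {p: {r: dict.fromkeys(objects, 0) for r in roles} for p in PRIVS}
    for role in roles:
        for obj, privs in effective(role, role_table, is_a).items():
            for p in privs:
                tables[p][role][obj] = 1
    return tables

def is_allowed(tables, role, priv, obj):
    """Deny unless the domain table for priv records a 1 for (role, object)."""
    return tables[priv].get(role, {}).get(obj, 0) == 1

def revoke(role_table, role, priv, obj):
    """New role table with priv removed from the role's own entry for obj."""
    out = []
    for r, pset, o in role_table:
        if (r, o) == (role, obj):
            kept = parse_pset(pset) - {priv}
            pset = "[" + ",".join(p if p in kept else "-" for p in PRIVS) + "]"
        out.append((r, pset, o))
    return out

def changed_entries(old, new):
    """(privilege, role, object) bits that differ, i.e. the tables that need updating."""
    return sorted((p, r, o) for p in PRIVS for r in new[p] for o in new[p][r]
                  if old[p].get(r, {}).get(o, 0) != new[p][r][o])

TABLES = build_domain_tables(ROLE_TABLE, IS_A)

if __name__ == "__main__":
    for role, row in TABLES["W"].items():  # the write permission domain table
        print(f"{role:12}", row)
```

Revoking Write on test-suite from Testing changes the Write table entries of Testing' and Supervising as well, which is why recomputation has to follow the hierarchy rather than edit a single row.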

Table 4. An example of a global-role table.

Global Roles   Global Permissions   ACL
R1             r11, r12             GS1
R2             r11, r13             GS1
R3             r11, r15             GS1
R1             r31                  GS3

Figure 6. Key elements of a global role and its relationships with local roles.

Figure 6 illustrates a global role and its relationships with local roles. A global role contains a list of local roles for each intranet server. Each local role has an Access Control List containing a permission set for accessible local network objects. A server can contain more than one of these objects. Like local roles, global roles also have is-a relationships that define a global-role hierarchy depicting permission inheritance.

Permission assignment to global roles is, as we noted earlier, through a set of permissions to servers. A global role thereby specifies local roles for each intranet server. This identifies the access privileges of network objects to different servers. The global-role hierarchy specifies an overall logical authority hierarchy for an intranet. This hierarchy lets the system learn about a role in terms of its authorized network object access. The hierarchy provides a higher level of abstraction for security management and, together with roles, simplifies the task of authorization assignment.

Global-Role Database

As with local-role hierarchies, a global-role database (GRdb) records all the accessible network objects from any intranet server. Within a GRdb, a global-role table (GRtbl) stores all the authorizations for the corresponding global roles. Formally, a GRtbl is similar to that of a local-role table. It is a triple (r_g, p_g, l_g), where r_g specifies global roles; p_g specifies the global permissions and l_g is for the ACL. To avoid the inefficiency that would result from centralizing the GRdb's information access or update, the system replicates the GRdb in each server to increase availability of global security information. A problem may arise when one copy of the replica is updated within a local server, as we will see.

Building the global-role database. The global-role database, defined from the global-role table, is built by the intranet administrator using the local-role databases. This database specifies all possible authorizations on network objects for global roles through specifying the set of local roles. The intranet security administrator selects the location where the global-role database will be (physically) located in one of the intranet servers.

Figure 7 shows an example of global roles in an intranet. The global role R1 has a set of permissions defined in terms of local permissions on different servers. A global network object assigned a role R1 will have
- an access privilege r11 and r12 to server GS1. It has Write, Read, and Execute permissions on network objects o11 and o12 of server GS1.
- an access privilege r31 in server GS3, meaning that it has only Read permission on all objects of SQL server GS3. As the figure indicates, this means that it has only Read permission on all objects of GS3.

Table 4 shows the database GRdb for the global roles R1, R2, and R3.

Figure 7. An example of global role mappings.
  Application server (GS1), LRH1: r11, r12, r13
    r11: [-,-,-,R,W,X] {o11, o12}
    r12: [-,C,D,R,W,X] {o11} [*] {o12}
    r13: [-,-,-,R,-,-] {o11}
  SQL server (GS3), LRH3: r31, r33, r35
    r31: [-,-,-,R,-,-] {*}
    r33: [-,C,D,R,W,X] {o32}
    r35: [-,C,D,R,W,X] {o31}
  Replicated GRH (R1, R2, R3) on each server:
    R1: [r11, r12] {GS1} [r31] {GS3}
    R2: [r11, r13] {GS1} [r33] {GS3}
    R3: [r11, r15] {GS1}

Updating the global-role database. The global-role database is automatically updated by the system when roles are added to or deleted from the enterprise intranet. After updating the global-role database, the server (where the database is physically located) also broadcasts the update to other servers. This keeps replicas consistent within every server. Database replica consistency is crucial for intranet security: To enforce the required permissions on available resources, each server must be aware of all new roles and subroles.

Replicating the global-role database has two key advantages. One is reduced intranet traffic plus provision of a quick authorization validation, using both the local and the replicated role hierarchy databases. The second advantage is the availability of the global-role database. If any one server fails, the other servers can still access the global database.

Because of possible communication delays in the network, however, not all replica updates may be current. Consequently, some replicas may not reflect the intranet's latest security requirements. To avoid such problems, our proposed approach introduces an execution ordering of updates to the replicas called total ordering. Our approach extends the technique proposed by Coulouris and colleagues [3]. A description of our total ordering approach follows.

Given servers S_1, ..., S_n of an intranet, each server maintains a copy of the global-role database. We denote the copies by cp_1, ..., cp_n. To keep the copies up-to-date, the updates must be received and applied in the same order in every copy. Therefore, the updates must be uniquely identified to enable each server to enforce the order.
We propose a distributed approach, with each intranet server generating time-stamp identifiers for update operations. Each server will have a front-end (FE) service responsible for generating update identifiers. Each server has two defined values: F_max (which is the last maximum identifier agreed by all the servers) and P_max (the proposed identifier by the front end). When a front end, say FE_i, receives an update, it does three things:
- Increments the value of P_max by one to inform other servers that a new update must be applied to the replica.
- Broadcasts the value of P_max to all the remaining servers of the intranet. When a server, say S_j, receives the broadcasted message, it will compute a (local) maximum identifier based on the maximum-agreed identifier. The formula to compute such an identifier is max(F_max, P^i_max) + 1 + 1/n. The increment by 1 in this formula enables the front end (or the server) to inform other intranet servers about the new update. The value 1/n makes the generated identifier unique across the intranet. When the identifiers are computed by each of the servers, these will send it back to the front-end FE_i.
- Computes the maximum of all identifiers proposed by servers maintaining the replica. When this has been computed, FE_i will broadcast it to each intranet server. This will inform all the servers of the update operation's identifier, and it will update the maximum-agreed identifier (that is, F_max) in every server.

With this proposed replication algorithm, replicas of the global-role database will be automatically and consistently updated across the intranet.

Global- and local-role database mapping. When a network object with a given role wants to access intranet resources, the object's identity must first be validated. The system checks its role identity by means of the global-role database. If the object's global role exists, then the system will derive its global permissions, defined as mappings of global authorizations to local authorizations.
Later, the system will use the six permission domain tables in the local-role databases (of the different servers) to verify the global role's derived local authorizations.

I-RBAC IMPLEMENTATION

We have implemented the proposed role-based access control for intranets with agents [8]. These are active network objects that implement the different security procedures by checking the user's authorizations (global and local) for any access, update, or use of the intranet's resources. In a simple way, our agents refer to an active entity that can perform specific tasks within an intranet environment.

The agents contain two main parts, an interface and an implementation. The interface, which is defined using the CORBA (Common Object Request Broker Architecture) IDL (Interface Definition Language) [9], specifies the required security procedures to be enforced within an intranet. These procedures involve, for example, user authentication, global permission checking, local permission checking, and so on. The implementation part of the agent describes how the security procedures can be performed within an intranet's server to support the specified agent's interface.

Rather than using a single agent to enforce all the required security procedures, we have designed the current implementation of I-RBAC to use different agents for different responsibilities in maintaining an intranet in a secure state. We distinguish between three types of agents: coordination agents, task agents, and database agents. Figure 8 shows these agents, and Figure 9 illustrates their intercommunication. Here we briefly describe some functionalities.

Figure 8. The different agents required to implement I-RBAC. (Labels: Application server (GS1), SQL server (GS2), Security server, Network, User; Global role manager, Global replica manager, Authenticator, Local role manager, Local replica manager; Local-role database, Replica of GR database, Global-role database; agent types Coordination, Task, Database.)

Coordination Agents

These manage an intranet's different activities, including security policy enforcement and user authentication, for example. As shown in Figure 8, the Global Role Manager (GRM) and Global Replication Manager (GrM) are the coordination agents that secure the overall running of an intranet. The GRM coordinates the security activity, whereas the GrM is concerned with information availability within the different role databases when a network problem occurs.

When users first connect to an intranet, they are authenticated by the Global Authenticator. Then the GRM checks the user's permissions and communicates with the active Local Role Manager (LRM) agents to see if there is any violation of security policies. The final decision of granting the user either access or update to the intranet resources depends on the information about the user's roles recorded within the local-role and global-role databases.

Because the intranet is an evolving environment, the local-role or global-role database is updated whenever, for example, the user's permissions are changed in an organization. To keep the role databases and their replicas consistent with intranet changes, the LRM or GRM agents send any operation on the role database to the GrM. The GrM's main function is to enforce the total ordering of operations on the replicas, using the algorithm we presented earlier. When the operation's identifiers are generated, GrM then broadcasts the generated total order to be applied on every replica by the Local Replica Manager (LrM) agents.
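The identifier exchange that the GrM enforces can be simulated as below; this is an added sketch, not the authors' implementation. It assumes identifiers are (counter, server index) pairs in place of the per-server fraction, adds a hold-back queue for delivery, and uses constructed update names and arrival orders.

```python
class Replica:
    """Server S_j holding copy cp_j of the global-role database."""

    def __init__(self, index):
        self.index = index
        self.f_max = (0, 0)   # largest identifier agreed so far (F_max)
        self.p_max = (0, 0)   # largest identifier this server has proposed (P_max)
        self.hold = {}        # update id -> [identifier, agreed?, operation]
        self.applied = []     # operations in the order applied to this copy

    def propose(self, uid, op):
        """Answer a front end's request with a proposal above everything seen so far."""
        counter = max(self.f_max, self.p_max)[0] + 1
        self.p_max = (counter, self.index)   # the server index breaks ties between servers
        self.hold[uid] = [self.p_max, False, op]
        return self.p_max

    def agree(self, uid, ident):
        """Record the agreed identifier, then apply every update that is safe to apply."""
        self.f_max = max(self.f_max, ident)
        self.hold[uid][0] = ident
        self.hold[uid][1] = True
        while self.hold:
            first = min(self.hold, key=lambda u: self.hold[u][0])
            _, agreed, op = self.hold[first]
            if not agreed:
                break   # an earlier update is still waiting for its agreed identifier
            self.applied.append(op)
            del self.hold[first]


def replicate(updates, arrival):
    """updates: {uid: operation}; arrival: {server index: [uid, ...]} in arrival order.

    Returns ({server index: applied operations}, {uid: agreed identifier}).
    """
    replicas = {j: Replica(j) for j in arrival}
    proposals = {uid: [] for uid in updates}
    # Phase 1: each server proposes an identifier for every request it receives.
    for j, order in arrival.items():
        for uid in order:
            proposals[uid].append(replicas[j].propose(uid, updates[uid]))
    # Phase 2: the front end takes the maximum proposal and broadcasts it.
    agreed = {uid: max(p) for uid, p in proposals.items()}
    for j, order in arrival.items():
        for uid in reversed(order):   # agreements may arrive in yet another order
            replicas[j].agree(uid, agreed[uid])
    return {j: r.applied for j, r in replicas.items()}, agreed


# Constructed scenario: two concurrent updates reach server 2 in the opposite order.
UPDATES = {"u1": "add global role R4", "u2": "delete global role R2"}
ARRIVAL = {1: ["u1", "u2"], 2: ["u2", "u1"], 3: ["u1", "u2"]}

if __name__ == "__main__":
    orders, agreed = replicate(UPDATES, ARRIVAL)
    print(agreed)
    for j, applied in orders.items():
        print(f"cp_{j}:", applied)
```

Applying updates on arrival would leave cp_2 with the deletion before the addition; with agreed identifiers all three copies apply the same sequence.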
Task Agents

These are responsible for specific activities within an intranet, for example, the optimization of the user's queries and the checking of the user's authorization. Figures 8 and 9 show two task agents, the LRM and the LrM. The LRM contains the security procedures that check the local user's permissions and communicate to the GRM whether or not the user can be granted the right to perform an operation. The LrM's main function of course is to keep the different replicas of the role databases consistent. When an LrM receives the total order from the GrM, it transmits the operations, one by one, to the Database agent.
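The mapping from a global role to local roles, and the check against each server's local permissions described under the global- and local-role database mapping, can be sketched as follows; this is an added example, not the authors' code. The local-role and global-role entries are taken from Figure 7, while the function names and the dangling-reference check are this example's own.

```python
# Local-role definitions from Figure 7: server -> local role -> {object: privileges}.
# "*" stands for any object. The second entry of r12, printed as "[*] {o12}" in the
# figure, is left out because the text does not say what it means.
LOCAL_ROLES = {
    "GS1": {
        "r11": {"o11": "RWX", "o12": "RWX"},
        "r12": {"o11": "CDRWX"},
        "r13": {"o11": "R"},
    },
    "GS3": {
        "r31": {"*": "R"},
        "r33": {"o32": "CDRWX"},
        "r35": {"o31": "CDRWX"},
    },
}

# Global-role table from Figure 7: global role -> server -> local roles.
GLOBAL_ROLES = {
    "R1": {"GS1": ["r11", "r12"], "GS3": ["r31"]},
    "R2": {"GS1": ["r11", "r13"], "GS3": ["r33"]},
    "R3": {"GS1": ["r11", "r15"]},
}


def local_grants(server, local_role, obj):
    """Privileges a local role holds on obj, or None if the server does not define it."""
    acl = LOCAL_ROLES.get(server, {}).get(local_role)
    if acl is None:
        return None
    return set(acl.get(obj, "")) | set(acl.get("*", ""))


def check_access(global_role, server, obj, priv):
    """Global role -> local roles on the server -> local privilege check.

    Returns (allowed, reason); anything not explicitly granted is denied.
    """
    mapping = GLOBAL_ROLES.get(global_role)
    if mapping is None:
        return False, "unknown global role"
    for local_role in mapping.get(server, []):
        grants = local_grants(server, local_role, obj)
        if grants and priv in grants:
            return True, local_role
    return False, "no local role grants it"


def dangling_references():
    """Local roles named in the global-role table that the server's entries lack.

    A reference like this grants nothing, and it is the kind of inconsistency
    between global-role and local-role databases worth reporting on each update.
    """
    return sorted(
        (g, server, r)
        for g, mapping in GLOBAL_ROLES.items()
        for server, roles in mapping.items()
        for r in roles
        if r not in LOCAL_ROLES.get(server, {})
    )


if __name__ == "__main__":
    print(check_access("R1", "GS1", "o12", "W"))
    print(check_access("R1", "GS3", "o31", "W"))
    print(dangling_references())
```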

[Figure 9. Communication between agents. Messages related to security management: 1. Operation on intranet; 2. Authenticate the user; 3. Get global roles; 4. Transmit permission set; 5. Get local roles; 6. Check the local permissions against the operation type; 7. Perform the operation. Messages related to replication management: 1. Update operation on a role database; 2. Delegate; 3. Ask to enforce total ordering; 4. Send the order of operation execution; 5. Perform an update operation.]

Database Agents. These perform typical database functions including, for example, updating the local-role and global-role databases. A Database agent, prior to performing an operation on the appropriate database, first asks the Authenticator to authenticate the agent requesting the database update. If the authentication succeeds, then the Database agent performs the operation and duly informs the requester.

CONCLUSION AND FUTURE WORK

The proposed I-RBAC access control enables efficient security management within intranets. Our experience shows that a corporate enterprise intranet's security depends largely on access control management. One advantage of the proposed I-RBAC is flexibility in tailoring security requirements to meet different security access policies of a corporate enterprise intranet. This is achieved by including within I-RBAC an efficient user authorization mechanism based on user-to-role assignment, and also by providing a mechanism to structure authority responsibility for different servers.

The implementation we've discussed can be used by any corporate enterprise to protect their intranet's server-based resources from intruders. The security agents will filter anonymous access and thereby stop any illegal or insecure use of network resources.

From the standpoint of corporate enterprises, I-RBAC may have a couple of limitations:

One major problem concerns consistency between roles. This can be expressed in terms of local-role and global-role databases. Because an intranet is an evolving environment, the evolution of roles must be managed to keep the different databases consistent to reflect new security requirements. Solutions to this problem will be based on static and dynamic separation of duties [6]. Static separation refers to the fact that a user cannot be assigned to two related roles simultaneously, whereas dynamic separation lets a user be assigned to multiple related roles. The user cannot, however, activate all these roles at the same time.

The issue of operation concurrency has not been addressed within I-RBAC. In an intranet environment, there are often multiple concurrent operations executed by different users. The problem occurs particularly when the concurrent operations update the same information within an intranet. Solutions can be borrowed from work done in distributed databases, such as locking and time-stamp protocols, to enforce consistency.

Future work will concern I-RBAC's extension to deal with the two problems just described. Also, our proposed implementation will be extended to include intranet federations, thus enabling security policy enforcement within large-scale distributed systems.

REFERENCES

1. S.L. Telleen, IntraNet Methodology: Concepts and Rationale, tech. report, Amdahl Corp., 1997; intra/concepts1.html.
2. R.W. Baldwin, Naming and Grouping Privileges to Simplify Security Management in Large Databases, Proc. IEEE CS Symp. on Research in Security and Privacy, Los Alamitos, Calif., 1990, pp.
3. G. Coulouris, J. Dollimore, and T. Kindberg, Distributed Systems: Concepts and Design, 2nd ed., Addison-Wesley, Reading, Mass.,
4. R. Elmasri, J. Weeldreyer, and A. Hevner, The Category Concept: An Extension of the Entity Relationship Model, Int'l J. Data and Knowledge Engineering, Vol. 1, No. 1, May
5. R.S. Sandhu and P. Samarati, Access Control: Principle and Practice, IEEE Comm., Sept. 1994, pp.
6. R.S. Sandhu and E.J. Coyne, Role-Based Access Control Models, Computer, Feb. 1996, pp.
7. R.S. Sandhu and H.L. Feinstein, A Three-Tier Architecture for Role-Based Access Control, Proc. 17th NIST-NCS Nat'l Computer Security Conf., Baltimore, Md., 1994, pp.
8. Z. Tari, Using Agents for Secure Access to Data in the Internet, IEEE Comm., June 1997, pp.
9. Object Management Group, Common Object Request Broker Architecture and Specifications, rev. 2.2, Framingham, Mass., 1995, (OMG documentation available at

Zahir Tari is a senior lecturer at Royal Melbourne Institute of Technology in Australia. He is leading the DOK (Distributed Object Kernel) project aimed at the design of a set of federated services on a CORBA platform. Tari earned a master in operational research and a PhD in computer science, both from the University of Grenoble, France. He is the program committee co-chair of the IFIP Database Semantics 1998 international conference. He is a member of the IEEE, ACM, and AIS (Association of Information Systems).

Shun-Wu Chan is a master student in information technology at Royal Melbourne Institute of Technology (RMIT) in Australia. His master research project relates to the design and implementation of the I-RBAC for intranet security. Chan's research interests are object-oriented databases and advanced client-server architectures. Chan obtained a bachelor degree in computer science and a master degree in information technology, both from RMIT.

Contact the authors at Dept. of Computer Science, RMIT, Bundoora East Campus, VIC 3083 Australia; zahirt@cs.rmit.edu.au; shunc@numbat.cs.rmit.edu.au; edu.au/~shunc.


5 Boolean Decision Trees (February 11) 5 Boolea Decisio Trees (February 11) 5.1 Graph Coectivity Suppose we are give a udirected graph G, represeted as a boolea adjacecy matrix = (a ij ), where a ij = 1 if ad oly if vertices i ad j are coected

More information

INVESTMENT PERFORMANCE COUNCIL (IPC) Guidance Statement on Calculation Methodology

INVESTMENT PERFORMANCE COUNCIL (IPC) Guidance Statement on Calculation Methodology Adoptio Date: 4 March 2004 Effective Date: 1 Jue 2004 Retroactive Applicatio: No Public Commet Period: Aug Nov 2002 INVESTMENT PERFORMANCE COUNCIL (IPC) Preface Guidace Statemet o Calculatio Methodology

More information

Distributed Storage Allocations for Optimal Delay

Distributed Storage Allocations for Optimal Delay Distributed Storage Allocatios for Optial Delay Derek Leog Departet of Electrical Egieerig Califoria Istitute of echology Pasadea, Califoria 925, USA derekleog@caltechedu Alexadros G Diakis Departet of

More information

ADAPTIVE NETWORKS SAFETY CONTROL ON FUZZY LOGIC

ADAPTIVE NETWORKS SAFETY CONTROL ON FUZZY LOGIC 8 th Iteratioal Coferece o DEVELOPMENT AND APPLICATION SYSTEMS S u c e a v a, R o m a i a, M a y 25 27, 2 6 ADAPTIVE NETWORKS SAFETY CONTROL ON FUZZY LOGIC Vadim MUKHIN 1, Elea PAVLENKO 2 Natioal Techical

More information

Design and Implementation of a Publication Database for the Vienna University of Technology

Design and Implementation of a Publication Database for the Vienna University of Technology Desig ad Implemetatio of a Publicatio Database for the Viea Uiversity of Techology Karl Riedlig Istitute of Idustrial Electroics ad Material Sciece, TU Wie, A-040 Viea karl.riedlig@tuwie.ac.at Abstract:

More information

A guide to School Employees' Well-Being

A guide to School Employees' Well-Being A guide to School Employees' Well-Beig Backgroud The public school systems i the Uited States employ more tha 6.7 millio people. This large workforce is charged with oe of the atio s critical tasks to

More information

Security Functions and Purposes of Network Devices and Technologies (SY0-301) 1-800-418-6789. Firewalls. Audiobooks

Security Functions and Purposes of Network Devices and Technologies (SY0-301) 1-800-418-6789. Firewalls. Audiobooks Maual Security+ Domai 1 Network Security Every etwork is uique, ad architecturally defied physically by its equipmet ad coectios, ad logically through the applicatios, services, ad idustries it serves.

More information

Matrix Model of Trust Management in P2P Networks

Matrix Model of Trust Management in P2P Networks Matrix Model of Trust Maagemet i P2P Networks Miroslav Novotý, Filip Zavoral Faculty of Mathematics ad Physics Charles Uiversity Prague, Czech Republic miroslav.ovoty@mff.cui.cz Abstract The trust maagemet

More information

Evaluating Model for B2C E- commerce Enterprise Development Based on DEA

Evaluating Model for B2C E- commerce Enterprise Development Based on DEA , pp.180-184 http://dx.doi.org/10.14257/astl.2014.53.39 Evaluatig Model for B2C E- commerce Eterprise Developmet Based o DEA Weli Geg, Jig Ta Computer ad iformatio egieerig Istitute, Harbi Uiversity of

More information

Enhancing Oracle Business Intelligence with cubus EV How users of Oracle BI on Essbase cubes can benefit from cubus outperform EV Analytics (cubus EV)

Enhancing Oracle Business Intelligence with cubus EV How users of Oracle BI on Essbase cubes can benefit from cubus outperform EV Analytics (cubus EV) Ehacig Oracle Busiess Itelligece with cubus EV How users of Oracle BI o Essbase cubes ca beefit from cubus outperform EV Aalytics (cubus EV) CONTENT 01 cubus EV as a ehacemet to Oracle BI o Essbase 02

More information

Subject CT5 Contingencies Core Technical Syllabus

Subject CT5 Contingencies Core Technical Syllabus Subject CT5 Cotigecies Core Techical Syllabus for the 2015 exams 1 Jue 2014 Aim The aim of the Cotigecies subject is to provide a groudig i the mathematical techiques which ca be used to model ad value

More information

BaanERP 5.0c. EDI User Guide

BaanERP 5.0c. EDI User Guide BaaERP 5.0c A publicatio of: Baa Developmet B.V. P.O.Box 143 3770 AC Bareveld The Netherlads Prited i the Netherlads Baa Developmet B.V. 1999. All rights reserved. The iformatio i this documet is subject

More information

Convention Paper 6764

Convention Paper 6764 Audio Egieerig Society Covetio Paper 6764 Preseted at the 10th Covetio 006 May 0 3 Paris, Frace This covetio paper has bee reproduced from the author's advace mauscript, without editig, correctios, or

More information

Baan Finance Accounts Payable

Baan Finance Accounts Payable Baa Fiace Accouts Payable Module Procedure UP035A US Documetiformatio Documet Documet code : UP035A US Documet group : User Documetatio Documet title : Accouts Payable Applicatio/Package : Baa Fiace Editio

More information

Digital Enterprise Unit. White Paper. Web Analytics Measurement for Responsive Websites

Digital Enterprise Unit. White Paper. Web Analytics Measurement for Responsive Websites Digital Eterprise Uit White Paper Web Aalytics Measuremet for Resposive Websites About the Authors Vishal Machewad Vishal Machewad has over 13 years of experiece i sales ad marketig, havig worked as a

More information

Location, Location, Location! Modeling Data Proximity in the Cloud

Location, Location, Location! Modeling Data Proximity in the Cloud Locatio, Locatio, Locatio! Modelig Data Proximity i the Cloud Birjodh Tiwaa tiwaa@eecs.umich.edu Uiversity of Michiga rbor, MI Hitesh Ballai hiballa@microsoft.com Microsoft Research Cambridge, UK Mahesh

More information

Generalized Scheme For Fractal Based Digital Signature (GFDS)

Generalized Scheme For Fractal Based Digital Signature (GFDS) IJCSS Iteratioal Joural of Computer Sciece ad etwork Security, VOL.7 o.7, July 2007 99 Geeralized Scheme For Fractal Based Digital Sigature (GFDS) Mohammad Ahmad Alia ad Azma Bi Samsudi, School of Computer

More information

How to read A Mutual Fund shareholder report

How to read A Mutual Fund shareholder report Ivestor BulletI How to read A Mutual Fud shareholder report The SEC s Office of Ivestor Educatio ad Advocacy is issuig this Ivestor Bulleti to educate idividual ivestors about mutual fud shareholder reports.

More information

leasing Solutions We make your Business our Business

leasing Solutions We make your Business our Business if you d like to discover how Bp paribas leasig Solutios Ca help you to achieve your goals please get i touch leasig Solutios We make your Busiess our Busiess We look forward to hearig from you you ca

More information

Transient Vibration of the single degree of freedom systems.

Transient Vibration of the single degree of freedom systems. Trasiet Vibratio of the sigle degree of freedo systes. 1. -INTRODUCTION. Trasiet vibratio is defied as a teporarily sustaied vibratio of a echaical syste. It ay cosist of forced or free vibratios, or both

More information

Entropy of bi-capacities

Entropy of bi-capacities Etropy of bi-capacities Iva Kojadiovic LINA CNRS FRE 2729 Site école polytechique de l uiv. de Nates Rue Christia Pauc 44306 Nates, Frace iva.kojadiovic@uiv-ates.fr Jea-Luc Marichal Applied Mathematics

More information

Message Exchange in the Utility Market Using SAP for Utilities. Point of View by Marc Metz and Maarten Vriesema

Message Exchange in the Utility Market Using SAP for Utilities. Point of View by Marc Metz and Maarten Vriesema Eergy, Utilities ad Chemicals the way we see it Message Exchage i the Utility Market Usig SAP for Utilities Poit of View by Marc Metz ad Maarte Vriesema Itroductio Liberalisatio of utility markets has

More information

Controller Area Network (CAN) Schedulability Analysis: Refuted, Revisited and Revised

Controller Area Network (CAN) Schedulability Analysis: Refuted, Revisited and Revised Cotroller Area Networ (CAN) Schedulability Aalysis: Refuted, Revisited ad Revised Robert. Davis ad Ala Burs Real-ie Systes Research Group, Departet of Coputer Sciece, Uiversity of Yor, YO1 5DD, Yor (UK)

More information