Role-Based Access Control



David Ferraiolo and Richard Kuhn
National Institute of Standards and Technology
Gaithersburg, Maryland 20899

Reprinted from Proceedings of 15th National Computer Security Conference, 1992

Abstract

While Mandatory Access Controls (MAC) are appropriate for multilevel secure military applications, Discretionary Access Controls (DAC) are often perceived as meeting the security processing needs of industry and civilian government. This paper argues that reliance on DAC as the principal method of access control is unfounded and inappropriate for many commercial and civilian government organizations. The paper describes a type of non-discretionary access control - role-based access control (RBAC) - that is more central to the secure processing needs of non-military systems than DAC.

1 Introduction

The U.S. government has been involved in developing security technology for computer and communications systems for some time. Although advances have been great, it is generally perceived that the current state of security technology has, to some extent, failed to address the needs of all. [1], [2] This is especially true of organizations outside the Department of Defense (DoD). [3]

The current set of security criteria, criteria interpretations, and guidelines has grown out of research and development efforts on the part of the DoD over a period of twenty plus years. Today the best known U.S. computer security standard is the Trusted Computer System Evaluation Criteria (TCSEC [4]). It contains security features and assurances, exclusively derived, engineered and rationalized based on DoD security policy, created to meet one major security objective - preventing the unauthorized observation of classified information. The result is a collection of security products that do not fully address security issues as they pertain to unclassified sensitive processing environments. Although existing security mechanisms have been partially successful in promoting security solutions outside of the DoD [2], in many instances these controls are less than perfect, and are used in lieu of a more appropriate set of controls.

The TCSEC specifies two types of access controls: Discretionary Access Controls (DAC) and Mandatory Access Controls (MAC). Since the TCSEC's appearance in December of 1983, DAC requirements have been perceived as being technically correct for commercial and civilian government security needs, as well as for single-level military systems. MAC is used for multi-level secure military systems, but its use in other applications is rare. The premise of this paper is that there exists a control, referred to as Role-Based Access Control (RBAC), that can be more appropriate and central to the secure processing needs within industry and civilian government than that of DAC, although the need for DAC will continue to exist.

2 Aspects of Security Policies

Recently, considerable attention has been paid to researching and addressing the security needs of commercial and civilian government organizations. It is apparent that significant and broad sweeping security requirements exist outside the Department of Defense. [2], [5], [6] Civilian government and corporations also rely heavily on information processing systems to meet their individual operational, financial, and information technology requirements. The integrity, availability, and confidentiality of key software systems, databases, and data networks are major concerns throughout all sectors. The corruption, unauthorized disclosure, or theft of corporate resources could disrupt an organization's operations and have immediate, serious financial, legal, human safety, personal privacy and public confidence impact.

Like DoD agencies, civilian government and commercial firms are very much concerned with protecting the confidentiality of information. This includes the protection of personnel data, marketing plans, product announcements, formulas, manufacturing and development techniques. But many of these organizations have even greater concern for integrity. [1] Within industry and civilian government, integrity deals with broader issues of security than confidentiality. Integrity is particularly relevant to such applications as funds transfer, clinical medicine, environmental research, air traffic control, and avionics. The importance of integrity concerns in defense systems has also been studied in recent years. [7], [8] A wide gamut of security policies and needs exist within civilian government and private organizations. An organizational meaning of security cannot be presupposed. Each organization has unique security requirements, many of which are difficult to meet using traditional MAC and DAC controls.

As defined in the TCSEC and commonly implemented, DAC is an access control mechanism that permits system users to allow or disallow other users access to objects under their control:

"A means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that

a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control)." [4]

DAC, as the name implies, permits the granting and revoking of access privileges to be left to the discretion of the individual users. A DAC mechanism allows users to grant or revoke access to any of the objects under their control without the intercession of a system administrator.

In many organizations, the end users do not "own" the information for which they are allowed access. For these organizations, the corporation or agency is the actual "owner" of system objects as well as the programs that process it. Control is often based on employee functions rather than data ownership.

Access control decisions are often determined by the roles individual users take on as part of an organization. This includes the specification of duties, responsibilities, and qualifications. For example, the roles an individual associated with a hospital can assume include doctor, nurse, clinician, and pharmacist. Roles in a bank include teller, loan officer, and accountant. Roles can also apply to military systems; for example, target analyst, situation analyst, and traffic analyst are common roles in tactical systems. A role based access control (RBAC) policy bases access control decisions on the functions a user is allowed to perform within an organization. The users cannot pass access permissions on to other users at their discretion. This is a fundamental difference between RBAC and DAC.

Security objectives often support a higher level organizational policy, such as maintaining and enforcing the ethics associated with a judge's chambers, or the laws and respect for privacy associated with the diagnosis of ailments, treatment of disease, and the administering of medicine with a hospital. To support such policies, a capability to centrally control and maintain access rights is required. The security administrator is responsible for enforcing policy and represents the organization.

The determination of membership and the allocation of transactions to a role is not so much in accordance with discretionary decisions on the part of a system administrator, but rather in compliance with organization-specific protection guidelines. These policies are derived from existing laws, ethics, regulations, or generally accepted practices. These policies are non-discretionary in the sense that they are unavoidably imposed on all users. For example, a doctor can be provided with the transaction to prescribe medicine, but does not possess the authority to pass that transaction on to a nurse.

RBAC is in fact a form of mandatory access control, but it is not based on multilevel security requirements. As defined in the TCSEC, MAC is

"A means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e. clearance) of subjects to access information of such sensitivity." [4]

Role based access control, in many applications (e.g. [9], [10], [11]) is concerned more with access to functions and information than strictly with access to information.

The act of granting membership and specifying transactions for a role is loosely analogous to the process of clearing users (granting membership) and the labeling (associate operational sensitivities) of objects within the DoD. The military policy is with respect to one type of capability: who can read what information. For these systems the unauthorized flow of information from a high level to a low level is the principal concern. As such, constraints on both reads and writes are in support of that rule. Within a role-based system, the principal concern is protecting the integrity of information: "who can perform what acts on what information."

A role can be thought of as a set of transactions that a user or set of users can perform within the context of an organization. Transactions are allocated to roles by a system administrator. Such transactions include the ability for a doctor to enter a diagnosis, prescribe medication, and add an entry to (not simply modify) a record of treatments performed on a patient. The role of a pharmacist includes the transactions to dispense but not prescribe prescription drugs. Membership in a role is also granted and revoked by a system administrator.

Roles are group oriented. For each role, a set of transactions allocated to the role is maintained. A transaction can be thought of as a transformation procedure [1] (a program or portion of a program) plus a set of associated data items. In addition, each role has an associated set of individual members. As a result, RBACs provide a means of naming and describing many-to-many relationships between individuals and rights. Figure 1 depicts the relationships between individual users, roles/groups, transformation procedures, and system objects.

Figure 1: Role Relationships (diagram of users, roles/groups, transactions trans_a and trans_b, and objects; not reproduced)

The term transaction is used in this paper as a convenience to refer to a binding of transformation procedure and data storage access. This is not unlike conventional usage of the term in commercial systems. For example, a savings deposit transaction is a procedure that updates a savings database and transaction file. A transaction may also be quite general, e.g. "read savings file". Note however, that "read" is not a transaction in the sense used here, because the read is not bound to a particular data item, as "read savings file" is.

The importance of control over transactions, as opposed to simple read and write access, can be seen by considering typical banking transactions. Tellers may execute a savings deposit transaction, requiring read and write access to specific fields within a savings file and a transaction log file. An accounting supervisor may be able to execute correction transactions, requiring exactly the same read and write access to the same files as the teller. The difference is the process executed and the values written to the transaction log file.

The applicability of RBAC to commercial systems is apparent from its widespread use. Baldwin [9] describes a database system using roles to control access. Nash and Poland [10] discuss the application of role based access control to cryptographic authentication devices commonly used in the banking industry. Working with industry groups, the National Institute of Standards and Technology has developed a proposed standard, "Security Requirements for Cryptographic Modules," (Federal Information Processing Standard 140-1) [11] that will require support for access control and administration through roles. To date, these role based systems have been developed by a variety of organizations, with no commonly agreed upon definition or recognition in formal standards. Role based access controls described in this paper address security primarily for application-level systems, as opposed to general purpose operating systems.

3 Formal Description of RBAC

To clarify the notions presented in the previous section, we give a simple formal description, in terms of sets and relations, of role based access control. No particular implementation mechanism is implied.

For each subject, the active role is the one that the subject is currently using:

$AR(s: subject) = \{\text{the active role for subject } s\}$

Each subject may be authorized to perform one or more roles:

$RA(s: subject) = \{\text{authorized roles for subject } s\}$

Each role may be authorized to perform one or more transactions:

$TA(\{r: role\}) = \{\text{transactions authorized for role } r\}$

Subjects may execute transactions. The predicate exec(s,t) is true if subject s can execute transaction t at the current time, otherwise it is false:

$exec(s: subject, t: tran) = true$ iff subject s can execute transaction t.

Three basic rules are required:

1. Role assignment: A subject can execute a transaction only if the subject has selected or been assigned a role:

$\forall s: subject,\ t: tran\ (exec(s,t) \Rightarrow AR(s) \neq \emptyset)$ (1)

The identification and authentication process (e.g. login) is not considered a transaction. All other user activities on the system are conducted through transactions. Thus all active users are required to have some active role.

2. Role authorization: A subject's active role must be authorized for the subject:

$\forall s: subject\ (AR(s) \subseteq RA(s))$ (2)

With (1) above, this rule ensures that users can take on only roles for which they are authorized.

3. Transaction authorization: A subject can execute a transaction only if the transaction is authorized for the subject's active role:

$\forall s: subject,\ t: tran\ (exec(s,t) \Rightarrow t \in TA(RA(s)))$ (3)

With (1) and (2), this rule ensures that users can execute only transactions for which they are authorized. Note that, because the conditional is "only if", this rule allows the possibility that additional restrictions may be placed on transaction execution. That is, the rule does not guarantee a transaction to be executable just because it is in TA(AR(s)), the set of transactions potentially executable by the subject's active role. For example, a trainee for a supervisory role may be assigned the role of "supervisor", but have restrictions applied to his or her user role that limit accessible transactions to a subset of those normally allowed for the supervisor role.

In the preceding discussion, a transaction has been defined as a transformation procedure, plus a set of data items accessed by the transformation procedure. Access control in the rules above does not require any checks on the user's right to access a data object, or on the transformation procedure's right to access a data item, since the data accesses are built into the transaction. Security issues are addressed by binding operations and data into a transaction at design time, such as when privacy issues are addressed in an insurance query transaction.

It is also possible to redefine the meaning of "transaction" in the above rules to refer only to the transformation procedure, without including a binding to objects. This would require a fourth rule to enforce control over the modes in which users can access objects through transaction programs. For example, a fourth rule such as

$\forall s: subject,\ t: tran,\ o: object\ (exec(s,t) \Rightarrow access(AR(s), t, o, x))$ (4)

could be defined using a transaction (redefined to transformation procedure) to object access function access(r, t, o, x) which indicates if it is permissible for a subject in role r to access object o in mode x using transaction t, where x is taken from some set of modes such as read, write, append. Note that the Clark-Wilson access control triple could be implemented by letting the modes x be the access modes required by transaction t, and having a one-to-one

relationship between subjects and roles. RBAC, as presented in this paper, thus includes Clark and Wilson access control as a special case.

Use of this fourth rule might be appropriate, for example, in a hospital setting. A doctor could be provided with read/write access to a prescription file, while the hospital pharmacist might have only read access. (Recall that use of the first three rules alone controls access to the transactions.) This alternative approach using the fourth rule might be helpful in enforcing confidentiality requirements.

Another use of RBAC is to support integrity. Integrity has been defined in a variety of ways, but one aspect [8] of integrity is a requirement that data and processes be modified only in authorized ways by authorized users. This seems to be a reasonable security objective for many real systems, and RBAC should be applicable to such systems.

In general, the problem of determining whether data have been modified only in authorized ways can be as complex as the transaction that did the modification. For this reason, the practical approach is for transactions to be certified and trusted. If transactions must be trusted then access control can be incorporated directly into each transaction. Requiring the system to control access of transaction programs to objects through the access function used in rule (4) might then be a useful form of redundancy, but it could involve significant overhead for a limited benefit in enforcing integrity requirements. Therefore, inclusion of a transaction to object access control function in RBAC would be useful in some, but not all applications.

4 Centrally Administering Security Using RBAC

RBAC is flexible in that it can take on organizational characteristics in terms of policy and structure. One of RBAC's greatest virtues is the administrative capabilities it supports.

Once the transactions of a Role are established within a system, these transactions tend to remain relatively constant or change slowly over time. The administrative task consists of granting and revoking membership to the set of specified named roles within the system. When a new person enters the organization, the administrator simply grants membership to an existing role. When a person's function changes within the organization, the user membership to his existing roles can be easily deleted and new ones granted. Finally, when a person leaves the organization, all memberships to all roles are deleted. For an organization that experiences a large turnover of personnel, a role-based security policy is the only logical choice.

In addition, roles can be composed of roles. For example, a Healer within a hospital can be composed of the roles healer, intern, and doctor. Figure 2 depicts an example of such a relationship. By granting membership to the Role Doctor, it implies access to all transactions defined by intern and healer, as well as those of a doctor. On the other hand, by granting membership to the intern role, this implies transactions of the intern and healer not the

Figure 2: Multi-Role Relationships (diagram of users 1-9, the nested roles Healer, Intern and Doctor, transactions trans_a to trans_f, and objects 1-6; not reproduced)

Doctor. However, by granting membership to the Healer role, this only allows access to those resources allowed under the role healer.

5 Principle of Least Privilege

The principle of least privilege has been described as important for meeting integrity objectives. [8] The principle of least privilege requires that a user be given no more privilege than necessary to perform a job. Ensuring least privilege requires identifying what the user's job is, determining the minimum set of privileges required to perform that job, and restricting the user to a domain with those privileges and nothing more. By denying to subjects transactions that are not necessary for the performance of their duties, those denied privileges cannot be used to circumvent the organizational security policy. Although the concept of least privilege currently exists within the context of the TCSEC, requirements restrict those privileges of the system administrator. Through the use of RBAC, enforced minimum privileges for general system users can be easily achieved.

6 Separation of Duties

RBAC mechanisms can be used by a system administrator in enforcing a policy of separation of duties. Separation of duties is considered valuable in deterring fraud since fraud can occur if an opportunity exists for collaboration between various job related capabilities.

Separation of duty requires that for particular sets of transactions, no single individual be allowed to execute all transactions within the set. The most commonly used examples are the separate transactions needed to initiate a payment and to authorize a payment. No single individual should be capable of executing both transactions. Separation of duty is an important consideration in real systems. [1], [12], [13], [14] The sets in question will vary depending on the application. In real situations, only certain transactions need to be restricted under separation of duty requirements. For example, we would expect a transaction for "authorize payment" to be restricted, but a transaction "submit suggestion to administrator" would not be.

Separation of duty can be either static or dynamic. Compliance with static separation requirements can be determined simply by the assignment of individuals to roles and allocation of transactions to roles. The more difficult case is dynamic separation of duty where compliance with requirements can only be determined during system operation. The objective behind dynamic separation of duty is to allow more flexibility in operations. Consider the case of initiating and authorizing payments. A static policy could require that no individual who can serve as payment initiator could also serve as payment authorizer. This could be implemented by ensuring that no one who can perform the initiator role could also perform the authorizer role. Such a policy may be too rigid for commercial use, making the cost of security greater than the loss that might be expected without the security. More flexibility could be allowed by a dynamic policy that allows the same individual to take on

both initiator and authorizer roles, with the exception that no one could authorize payments that he or she had initiated. The static policy could be implemented by checking only roles of users; for the dynamic case, the system must use both role and user id in checking access to transactions.

Separation of duty is necessarily determined by conditions external to the computer system. The Clark-Wilson [1] scheme includes the requirement that the system maintain the separation of duty requirement expressed in the access control triples. Enforcement is on a per-user basis, using the user id from the access control triple. As discussed above, user functions can be conveniently separated by role, since many users in an organization typically perform the same function and have the same access rights on TPs and data. Allocating access rights according to role is also helpful in defining separation of duty in a way that can be enforced by the system.

7 Summary and Conclusions

In many organizations in industry and civilian government, the end users do not "own" the information for which they are allowed access. For these organizations, the corporation or agency is the actual "owner" of system objects, and discretionary access control may not be appropriate. Role-Based Access Control (RBAC) is a nondiscretionary access control mechanism which allows and promotes the central administration of an organization-specific security policy.

Access control decisions are often based on the roles individual users take on as part of an organization. A role specifies a set of transactions that a user or set of users can perform within the context of an organization. RBAC provides a means of naming and describing relationships between individuals and rights, providing a method of meeting the secure processing needs of many commercial and civilian government organizations.

Various forms of role based access control have been described and some are used in commercial systems today, but there is no commonly accepted definition or formal standards encompassing RBAC. As such, evaluation and testing programs for these systems have not been established as they have for systems conforming to the Trusted Computer Security Evaluation Criteria. This paper proposed a definition of access controls based on user roles. The requirements and access control rules for RBAC proposed in this paper could be used as the basis for a common definition.

8 References

[1] D. D. Clark and D. R. Wilson. A Comparison of Commercial and Military Computer Security Policies. In IEEE Symposium on Computer Security and Privacy, April 1987.

[2] Computers at Risk. National Research Council, National Academy Press, 1991.

[3] Minimum Security Functionality Requirements for Multi-User Operating Systems (draft). Computer Systems Laboratory, NIST, January 27 1992.

[4] Trusted Computer Security Evaluation Criteria, DOD 5200.28-STD. Department of Defense, 1985.

[5] Z. G. Ruthberg and W. T. Polk, Editors. Report of the Invitational Workshop on Data Integrity. SP 500-168. Natl. Inst. of Stds. and Technology, 1989.

[6] S. W. Katzke and Z. G. Ruthberg, Editors. Report of the Invitational Workshop on Integrity Policy in Computer Information Systems. SP 500-160. Natl. Inst. of Stds. and Technology, 1987.

[7] J. E. Roskos, S. R. Welke, J. M. Boone, and T. Mayfield. Integrity in Tactical and Embedded Systems. Institute for Defense Analyses, HQ 89-034883/1, October 1989.

[8] Integrity in Automated Information Systems. National Computer Security Center, September 1991.

[9] R. W. Baldwin. Naming and Grouping Privileges to Simplify Security Management in Large Databases. In IEEE Symposium on Computer Security and Privacy, 1990.

[10] K. R. Poland and M. J. Nash. Some Conundrums Concerning Separation of Duty. In IEEE Symposium on Computer Security and Privacy, 1990.

[11] Security Requirements for Cryptographic Modules. Federal Information Processing Standard 140-1, National Institute of Standards and Technology, 1992.

[12] W. R. Shockley. Implementing the Clark/Wilson Integrity Policy Using Current Technology. In Proceedings of 11th National Computer Security Conference, October 1988.

[13] R. Sandhu. Transaction Control Expressions for Separation of Duties. In Fourth Aerospace Computer Security Applications Conference, December 1988.

[14] S. Wiseman and P. Terry. A 'New' Security Policy Model. In IEEE Symposium on Computer Security and Privacy, May 1989.
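The sets AR, RA and TA and rules (1)-(3) of section 3, together with the static and dynamic separation of duty policies of section 6, can be exercised in a small executable model. The following Python is an added example, not code from the paper or from NIST; the subject names, the transaction names and the "invoice-17"/"invoice-18" objects are constructed, and rule (3) is checked against the active role as the paper's prose (TA(AR(s))) describes it.

```python
from dataclasses import dataclass, field


@dataclass
class Rbac:
    """Sets and relations from the formal description (section 3), plus the
    two separation-of-duty policies of section 6. Added example, not NIST code."""
    RA: dict[str, set[str]] = field(default_factory=dict)  # RA(s): roles authorized for s
    TA: dict[str, set[str]] = field(default_factory=dict)  # TA(r): transactions for role r
    AR: dict[str, str] = field(default_factory=dict)       # AR(s): active role of s
    # Static SoD: role pairs that no single subject may be authorized for.
    static_sod: set[frozenset[str]] = field(default_factory=set)
    # Dynamic SoD: tran -> earlier tran; a subject may not execute `tran` on an
    # object if that same subject executed the earlier tran on the same object.
    dynamic_sod: dict[str, str] = field(default_factory=dict)
    # (tran, object) -> user id that executed it; the dynamic case needs the user id.
    history: dict[tuple[str, str], str] = field(default_factory=dict)

    def grant_role(self, subject: str, role: str) -> None:
        """Administrator grants membership. Static SoD is decided here, from the
        assignment of individuals to roles alone."""
        for held in self.RA.get(subject, set()):
            if frozenset((held, role)) in self.static_sod:
                raise ValueError(f"static SoD: {subject} may not hold {held} and {role}")
        self.RA.setdefault(subject, set()).add(role)

    def select_role(self, subject: str, role: str) -> None:
        """Subject takes on an active role; rule (2): AR(s) must lie within RA(s)."""
        if role not in self.RA.get(subject, set()):
            raise PermissionError(f"rule (2): {role} is not authorized for {subject}")
        self.AR[subject] = role

    def exec(self, subject: str, tran: str, obj: str) -> bool:
        """The predicate exec(s, t): True iff s may execute t (here on obj) now."""
        role = self.AR.get(subject)
        if role is None:                              # rule (1): AR(s) is non-empty
            return False
        if role not in self.RA.get(subject, set()):   # rule (2), re-checked at run time
            return False
        if tran not in self.TA.get(role, set()):      # rule (3): t in TA of active role
            return False
        # "only if": an additional restriction, the dynamic SoD check on user id.
        earlier = self.dynamic_sod.get(tran)
        if earlier is not None and self.history.get((earlier, obj)) == subject:
            return False
        self.history[(tran, obj)] = subject
        return True


def payment_demo() -> dict[str, bool]:
    """Constructed scenario: the paper's payment initiator / authorizer example."""
    ta = {"initiator": {"initiate_payment"}, "authorizer": {"authorize_payment"},
          "clerk": {"submit_suggestion"}}
    # Static policy: nobody may be authorized for both roles.
    static = Rbac(TA=dict(ta), static_sod={frozenset(("initiator", "authorizer"))})
    static.grant_role("alice", "initiator")
    try:
        static.grant_role("alice", "authorizer")
        static_rejected = False
    except ValueError:
        static_rejected = True
    # Dynamic policy: one person may hold both roles but not authorize what they initiated.
    dyn = Rbac(TA=dict(ta), dynamic_sod={"authorize_payment": "initiate_payment"})
    for subject, roles in {"alice": ("initiator", "authorizer"), "bob": ("authorizer",),
                           "carol": ("initiator",), "dave": ("clerk",)}.items():
        for r in roles:
            dyn.grant_role(subject, r)
    out = {"static_rejected": static_rejected}
    out["no_active_role"] = dyn.exec("dave", "submit_suggestion", "box")  # rule (1) fails
    dyn.select_role("alice", "initiator")
    out["alice_initiates_17"] = dyn.exec("alice", "initiate_payment", "invoice-17")
    out["initiator_cannot_authorize"] = dyn.exec("alice", "authorize_payment", "invoice-17")
    dyn.select_role("alice", "authorizer")
    out["alice_authorizes_own_17"] = dyn.exec("alice", "authorize_payment", "invoice-17")
    dyn.select_role("bob", "authorizer")
    out["bob_authorizes_17"] = dyn.exec("bob", "authorize_payment", "invoice-17")
    dyn.select_role("carol", "initiator")
    dyn.exec("carol", "initiate_payment", "invoice-18")
    out["alice_authorizes_carols_18"] = dyn.exec("alice", "authorize_payment", "invoice-18")
    return out


if __name__ == "__main__":
    for name, allowed in payment_demo().items():
        print(f"{name}: {allowed}")
```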