
Page 1: ARBAC99 (Model for Administration of Roles)

Ravi Sandhu, Qamar Munawer
George Mason University, Laboratory for Information Security Technology
www.list.gmu.edu

Page 2: RBAC96 (simplified)

© Ravi Sandhu 1999

(figure) USERS, ROLES and PERMISSIONS, connected by USER-ROLE ASSIGNMENT and PERMISSION-ROLE ASSIGNMENT, with ROLE HIERARCHIES over ROLES

Page 3: ARBAC97 DECENTRALIZES

user-role assignment (URA97)
permission-role assignment (PRA97)
role-role hierarchy (RRA99)

Page 4: ARBAC99 EXTENDS ARBAC97

URA99: mobile and immobile membership; prerequisite-based revocation
PRA99: dual of URA99
RRA99: no change

Page 5: EXAMPLE ROLE HIERARCHY

(figure) Employee (E); Engineering Department (ED); Director (DIR)
Project 1: Engineer 1 (E1), Production 1 (P1), Quality 1 (Q1), Project Lead 1 (PL1)
Project 2: Engineer 2 (E2), Production 2 (P2), Quality 2 (Q2), Project Lead 2 (PL2)

Page 6: EXAMPLE ADMINISTRATIVE ROLE HIERARCHY

(figure) Senior Security Officer (SSO); Department Security Officer (DSO); Project Security Officer 1 (PSO1); Project Security Officer 2 (PSO2)

Page 7: Motivation for ARBAC99

URA97 consequences: users can use the permissions of the role and of its junior roles, and users become eligible for assignment to other roles.

Page 8: Motivation for ARBAC99

Examples that require decomposition of these two aspects: trainee, visitor, consultant.

Page 9: New Concepts in URA99

Mobile Users: user ‘u’ can use the permissions of role x, and an administrative role can use this membership to put user ‘u’ in another role.

Immobile Users: user ‘u’ can use the permissions of role x, but an administrative role cannot use this membership to put user ‘u’ in another role.

Page 10: URA99 Model

Builds upon the concept of mobile and immobile membership of users.

To formalize this we consider a role x as consisting of two sub-roles Mx and IMx.

Membership in Mx is mobile, whereas membership in IMx is immobile.

Page 11: Role in URA99

Definition: For a given set of roles R1 we define a role in URA99 as R = {Mx, IMx | x R1}

Page 12: User Memberships in URA99

There are four kinds of user-role memberships in URA99.

Explicit Mobile Member EMx: u EMx (u, Mx) UA

Explicit Immobile Member EIMx: u EIMx (u, IMx) UA

Implicit Mobile Member ImMx: u ImMx ( x’ > x) (u, Mx’) UA

Implicit Immobile Member ImIMx: u ImIMx ( x’ > x) (u, IMx’) UA

Page 13: Precedence Rule in URA99

URA99 allows a user to have all four kinds of membership in a role at the same time, but only one of them is effective, by the following strict precedence rule: EMx > EIMx > ImMx > ImIMx

Page 14: Inheritance of Mobility and Immobility

(figure) three inheritance patterns over roles X1, X2 and X3, labelled Single, Multiple and Divergent

Page 15: Prerequisite condition for URA99 Grant Model

The URA97 prerequisite condition is quite straightforward.

In URA99 it is evaluated for a user u by interpreting x to be true if u EMx ( u ImMx u EIMx)

and x to be true if u EMx u EIMx u ImMx u ImIMx

Page 16: Can-assign relations for URA99 Grant Model

Assignment as mobile membership is authorized by can-assign-M AR CR 2^R

Assignment as immobile membership is authorized by can-assign-IM AR CR 2^R

Pages 17 and 18: repeat of the example role hierarchy and the example administrative role hierarchy from pages 5 and 6.

Page 19: Can-assign-M

Admin. Role   Pre. Cond.   Role Range
PSO1          ED           [E,PL1)
PSO2          ED           [E2,PL2)
DSO           ED PL2       [PL1,PL1]
DSO           ED PL1       [PL2,PL2]
SSO           ED           (D,DIR]
SSO           E            [ED,ED]

Page 20: Can-assign-IM

Admin. Role   Pre. Cond.   Role Range
PSO1          ED           [E,PL1)
PSO2          ED           [E2,PL2)
DSO           ED PL2       [PL1,PL1]
DSO           ED PL1       [PL2,PL2]
SSO           ED           (D,DIR]
SSO           E            [ED,ED]
DSO           E            [ED,ED]

Page 21: URA99 Grant Model authorizations

There is no implication in general that authority to grant mobile membership implies authority to grant immobile membership.

Page 22: URA99 - Revoke Model

URA99 revoke model fixes a lack of symmetry between grant and revoke models.

It deals with revocation of mobile and immobile memberships.

URA99 introduces two relations to authorize revocation.

Page 23: Can-revoke relations for URA99 Revoke Model

Revocation of mobile membership is authorized by can-revoke-M AR CR 2^R

Revocation of immobile membership is authorized by can-revoke-IM AR CR 2^R

Page 24: Can-revoke-M

Admin. Role   Prereq. Role   Role Range
PSO1          E              [E,PL1)
PSO2          E              [E2,PL2)
DSO           E              [ED,DIR]
SSO           E              [ED,DIR]
PSO1          E1             [E2,PL2)
PSO2          E2             [E1,PL1)

Page 25: Can-revoke-IM

Admin. Role   Prereq. Role   Role Range
PSO1          E              [E,PL1)
PSO2          E              [E2,PL2)
DSO           E              [ED,DIR]
SSO           E              [ED,DIR]
PSO1          E1             [E2,PL2)
PSO1          E2             [E1,PL1)
DSO           E              [ED,ED]

Page 26: Prerequisite condition for URA99 - Revoke Model

For the revoke model we do not distinguish mobile and immobile memberships.

We interpret x to be true iff u EMx u ImMx u EIMx u ImIMx

and x to be true iff u EMx u EIMx u ImMx u ImIMx
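The definitions on pages 12 through 16, the can-assign tables on pages 19 and 20, the non-implication on page 21 and the revoke-model prerequisite on page 26 are small enough to mechanise, which makes the difference between mobile and immobile membership concrete. The block below is an added example written for this transcript; it is not code from the slides or from the ARBAC99 paper. It assumes the hierarchy edges (reconstructed from the role names on page 5, since the figure's arrows did not survive extraction), that a range [lo,hi) denotes the roles r with lo <= r < hi, that the DSO precondition printed as "ED PL2" on page 19 reads "ED and not PL2", and that administrative roles are matched exactly (no administrative hierarchy). The users and the UA relation are constructed sample data.

```python
# Added example (not from the slides or the ARBAC99 paper): an executable sketch of
# URA99 memberships (page 12), the precedence rule (13), the grant and revoke
# prerequisite conditions (15, 26) and can-assign-M / can-assign-IM checks (16-21).
# ASSUMED here: the hierarchy edges (reconstructed from the role names on page 5),
# [lo,hi) meaning {r : lo <= r < hi}, the DSO precondition of page 19 read as
# "ED and not PL2", and exact matching of administrative roles (no admin hierarchy).

JUNIORS = {  # senior role -> its immediate junior roles (assumed edges)
    "DIR": {"PL1", "PL2"}, "PL1": {"P1", "Q1"}, "PL2": {"P2", "Q2"},
    "P1": {"E1"}, "Q1": {"E1"}, "P2": {"E2"}, "Q2": {"E2"},
    "E1": {"ED"}, "E2": {"ED"}, "ED": {"E"}, "E": set(),
}

def is_senior(s, x):
    """True iff s > x, i.e. x is reachable from s walking down the hierarchy."""
    stack, seen = list(JUNIORS[s]), set()
    while stack:
        r = stack.pop()
        if r == x:
            return True
        if r not in seen:
            seen.add(r)
            stack.extend(JUNIORS[r])
    return False

def geq(a, b):
    return a == b or is_senior(a, b)

def seniors_of(x):
    """All x' with x' > x (the x' of the implicit memberships on page 12)."""
    return {s for s in JUNIORS if is_senior(s, x)}

def in_range(r, rng):
    """rng = (lo, hi, lo_inclusive, hi_inclusive); [E1,PL1) is ("E1", "PL1", True, False)."""
    lo, hi, lo_incl, hi_incl = rng
    above = geq(r, lo) if lo_incl else is_senior(r, lo)
    below = geq(hi, r) if hi_incl else is_senior(hi, r)
    return above and below

class URA99:
    """UA is a set of (user, (kind, role)); kind "M" is sub-role Mx, "IM" is IMx."""

    def __init__(self, ua):
        self.ua = set(ua)

    # The four membership kinds of page 12.
    def EM(self, u, x):
        return (u, ("M", x)) in self.ua

    def EIM(self, u, x):
        return (u, ("IM", x)) in self.ua

    def ImM(self, u, x):
        return any((u, ("M", s)) in self.ua for s in seniors_of(x))

    def ImIM(self, u, x):
        return any((u, ("IM", s)) in self.ua for s in seniors_of(x))

    def effective(self, u, x):
        """Page 13: EMx > EIMx > ImMx > ImIMx; the first kind that holds is in effect."""
        kinds = (("EM", self.EM), ("EIM", self.EIM), ("ImM", self.ImM), ("ImIM", self.ImIM))
        for name, test in kinds:
            if test(u, x):
                return name
        return None

    def grant_literal(self, u, x, negated=False):
        """Page 15: x holds iff u is in EMx, or in ImMx and not in EIMx (an explicit
        immobile membership outranks an inherited mobile one); not-x holds iff u is
        in none of the four memberships."""
        if negated:
            return not (self.EM(u, x) or self.EIM(u, x) or self.ImM(u, x) or self.ImIM(u, x))
        return self.EM(u, x) or (self.ImM(u, x) and not self.EIM(u, x))

    def revoke_literal(self, u, x, negated=False):
        """Page 26: for revocation, mobile and immobile memberships count alike."""
        member = self.EM(u, x) or self.EIM(u, x) or self.ImM(u, x) or self.ImIM(u, x)
        return (not member) if negated else member

    def can_assign(self, table, admin, u, target):
        """Rows are (admin_role, [(role, negated), ...], role_range). Authorised iff some
        row matches the admin role, u satisfies every literal of the prerequisite
        condition under the grant-model reading, and target lies in the row's range."""
        return any(
            row_admin == admin
            and all(self.grant_literal(u, r, neg) for r, neg in cond)
            and in_range(target, rng)
            for row_admin, cond, rng in table
        )

# Subset of the rows printed on pages 19 and 20, ranges as printed there.
CAN_ASSIGN_M = [
    ("PSO1", [("ED", False)], ("E", "PL1", True, False)),
    ("DSO", [("ED", False), ("PL2", True)], ("PL1", "PL1", True, True)),
]
# can-assign-IM has a row that can-assign-M lacks (page 21: neither implies the other).
CAN_ASSIGN_IM = CAN_ASSIGN_M + [("DSO", [("E", False)], ("ED", "ED", True, True))]

SAMPLE = URA99({  # constructed sample UA
    ("alice", ("M", "ED")),                          # mobile member of ED
    ("bob", ("IM", "E1")),                           # immobile in E1, hence implicitly in ED and E
    ("carol", ("M", "PL2")),                         # mobile project lead 2
    ("dave", ("M", "PL1")), ("dave", ("IM", "E1")),  # two kinds at E1: EIM takes precedence
    ("erin", ("M", "E")),
})
```

With this sample, `SAMPLE.can_assign(CAN_ASSIGN_M, "PSO1", "alice", "P1")` is true, while the same call for bob is false: bob satisfies ED only through an immobile membership, so under the grant-model reading the prerequisite ED does not hold for him even though `SAMPLE.revoke_literal("bob", "ED")` is true. For dave, `SAMPLE.effective("dave", "E1")` returns "EIM", and `SAMPLE.grant_literal("dave", "E1")` is false: his explicit immobile membership in E1 outranks the mobile membership he inherits from PL1. Carol cannot be made PL1 by the DSO because the "not PL2" literal fails, and erin can be placed in ED by the DSO through can-assign-IM but not through can-assign-M, which is the asymmetry page 21 points out.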

Page 27: Relation between URA97 and URA99

If all users are restricted to be mobile then URA99 is identical with URA97.

This can be achieved by setting can-assign-IM and can-revoke-IM to be empty.

Page 28: PRA99 - Model

Like users, permissions can also be assigned to roles as mobile or immobile.

PRA99 is the exact dual of URA99. In PRA99 the implicit permission is inherited upwards in the hierarchy.

Page 29: Conclusion

ARBAC99 is the first model that incorporates mobile and immobile users and permissions.

The basic intuition of ARBAC97 is not altered.

It is a useful extension to ARBAC97.