Presentation on theme: "Lecture 8 Access Control (cont)"— Presentation transcript:

1 Lecture 8 Access Control (cont)

This chapter focuses on access control enforcement within a computer system. The chapter considers the situation of a population of users and user groups that are able to authenticated to a system and are then assigned access rights to certain resources on the system. A more general problem is a network or Internet-based environment, in which there are a number of client systems, a number of server systems, and a number of users who may access servers via one or more of the client systems. This more general context introduces new security issues and results in more complex solutions than those addressed in this chapter. We cover these topics in Chapter 23. modified from slides of Lawrie Brown



2 Mandatory Access Control (MAC)

Top Secret Labeling Mechanism is used Prevent any illegal flow of information through the enforcement of multilevel security Secret Military Security Confidential Require a strict classification of subjects and objects in security levels Drawback of being too rigid Applicable only to very few environments user with ‘secret’ label is not allowed to read a file with label of ‘top secret’. Unclassified dominance  can-flow Adopted from : Role-Based Access Control by Prof.Ravi Sandhu



3 Compartments and Sensitivity Levels

Information access is limited by the need-to-know Compartment: Each piece of classified information may be associated with one or more projects called compartments Top Secret Compartment 1 Secret Compartment 2 Confidential Compartment 3 Restricted Unclassified



4 Classification & Clearance

<rank; compartments> class of a piece of information Clearance: an indication that a person is trusted to access information up to a certain level of sensitivity clearance of a subject



5 Dominance Relation We say that s dominates o (or o is dominated by s) if o <= s For a subject s and an object o, o <= s if and only if rank(o) <= rank(s) and compartments(o) is subset of compartments(s) A subject can read an object if the subject dominates the object.



6 Example Information classified as <secret; {Sweden}>

Which of the following subject clearances can read the above information? <top secret; {Sweden}> <secret; {Sweden, crypto}> <top secret; {crypto}> <confidential; {Sweden}> <secret; {France}>



7 Role-Based Access Control (RBAC)

Traditional DAC systems define the access rights of individual users and groups of users. In contrast, RBAC is based on the roles that users assume in a system rather than the user’s identity. Typically, RBAC models define a role as a job function within an organization. RBAC systems assign access rights to roles instead of individual users. In turn, users are assigned to different roles, either statically or dynamically, according to their responsibilities. RBAC now enjoys widespread commercial use and remains an area of active research. The National Institute of Standards and Technology (NIST) has issued a standard, Security Requirements for Cryptographic Modules (FIPS PUB 140-2, May 25, 2001), that requires support for access control and administration through roles. The relationship of users to roles is many to many, as is the relationship of roles to resources, or system objects (Figure 4.7). The set of users changes, in some environments frequently, and the assignment of a user to one or more roles may also be dynamic. The set of roles in the system in most environments is relatively static, with only occasional additions or deletions. Each role will have specific access rights to one or more resources. The set of resources and the specific access rights associated with a particular role are also likely to change infrequently.



8 Access Control Matrix We can use the access matrix representation to depict the key elements of an RBAC system in simple terms, as shown in Figure 4.8. The upper matrix relates individual users to roles. Typically there are many more users than roles. Each matrix entry is either blank or marked, the latter indicating that this user is assigned to this role. Note that a single user may be assigned multiple roles (more than one mark in a row) and that multiple users may be assigned to a single role (more than one mark in a column). The lower matrix has the same structure as the DAC access control matrix, with roles as subjects. Typically, there are few roles and many objects, or resources. In this matrix the entries are the specific access rights enjoyed by the roles. Note that a role can be treated as an object, allowing the definition of role hierarchies. RBAC lends itself to an effective implementation of the principle of least privilege, referred to in Section 4.1. Each role should contain the minimum set of access rights needed for that role. A user is assigned to a role that enables him or her to perform only what is required for that role. Multiple users assigned to the same role, enjoy the same minimal set of access rights.



9 Role-Based Access Control

Role Hierarchies Usrer-Role Assignment Permission-Role Assignment USERS ROLES PERMISSIONS Health-Care Provider Physician Primary-Care Specialist ... Sessions Users are human beings or other active agents Business function the user perform is role A user can be a member of many roles Each role can have many users as members A user can invoke multiple sessions In each session a user can invoke any subset of roles that the user is a member of A permission can be assigned to many roles Each role can have many permissions read, write, append, execute Adopted from : Role-Based Access Control by Prof.Ravi Sandhu



10 Role-Based Access Control

A variety of functions and services can be included under the general RBAC approach. To clarify the various aspects of RBAC, it is useful to define a set of abstract models of RBAC functionality. The solid lines in Figure 4.9b indicate relationships, or mappings, with a single arrowhead indicating one and a double arrowhead indicating many. Thus, there is a many-to-many relationship between users and roles: One user may have multiple roles, and multiple users may be assigned to a single role. Similarly, there is a many-to- many relationship between roles and permissions. A session is used to define a temporary one-to-many relationship between a user and one or more of the roles to which the user has been assigned. The user establishes a session with only the roles needed for a particular task; this is an example of the concept of least privilege. The many-to-many relationships between users and roles and between roles and permissions provide a flexibility and granularity of assignment not found in conventional DAC schemes. Without this flexibility and granularity, there is a greater risk that a user may be granted more access to resources than is needed because of the limited control over the types of access that can be allowed. The NIST RBAC document gives the following examples: Users may need to list directories and modify existing files without creating new files, or they may need to append records to a file without modifying existing records.



11 Scope RBAC Models [SAND96] defines a family of reference models that has served as the basis for ongoing standardization efforts. This family consists of four models that are related to each other as shown in Figure 4.9a. and Table 4.3. RBAC0 contains the minimum functionality for an RBAC system. RBAC1 includes the RBAC0 functionality and adds role hierarchies, which enable one role to inherit permissions from another role. RBAC2 includes RBAC0 and adds constraints, which restrict the ways in which the components of a RBAC system may be configured. RBAC3 contains the functionality of RBAC0, RBAC1, and RBAC2. Base Model—RBAC0 Figure 4.9b, without the role hierarchy and constraints, contains the four types of entities in an RBAC0 system: • User: An individual that has access to this computer system. Each individual has an associated user ID. Role: A named job function within the organization that controls this computer system. Typically, associated with each role is a description of the authority and responsibility conferred on this role, and on any user who assumes this role. • Permission: An approval of a particular mode of access to one or more objects. Equivalent terms are access right, privilege, and authorization. • Session: A mapping between a user and an activated subset of the set of roles to which the user is assigned.



12 Example of Role Hierarchy

Role hierarchies provide a means of reflecting the hierarchical structure of roles in an organization. Typically, job functions with greater responsibility have greater authority to access resources. A subordinate job function may have a subset of the access rights of the superior job function. Role hierarchies make use of the concept of inheritance to enable one role to implicitly include access rights associated with a subordinate role. Figure 4.10 is an example of a diagram of a role hierarchy. By convention, subordinate roles are lower in the diagram. A line between two roles implies that the upper role includes all of the access rights of the lower role, as well as other access rights not available to the lower role. One role can inherit access rights from multiple subordinate roles. For example, in Figure 4.10, the Project Lead role includes all of the access rights of the Production Engineer role and of the Quality Engineer role. More than one role can inherit from the same subordinate role. For example, both the Production Engineer role and the Quality Engineer role include all of the access rights of the Engineer role. Additional access rights are also assigned to the Production Engineer Role and a different set of additional access rights are assigned to the Quality Engineer role. Thus, these two roles have overlapping access rights, namely the access rights they share with the Engineer role.



13 mutually exclusive roles

Constraints - RBAC provide a means of adapting RBAC to the specifics of administrative and security policies of an organization a defined relationship among roles or a condition related to roles mutually exclusive roles cardinality prerequisite roles Constraints provide a means of adapting RBAC to the specifics of administrative and security policies in an organization. A constraint is a defined relationship among roles or a condition related to roles. [SAND96] lists the following types of constraints: mutually exclusive roles, cardinality, and prerequisite roles. Mutually exclusive roles are roles such that a user can be assigned to only one role in the set. This limitation could be a static one, or it could be dynamic, in the sense that a user could be assigned only one of the roles in the set for a session. The mutually exclusive constraint supports a separation of duties and capabilities within an organization. This separation can be reinforced or enhanced by use of mutually exclusive permission assignments. With this additional constraint, a mutually exclusive set of roles has the following properties: 1. A user can only be assigned to one role in the set (either during a session or statically). 2. Any permission (access right) can be granted to only one role in the set. Thus the set of mutually exclusive roles have non-overlapping permissions. If two users are assigned to different roles in the set, then the users have non-overlapping permissions while assuming those roles. The purpose of mutually exclusive roles is to increase the difficulty of collusion among individuals of different skills or divergent job functions to thwart security policies. Cardinality refers to setting a maximum number with respect to roles. One such constraint is to set a maximum number of users that can be assigned to a given role. For example, a project leader role or a department head role might be limited to a single user. The system could also impose a constraint on the number of roles that a user is assigned to, or the number of roles a user can activate for a single session. Another form of constraint is to set a maximum number of roles that can be granted a particular permission; this might be a desirable risk mitigation technique for a sensitive or powerful permission. A system might be able to specify a prerequisite, which dictates that a user can only be assigned to a particular role if it is already assigned to some other specified role. A prerequisite can be used to structure the implementation of the least privilege concept. In a hierarchy, it might be required that a user can be assigned to a senior (higher) role only if it is already assigned an immediately junior (lower) role. For example, in Figure 4.10 a user assigned to a Project Lead role must also be assigned to the subordinate Production Engineer and Quality Engineer roles. Then, if the user does not need all of the permissions of the Project Lead role for a given task, the user can invoke a session using only the required subordinate role. Note that the use of prerequisites tied to the concept of hierarchy requires the RBAC3 model. a user can only be assigned to one role in the set (during a session or statically) any permission can be granted to only one role in the set setting a maximum number with respect to roles dictates that a user can only be assigned to a particular role if it is already assigned to some other specified role



14 administrative functions supporting system functions

RBAC System administrative functions supporting system functions review functions provide the capability to create, delete, and maintain RBAC elements and relations provide functions for session management and for making access control decisions provide the capability to perform query operations on RBAC elements and relations In 2001, NIST proposed a consensus model for RBAC, based on the original work in [SAND96] and later contributions. The model was further refined within the RBAC community and has been adopted by the American National Standards Institute, International Committee for Information Technology Standards (ANSI/INCITS) as ANSI INCITS 359–2004. The main innovation of the NIST standard is the introduction of the RBAC System and Administrative Functional Specification, which defines the features required for an RBAC system. This specification has a number of benefits. The specification provides a functional benchmark for vendors, indicating which capabilities must be provided to the user and the general programming interface for those functions. The specification guides users in developing requirements documents and in evaluating vendor products in a uniform fashion. The specification also provides a baseline system on which researchers and implementers can build enhanced features. The specification defines features, or functions, in three categories: • Administrative functions: Provide the capability to create, delete, and maintain RBAC elements and relations • Supporting system functions: Provide functions for session management and for making access control decisions • Review functions: Provide the capability to perform query operations on Examples of these functions are presented in the following discussion.



15 NIST RBAC Basic Definitions

object any system resource subject to access control, such as a file, printer, terminal, database record operation an executable image of a program, which upon invocation executes some function for the user permission an approval to perform an operation on one or more RBAC protected objects The elements of core RBAC are the same as those of RBAC0 described in the preceding section: users, roles, permissions, and sessions. The NIST model elaborates on the concept of permissions by introducing two subordinate entities: operations and objects. The following definitions are relevant: • Object: Any system resource subject to access control, such as a file, printer, terminal, database record, and so on • Operation: An executable image of a program, which upon invocation executes some function for the user • Permission: An approval to perform an operation on one or more RBAC protected objects



16 NIST RBAC Model The NIST RBAC model comprises four model components (Figure 4.11): core RBAC, hierarchical RBAC, static separation of duty (SSD) relations, and dynamic separation of duty (DSD) relations. The last two components correspond to the constraints component of the model of Figure 4.9.



17 administrative functions supporting system functions

Core RBAC administrative functions supporting system functions review functions add and delete users from the set of users add and delete roles from the set of roles create and delete instances of user-to-role assignment create and delete instances of permission-to-role assignment create a user session with a default set of active roles add an active role to a session delete a role from a session check if the session subject has permission to perform a request operation on an object enable an administrator to view but not modify all the elements of the model and their relations The administrative functions for Core RBAC include the following: add and delete users from the set of users; add and delete roles from the set of roles; create and delete instances of user-to-role assignment; and create and delete instances of permission-to-role assignment. The supporting system functions include the following: create a user session with a default set of active roles; add an active role to a session; delete a role from a session; and check if the session subject has permission to perform a request operation on an object. The review functions enable an administrator to view but not modify all the elements of the model and their relations, including users, roles, user assignments, role assignments, and session elements. Core RBAC is a minimal model that captures the common features found in the current generation of RBAC systems.



18 Hierarchical RBAC general role hierarchies limited role hierarchies

allow an arbitrary partial ordering of the role hierarchy impose restrictions resulting in a simpler tree structure supports multiple inheritance, in which a role may inherit permissions from multiple subordinate roles and more than one role can inherit from the same subordinate role role may have one or more immediate ascendants but is restricted to a single immediate descendant Hierarchical RBAC includes the concept of inheritance described for RBAC1. In the NIST standard, the inheritance relationship includes two aspects. Role r1 is said to be a descendant of r2 if r1 includes (inherits) all of the permissions from r2 and all users assigned to r1 are also assigned to r2.3 For example, in Figure 4.10, any permission allowed in the Project Lead 1 role is also allowed in the Director role, and a user assigned to the Director role is also assigned to the Project Lead 1 role. The NIST model defines two types of role hierarchies: General role hierarchies: Allow an arbitrary partial ordering of the role hierarchy. In particular, this type supports multiple inheritance, in which a role may inherit permissions from multiple subordinate roles and more than one role can inherit from the same subordinate role. • Limited role hierarchies: Impose restrictions resulting in a simpler tree structure. The limitation is that a role may have one or more immediate ascendants but is restricted to a single immediate descendant. The rationale for role hierarchies is that the inheritance property greatly simplifies the task of defining permission relationships. Roles can have overlapping permissions, which means that users belonging to different roles may have some shared permissions. In addition, it is typical in an organization that there are many users that share a set of common permissions, cutting across many organizational levels. To avoid the necessity of defining numerous roles from scratch to accommodate various users, role hierarchies are used in a number of commercial implementations. General role hierarchies provide the most powerful tool for this purpose. The standard incorporates limited role hierarchies, which are also useful, to allow for a simpler implementation of role hierarchies. Hierarchical RBAC adds four new administrative functions to Core RBAC: add a new immediate inheritance relationship between two existing roles; delete an existing immediate inheritance relationship; create a new role and add it as an immediate ascendant of an existing role; and create a new role and add it as an immediate descendant of an existing relationship. The hierarchical RBAC review functions enable the administrator to view the permissions and users associated with each role either directly or by inheritance.



19 Static Separation of Duty

enables the definition of a set of mutually exclusive roles, if a user is assigned to one role in the set, the user may not be assigned to any other role in the set can place a cardinality constraint on a set of roles defined as a pair (role set, n) where no user is assigned to n or more roles from the role set includes administrative functions for creating and deleting role sets and adding and deleting role members includes review functions for viewing the properties of existing SSD sets SSD and DSD are two components that add constraints to the NIST RBAC model. The constraints are in the form of separation of duty relations, used to enforce conflict of interest policies that organizations may employ to prevent users from exceeding a reasonable level of authority for their positions. SSD enables the definition of a set of mutually exclusive roles, such that if a user is assigned to one role in the set, the user may not be assigned to any other role in the set. In addition, SSD can place a cardinality constraint on a set of roles. A cardinality constraint associated with a set of roles is a number greater than one specifying a combination of roles that would violate the SSD policy. For example, the permissions associated with the purchasing function could be organized as a set of four roles, with the constraint the no user may be assigned more than three roles in the set. A concise definition of SSD is that SSD is defined as a pair (role set, n) where no user is assigned to n or more roles from the role set. SSD includes administrative functions for creating and deleting role sets and adding and deleting role members. It also includes review functions for viewing the properties of existing SSD sets.



20 Dynamic Separation of Duty

limit the permissions available to a user places constraints on the roles that can be activated within or across a user’s sessions define constraints as a pair (role set, n) with the property that no user session may activate n or more roles from the role set where n is a natural number n ≤ 2 enables the administrator to specify certain capabilities for a user at different, time spans includes administrative and review functions for defining and viewing DSD relations As with SSD, DSD relations limit the permissions available to a user. DSD specifications limit the availability of the permissions by placing constraints on the roles that can be activated within or across a user’s sessions. DSD relations define constraints as a pair (role set, n), where n is a natural number n 2, with the property that no user session may activate n or more roles from the role set. DSD enables the administrator to specify certain capabilities for a user at different, non-overlapping spans of time. As with SSD, DSD includes administrative and review functions for defining and viewing DSD relations.



21 Task Based Access Control

Classical subject-object access control P S x O x A TBAC view of access control P S x O x A x U x AS TBAC extensions P – Permission S – Subject O – Object A – Actions U – Usage and Validity Counts AS – Authorization step Active Security Model Dynamic authorization gives flexibility No Roles Involved Constraints for this model is still under study Every authorization-step maintains its own protection state. The initial value of a protection state is the set of permissions that are turned on (active) as a result of the authorization-step becoming valid. However, the contents of this set will keep changing as an authorization-step is processed and the relevant permissions are consumed. With each permission we associate a certain usage count. When a usage count has reached its limit, the associated permission is deactivated and the corresponding action is no longer allowed. Conceptually, we can think of an active permission as a check-in of the permission to the protection-state and a deactivation of a permission as a check out from the protection state. This constant and automated check-in and checkout of permissions as authorizations are being processed is one of the central features that make TBAC an active model. Further, the protection states of individual authorization-steps are unique and disjoint. What this means is that every permission in a protection state is uniquely mapped to an authorization-step instance and to the task or sub-task instance that is invoking the authorization. This ability to associate contextual information with permissions is absent in typical subject-object style access control models. For each authorization step consumes permission, usage count is incremented Usage Count reaches its limit, the associated permission is deactivated Adopted from Source: Task based authorization controls by R.S.Sandhu and R.K.Thomas



22 TBAC with Constraints Task Fundamental unit of business activity.

Users Tasks Workflow Alice Check Patient Non-Workflow Bob Do Physical Exam Write Prescription (T5) Out Patient Workflow Do Physical Exam (T1) Check Patient (T2) Perform Lab Test (T3) View Lab Results (T4) Task Fundamental unit of business activity. Assigned to users depending on the role and access rights are determined for executing assigned tasks. Start End Refer another specialist (T6) Non-Workflow View Current Patient List



23 TBAC with Constraints Non-Workflow Workflow

Objects – Health Records or Files. Task Instances Permissions Operations – Read, Update, Write, Copy, Print etc Check Patient task Alice Check Patient Josh Task Instance 1 Permission Authorization to perform an operation on an object. Bob Check Patient Grace Task Instance 2



24 Constraints Task constraints – Least Privilege User Instance

Users are not given more permission than is necessary to perform their duties Constraints Achieved through task instances Permissions Tasks Initiated Active Completed Revoked status Alice Check Patient Josh Least Privilege Users are given permissions selectively such that they are not given more permission than is necessary to perform their duties. Prevents the issue of the user to perform unnecessary and potentially harmful actions. Achieved through task instances Access permission starts when the task is initiated and the access control permissions are revoked when the task is completed. Task instance is created for each user and the user gets to see only certain information. Fine grained access control. Access Permissions starts when the instance is initiated Access Permissions end when the instance is completed or revoked Fine Grained Access Control



25 Static and Dynamic Separation of Duty

No single individual can execute all tasks within the workflow Do Physical Exam (T1) Check Patient (T2) Perform Lab Test (T3) View Lab Results (T4) Write Prescription (T5) End Start Nurse Physician Technician Alice Check Patient Josh Task Instance 1 Reduces the chance of collusion by distributing the responsibilities for tasks in a business process between multiple users. SOD is done at task definition and task instance levels. Task unit has a smaller scope of access rights than the role unit. Static SOD is done at task definition level and applies to tasks belonging to the same workflow. Dynamic SOD duty is done at task instances level. Task instances are created when the task is initiated and dynamic separation of duty prohibits concurrent execution of two or more exclusive tasks by the same role. Protects against fraudulent activities of users Static SOD - Defining the tasks in workflow or non workflow govern the administration or design-time associations between users and permissions. Dynamic SOD - permissions or task instances are granted at run-time.



26 Senior Physician (Jan)

Delegation of Tasks Initially assigned user is not available to complete the task Supervisor can delegate task to another junior user in the same hierarchy Access rights revoked once the task is completed Physician (Alice) Physician (Bob) Senior Physician (Jan) Alice Check Patient Josh Task Instance Jan can delegate task to Bob Bob Check Patient Josh Task Instance



27 Spatial and Temporal Constraints

Accessed from anywhere and at anytime User’s location and time is taken into consideration for granting access to a task Family Practice Physician Nurse Location Constraint (Reno Office) Time Constraint (8 - 5) Tasks



28 Passive and Active Access Control

Read View Current Patient List File 1 Passive Access Physician Write Write Prescription File 2 Active Access Start Do Physical Exam (T1) Check Patient (T2) Perform Lab Test (T3) View Lab Results (T4) Write Prescription (T5) Refer another specialist (T6) End Workflow Figure shows both passive and active access control. Physician may execute the ‘View Current Patient List’ task to accesses File1 information resource at any time. This non-workflow task assignment causes immediate activation of the access rights to read File1, a passive access control. On the other hand, the ‘Write Prescription’ task belongs to a workflow. Executing the tasks in the workflow is done in a defined order and is available for specific time period. Although the ‘Write Prescription’ task is assigned to physician, he/she can activate his/her access rights only when the prior ‘View Lab Results’ task is completed. In this case, as an active access control, authorization is separated from the activation of access rights.



29 Classification of Tasks

Non-Inheritable Inheritable Passive Access Control Private Supervision Active Access control Workflow Approval Family Practice Senior Physician (Jan) Physician (Alice) View Current Patient List Diagnosis Details Start Do Physical Exam (T1) Check Patient (T2) Perform Lab Test (T3) View Lab Results (T4) Write Prescription (T5) Refer another specialist (T6) End Workflow Class Private Class Supervision



30 Classification of Tasks

Class Workflow Family Practice Class Approval Senior Physician (Jan) Physician (Alice) Check Patient Start Do Physical Exam (T1) Check Patient (T2) Perform Lab Test (T3) View Lab Results (T4) Write Prescription (T5) Refer another specialist (T6) End Workflow Physician (Alice) Physician (Bob) Senior Physician (Jan) Same Hierarchy



31 Functions and Roles for Banking Example

Official Positions The Dresdner Bank has implemented an RBAC system that serves as a useful practical example [SCHA01]. The bank uses a variety of computer applications. Many of these were initially developed for a mainframe environment; some of these older applications are now supported on a client-server network while others remain on mainframes. There are also newer applications on servers. Prior to 1990, a simple DAC system was used on each server and mainframe. Administrators maintained a local access control file on each host and defined the access rights for each employee on each application on each host. This system was cumbersome, time- consuming, and error-prone. To improve the system, the bank introduced an RBAC scheme, which is systemwide and in which the determination of access rights is compartmentalized into three different administrative units for greater security. Roles within the organization are defined by a combination of official position and job function. Table 4.4a provides examples. This differs somewhat from the concept of role in the NIST standard, in which a role is defined by a job function. To some extent, the difference is a matter of terminology. In any case, the bank’s role structuring leads to a natural means of developing an inheritance hierarchy based on official position. Within the bank, there is a strict partial ordering of official positions within each organization, reflecting a hierarchy of responsibility and power. For example, the positions Head of Division, Group Manager, and Clerk are in descending order.



32 Functions and Roles for Banking Example

(b) Permission Assignments When the official position is combined with job function, there is a resulting ordering of access rights, as indicated in Table 4.4b. Thus, the financial analyst/Group Manager role (role B) has more access rights than the financial analyst/Clerk role (role A). The table indicates that role B has as many or more access rights than role A in three applications and has access rights to a fourth application. On the other hand, there is no hierarchical relationship between office banking/Group Manager and financial analyst/Clerk because they work in different functional areas. We can therefore define a role hierarchy in which one role is superior to another if its position is superior and their functions are identical.



33 Functions and Roles for Banking Example

(c) Permission Assignment with Inheritance The role hierarchy makes it possible to economize on access rights definitions, as suggested in Table 4.4c.



34 Example of Access Control Administration

In the original scheme, the direct assignment of access rights to the individual user occurred at the application level and was associated with the individual application. In the new scheme, an application administration determines the set of access rights associated with each individual application. However, a given user performing a given task may not be permitted all of the access rights associated with the application. When a user invokes an application, the application grants access on the basis of a centrally provided security profile. A separate authorization administration associated access rights with roles and creates the security profile for a use on the basis of the user’s role. A user is statically assigned a role. In principle (in this example), each user may be statically assigned up to four roles and select a given role for use in invoking a particular application. This corresponds to the NIST concept of session. In practice, most users are statically assigned a single role based on the user’s position and job function. All of these ingredients are depicted in Figure The Human Resource Department assigns a unique User ID to each employee who will be using the system. Based on the user’s position and job function, the department also assigns one or more roles to the user. The user/role information is provided to the Authorization Administration, which creates a security profile for each user that associates the User ID and role with a set of access rights. When a user invokes an application, the application consults the security profile for that user to determine what subset of the application’s access rights are in force for this user in this role. A role may be used to access several applications. Thus, the set of access rights associated with a role may include access rights that are not associated with one of the applications the user invokes. This is illustrated in Table 4.4b. Role A has numerous access rights, but only a subset of those rights are applicable to each of the three applications that role A may invoke. Some figures about this system are of interest. Within the bank, there are 65 official positions, ranging from a Clerk in a branch, through the Branch Manager, to a Member of the Board. These positions are combined with 368 different job functions provided by the human resources database. Potentially, there are 23,920 different roles, but the number of roles in current use is about This is in line with the experience other RBAC implementations. On average, 42,000 security profiles are distributed to applications each day by the Authorization Administration module.



35 Summary access control discretionary access controls (DAC)

prevent unauthorized users from gaining access to resources prevent legitimate users from accessing resources in an unauthorized manner enable legitimate users to access resources subjects, objects, access rights authentication, authorization, audit discretionary access controls (DAC) controls access based on identity mandatory access control (MAC) controls access based on security labels role-based access control (RBAC) controls access based on roles Chapter 4 summary.

