RBAC: Role-based Access Control

Overview

:::{image} ../fig/csc603/05-rbac/basic_rbac.png :alt: Basic RBAC illustration :class: bg-primary mb-1 :height: 500px :align: center :::

• RBAC₀: minimum functionalities
• RBAC₁: RBAC₀ + role hierarchies
• RBAC₂: RBAC₀ + constraints

• RBAC₃: RBAC₁ + RBAC₂

• Users: individuals with access to the system
• Role: named job function within the org
• Permission: approval of a particular mode of access to objects
• Session: mapping between a user and a subset of roles

:::{image} ../fig/csc603/05-rbac/rbac0.png :alt: RBAC0 :class: bg-primary mb-1 :height: 500px :align: center :::

• Reflect hierarchical structure of roles in org
• Mathematically, partial order (reflexive, transitive, antisymmetric)

:::{image} ../fig/csc603/05-rbac/rbac1.png :alt: RBAC1 :class: bg-primary mb-1 :height: 500px :align: center :::

• Reflect higher-level organizational policy
• Mutually exclusive roles
• Cardinality: maximum numbers with respect to role
• Pre-requisite:
  • can assign role only if already assigned prerequisite role
  • Not hierarchical
• Consolidation

:::{image} ../fig/csc603/05-rbac/rbac3.png :alt: RBAC3 :class: bg-primary mb-1 :height: 500px :align: center :::

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
 
## NIST RBAC


- RBAC System and Administrative Functional Specifications
- Three categories:
  - Administrative functions: create, delete, maintain RBAC elements and relations
  - Supporting system functions: session management, access control decisions
  - Review functions: query operations on RBAC elements and relations
- Four components:
  - Core RBAC: similar to RBAC<sub>0</sub>
  - Hierarchical RBAC: similar to RBAC<sub>1</sub>
  - Static Separation of Duty (SSD):
    - Prevent conflict of interest
    - Cardinality constraints (e.g., maximum number of roles)
    - Mutually exclusive roles
  - Dynamic Separation of Duty (DSD):
    - Similar to SSD but activated within session
    - Temporary conflict of interest (e.g., author and PC member of a conference)

:::{image} ../fig/csc603/05-rbac/nist_rbac.png
:alt: NIST RBAC
:class: bg-primary mb-1
:height: 500px
:align: center
:::



- Scalability
- Authentication
- Negative permissions
- Nature of permissions
- Discretionary role activation
- Role engineering
- Constraints
- RBAC administration
- Role revocation
 

Role Engineering

• Definition of role can be difficult
  • Requirement engineering process
• Basic steps:
  • Collect activities
  • Group into clusters
  • Name clusters
  • Describe
  • Remove duplicates
  • Indentify minimal set of permissions
  • Simulate activities
  • Role candidates
• Migrating from old local access control files
• Application now query security for authorization profiel
• Role = (official position, job function)

:::{image} ../fig/csc603/05-rbac/case1.png :alt: role and functions :class: bg-primary mb-1 :height: 400px :align: center :::

:::{image} ../fig/csc603/05-rbac/case2.png :alt: Role, applications, and access rights :class: bg-primary mb-1 :height: 400px :align: center :::

:::{image} ../fig/csc603/05-rbac/case3.png :alt: Assume B inherits A :class: bg-primary mb-1 :height: 400px :align: center :::

:::{image} ../fig/csc603/05-rbac/case4.png :alt: Architecture :class: bg-primary mb-1 :height: 500px :align: center :::

```