:::{image} ../fig/csc603/05-rbac/basic_rbac.png
:alt: Basic RBAC illustration
:class: bg-primary mb-1
:height: 500px
:align: center
:::
RBAC3: RBAC1 + RBAC2
:::{image} ../fig/csc603/05-rbac/rbac0.png
:alt: RBAC0
:class: bg-primary mb-1
:height: 500px
:align: center
:::
:::{image} ../fig/csc603/05-rbac/rbac1.png
:alt: RBAC1
:class: bg-primary mb-1
:height: 500px
:align: center
:::
:::{image} ../fig/csc603/05-rbac/rbac3.png
:alt: RBAC3
:class: bg-primary mb-1
:height: 500px
:align: center
:::
## NIST RBAC
- RBAC System and Administrative Functional Specifications
- Three categories:
  - Administrative functions: create, delete, maintain RBAC elements and relations
  - Supporting system functions: session management, access control decisions
  - Review functions: query operations on RBAC elements and relations
- Four components:
  - Core RBAC: similar to RBAC<sub>0</sub>
  - Hierarchical RBAC: similar to RBAC<sub>1</sub>
  - Static Separation of Duty (SSD):
    - Prevent conflict of interest
    - Cardinality constraints (e.g., maximum number of roles)
    - Mutually exclusive roles
  - Dynamic Separation of Duty (DSD):
    - Similar to SSD but activated within session
    - Temporary conflict of interest (e.g., author and PC member of a conference)
:::{image} ../fig/csc603/05-rbac/nist_rbac.png
:alt: NIST RBAC
:class: bg-primary mb-1
:height: 500px
:align: center
:::
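
The difference between SSD and DSD listed above, as an added example that is not part of the original notes: SSD is checked when a role is assigned to a user, DSD when a role is activated inside a session. Constraints are modelled here as (role set, n) pairs, and all class, role and user names are constructed for illustration.

```python
# Added example. Role and user names are constructed for illustration.
class ConstraintViolation(Exception):
    """Raised when a separation-of-duty constraint would be broken."""

def check(constraints, roles, kind):
    # Each constraint is (role_set, n): fewer than n roles of role_set may be held.
    # n = 2 expresses mutually exclusive roles; larger n is a cardinality limit.
    for role_set, n in constraints:
        held = roles & role_set
        if len(held) >= n:
            raise ConstraintViolation(f"{kind} violated by {sorted(held)}")

class RBAC:
    def __init__(self, ssd=(), dsd=()):
        self.ssd, self.dsd = list(ssd), list(dsd)
        self.assigned = {}  # user -> set of assigned roles

    def assign(self, user, role):
        # SSD is enforced at administration time, on the user's role assignments.
        proposed = self.assigned.get(user, set()) | {role}
        check(self.ssd, proposed, "SSD")
        self.assigned[user] = proposed

class Session:
    def __init__(self, rbac, user):
        self.rbac, self.user, self.active = rbac, user, set()

    def activate(self, role):
        # DSD is enforced at run time, on the roles active in this one session.
        if role not in self.rbac.assigned.get(self.user, set()):
            raise PermissionError(f"{self.user} is not assigned {role}")
        proposed = self.active | {role}
        check(self.rbac.dsd, proposed, "DSD")
        self.active = proposed

    def drop(self, role):
        self.active.discard(role)

def demo():
    rbac = RBAC(ssd=[({"purchaser", "approver"}, 2)],
                dsd=[({"author", "pc_member"}, 2)])
    rbac.assign("alice", "purchaser")
    rbac.assign("bob", "author")
    rbac.assign("bob", "pc_member")   # allowed: DSD does not restrict assignment
    session = Session(rbac, "bob")
    session.activate("author")
    return rbac, session
```

In the state `demo()` returns, assigning `approver` to `alice` is rejected by SSD, while `bob` holds both conference roles but can only activate `pc_member` after dropping `author` in that session.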
- Scalability
- Authentication
- Negative permissions
- Nature of permissions
- Discretionary role activation
- Role engineering
- Constraints
- RBAC administration
- Role revocation
:::{image} ../fig/csc603/05-rbac/case1.png
:alt: role and functions
:class: bg-primary mb-1
:height: 400px
:align: center
:::
:::{image} ../fig/csc603/05-rbac/case2.png
:alt: Role, applications, and access rights
:class: bg-primary mb-1
:height: 400px
:align: center
:::
:::{image} ../fig/csc603/05-rbac/case3.png
:alt: Assume B inherits A
:class: bg-primary mb-1
:height: 400px
:align: center
:::
:::{image} ../fig/csc603/05-rbac/case4.png
:alt: Architecture
:class: bg-primary mb-1
:height: 500px
:align: center
:::
```