Title:
Role-based access control
Personal Author:
Series:
Computer security series
Publication Information:
Norwood, MA : Artech House, 2003
ISBN:
9781580533706
Available:*
Library | Item Barcode | Call Number | Material Type | Item Category 1 | Status |
|---|---|---|---|---|---|
Searching... | 30000010020202 | QA76.9.A25 F47 2003 | Open Access Book | Book | Searching... |
Searching... | 30000010059073 | QA76.9.A25 F47 2003 | Open Access Book | Book | Searching... |
On Order
Summary
Summary
Securing networked and Web-based systems can be costly because these open and easy-to-access systems leave a myriad of unwanted openings for hackers and other intruders to break into. Role-based access control (RBAC) is a security mechanism that can greatly lower the cost and complexity of securing large networked and Web-based systems. This volume covers the basic components of RBAC as well as deploying, supporting and administering RBAC.
Author Notes
David Ferraiolo is a supervisory computer scientist in the Systems and Networks Security Group at the National Institute of Standards and Technology (NIST), Gaithersburg, MD. In addition to managing three access control and security management projects, he is leading research to improve operational assurance, security authentication, intrusion detection, and authorization.
050
Table of Contents
| Preface | p. xv |
| Acknowledgments | p. xvii |
| 1 Introduction | p. 1 |
| 1.1 The purpose and fundamentals of access control | p. 2 |
| 1.1.1 Authorization versus authentication | p. 3 |
| 1.1.2 Users, subjects, objects, operations, and permissions | p. 4 |
| 1.1.3 Least privilege | p. 5 |
| 1.2 A brief history of access control | p. 6 |
| 1.2.1 Access control in the mainframe era | p. 6 |
| 1.2.2 Department of Defense standards | p. 8 |
| 1.2.3 Clark-Wilson model | p. 9 |
| 1.2.4 Origins of RBAC | p. 9 |
| 1.3 Comparing RBAC to DAC and MAC | p. 16 |
| 1.4 RBAC and the enterprise | p. 18 |
| 1.4.1 Economics of RBAC | p. 18 |
| 1.4.2 Authorization management and resource provisioning | p. 20 |
| References | p. 23 |
| 2 Access Control Policy, Models, and Mechanisms--Concepts and Examples | p. 27 |
| 2.1 Policy, models, and mechanisms | p. 27 |
| 2.2 Subjects and objects | p. 30 |
| 2.3 Reference monitor and security kernel | p. 31 |
| 2.3.1 Completeness | p. 33 |
| 2.3.2 Isolation | p. 33 |
| 2.3.3 Verifiability | p. 34 |
| 2.3.4 The reference monitor--necessary, but not sufficient | p. 35 |
| 2.4 DAC policies | p. 35 |
| 2.5 Access control matrix | p. 36 |
| 2.5.1 ACLs and capability lists | p. 37 |
| 2.5.2 Protection bits | p. 38 |
| 2.6 MAC policies and models | p. 39 |
| 2.7 Biba's integrity model | p. 41 |
| 2.8 Clark-Wilson model | p. 42 |
| 2.9 The Chinese wall policy | p. 44 |
| 2.10 The Brewer-Nash model | p. 45 |
| 2.11 Domain-type enforcement model | p. 46 |
| References | p. 48 |
| 3 Core RBAC Features | p. 51 |
| 3.1 Roles versus ACL groups | p. 53 |
| 3.2 Core RBAC | p. 55 |
| 3.2.1 Administrative support | p. 55 |
| 3.2.2 Permissions | p. 56 |
| 3.2.3 Role activation | p. 58 |
| 3.3 Mapping the enterprise view to the system view | p. 59 |
| 3.3.1 Global users and roles and indirect role privileges | p. 62 |
| 3.3.2 Mapping permissions into privileges | p. 63 |
| 4 Role Hierarchies | p. 67 |
| 4.1 Building role hierarchies from flat roles | p. 68 |
| 4.2 Inheritance schemes | p. 69 |
| 4.2.1 Direct privilege inheritance | p. 69 |
| 4.2.2 Permission and user membership inheritance | p. 70 |
| 4.2.3 User containment and indirect privilege inheritance | p. 72 |
| 4.3 Hierarchy structures and inheritance forms | p. 75 |
| 4.3.1 Connector roles | p. 76 |
| 4.3.2 Organization chart hierarchies | p. 79 |
| 4.3.3 Geographical regions | p. 81 |
| 4.4 Accounting for role types | p. 83 |
| 4.5 General and limited role hierarchies | p. 84 |
| 4.6 Accounting for the Stanford model | p. 87 |
| References | p. 89 |
| 5 SoD and Constraints in RBAC Systems | p. 91 |
| 5.1 Types of SoD | p. 94 |
| 5.1.1 Static SoD | p. 94 |
| 5.1.2 Dynamic SoD | p. 98 |
| 5.1.3 Operational SoD | p. 99 |
| 5.1.4 History and object-based SoD | p. 100 |
| 5.2 Using SoD in real systems | p. 101 |
| 5.2.1 SoD in role hierarchies | p. 102 |
| 5.2.2 Static and dynamic constraints | p. 103 |
| 5.2.3 Mutual exclusion | p. 104 |
| 5.2.4 Effects of privilege assignment | p. 105 |
| 5.2.5 Assigning privileges to roles | p. 107 |
| 5.2.6 Assigning roles to users | p. 108 |
| 5.3 Temporal constraints in RBAC | p. 112 |
| 5.3.1 Need for temporal constraints | p. 112 |
| 5.3.2 Taxonomy of temporal constraints | p. 113 |
| 5.3.3 Associated requirements for supporting temporal constraints | p. 116 |
| References | p. 117 |
| 6 RBAC, MAC, and DAC | p. 121 |
| 6.1 Enforcing DAC using RBAC | p. 122 |
| 6.1.1 Configuring RBAC for DAC | p. 123 |
| 6.1.2 DAC with grant-independent revocation | p. 124 |
| 6.1.3 Additional considerations for grant-dependent revocation | p. 125 |
| 6.2 Enforcing MAC on RBAC systems | p. 125 |
| 6.2.1 Configuring RBAC for MAC using static constraints | p. 126 |
| 6.2.2 Configuring RBAC for MAC using dynamic constraints | p. 127 |
| 6.3 Implementing RBAC on MLS systems | p. 130 |
| 6.3.1 Roles and privilege sets | p. 132 |
| 6.3.2 Assignment of categories to privilege sets | p. 133 |
| 6.3.3 Assignment of categories to roles | p. 134 |
| 6.3.4 Example of MLS to RBAC mapping | p. 134 |
| 6.4 Running RBAC and MAC simultaneously | p. 136 |
| References | p. 138 |
| 7 NIST's Proposed RBAC Standard | p. 141 |
| 7.1 Overview | p. 141 |
| 7.2 Functional specification packages | p. 142 |
| 7.3 The RBAC reference model | p. 144 |
| 7.4 Functional specification overview | p. 145 |
| 7.5 Functional specification for core RBAC | p. 146 |
| 7.5.1 Administrative functions | p. 146 |
| 7.5.2 Supporting system functions | p. 146 |
| 7.5.3 Review functions | p. 147 |
| 7.6 Functional specification for hierarchical RBAC | p. 147 |
| 7.6.1 Hierarchical administrative functions | p. 147 |
| 7.6.2 Supporting system functions | p. 149 |
| 7.6.3 Review functions | p. 149 |
| 7.7 Functional specification for SSD relation | p. 150 |
| 7.7.1 Administrative functions | p. 150 |
| 7.7.2 Supporting system functions | p. 151 |
| 7.7.3 Review functions | p. 151 |
| 7.8 Functional specification for a DSD relation | p. 152 |
| 7.8.1 Administrative functions | p. 152 |
| 7.8.2 Supporting system functions | p. 152 |
| 7.8.3 Review functions | p. 153 |
| Reference | p. 153 |
| 8 Role-Based Administration of RBAC | p. 155 |
| 8.1 Background and terminology | p. 155 |
| 8.2 URA02 and PRA02 | p. 158 |
| 8.3 Crampton-Loizou administrative model | p. 162 |
| 8.3.1 Flexibility of administrative scope | p. 163 |
| 8.3.2 Decentralization and autonomy | p. 164 |
| 8.3.3 A family of models for hierarchical administration | p. 164 |
| 8.4 Role control center | p. 169 |
| 8.4.1 Inheritance and the role graph | p. 170 |
| 8.4.2 Constraints | p. 172 |
| 8.4.3 Role views | p. 172 |
| 8.4.4 Delegation of administrative permissions | p. 173 |
| 8.4.5 Decentralization and autonomy | p. 176 |
| References | p. 178 |
| 9 Enterprise Access Control Frameworks Using RBAC and XML Technologies | p. 179 |
| 9.1 Conceptual view of EAFs | p. 179 |
| 9.2 Enterprise Access Central Model Requirements | p. 182 |
| 9.2.1 EAM's multiple-policy support requirement | p. 183 |
| 9.2.2 EAM's ease of administration requirement | p. 183 |
| 9.3 EAM specification and XML schemas | p. 184 |
| 9.4 Specification of the ERBAC model in the XML schema | p. 186 |
| 9.4.1 XML schema specifications for ERBAC model elements | p. 187 |
| 9.4.2 XML schema specifications for ERBAC model relations | p. 190 |
| 9.5 Encoding of enterprise access control data in XML | p. 193 |
| 9.6 Verification of the ERBAC model and data specifications | p. 197 |
| 9.7 Limitations of XML schemas for ERBAC model constraint representation | p. 198 |
| 9.8 Using XML-encoded enterprise access control data for enterprisewide access control implementation | p. 202 |
| 9.9 Conclusion | p. 208 |
| References | p. 208 |
| 10 Integrating RBAC with Enterprise IT Infrastructures | p. 211 |
| 10.1 RBAC for WFMSs | p. 212 |
| 10.1.1 Workflow Concepts and WFMSs | p. 212 |
| 10.1.2 WFMS components and access control requirements | p. 213 |
| 10.1.3 Access control design requirements | p. 214 |
| 10.1.4 RBAC model design and implementation requirements for WFMSs | p. 216 |
| 10.1.5 RBAC for workflows--research prototypes | p. 219 |
| 10.2 RBAC integration in Web environments | p. 220 |
| 10.2.1 Implementing RBAC entirely on the Web server | p. 221 |
| 10.2.2 Implementing RBAC for Web server access using cookies | p. 222 |
| 10.2.3 RBAC on the Web using attribute certificates | p. 224 |
| 10.3 RBAC for UNIX environments | p. 231 |
| 10.3.1 RBAC for UNIX administration | p. 231 |
| 10.3.2 RBAC implementation within the NFS | p. 236 |
| 10.4 RBAC in Java | p. 239 |
| 10.4.1 Evolution of Java security models | p. 240 |
| 10.4.2 JDK 1.2 security model and enhancement | p. 241 |
| 10.4.3 Incorporating RBAC into JDK 1.2 security model with JAAS | p. 244 |
| 10.5 RBAC for FDBSs | p. 246 |
| 10.5.1 IRO-DB architecture | p. 247 |
| 10.5.2 RBAC model implementation in IRO-DB | p. 248 |
| 10.6 RBAC in autonomous security service modules | p. 249 |
| 10.7 Conclusions | p. 251 |
| References | p. 251 |
| 11 Migrating to RBAC--Case Study: Multiline Insurance Company | p. 255 |
| 11.1 Background | p. 256 |
| 11.2 Benefits of using RBAC to manage extranet users | p. 256 |
| 11.2.1 Simplifying systems administration and maintenance | p. 258 |
| 11.2.2 Enhancing organizational productivity | p. 259 |
| 11.3 Benefits of using RBAC to manage employees (intranet users) | p. 259 |
| 11.3.1 Reduction in new employee downtime | p. 259 |
| 11.3.2 Simplified systems administration and maintenance | p. 260 |
| 11.4 RBAC implementation costs | p. 260 |
| 11.4.1 Software and hardware expenses | p. 261 |
| 11.4.2 Systems administrators' labor expenses | p. 261 |
| 11.4.3 Role engineering expenses | p. 261 |
| 11.5 Time series of benefits and costs | p. 262 |
| Reference | p. 264 |
| 12 RBAC Features in Commercial Products | p. 265 |
| 12.1 RBAC in relational DBMS products | p. 266 |
| 12.1.1 Informix Dynamic Server version 9.3 (IBM) | p. 267 |
| 12.1.2 Oracle Enterprise Server version 8i (Oracle) | p. 269 |
| 12.1.3 Sybase adaptive server version 12.5 (Sybase) | p. 271 |
| 12.2 RBAC in enterprise security administration software | p. 274 |
| 12.2.1 Control-SA (BMC software) | p. 276 |
| 12.2.2 DirXmetaRole version 1.0 (Siemens) | p. 280 |
| 12.2.3 SAM Jupiter (Systor) | p. 284 |
| 12.2.4 Tivoli Identity Manager version 1.1 (IBM) | p. 289 |
| 12.3 Conclusions | p. 292 |
| References | p. 293 |
| Appendix A | p. 295 |
| Appendix B | p. 299 |
| About the Authors | p. 303 |
| Index | p. 305 |
