RABAC: Role-Centric Attribute-Based Access Control
MMM-ACNS 2012
Xin Jin, Ravi Sandhu, Ram Krishnan
University of Texas at San Antonio
San Antonio, TX, USA
World-Leading Research with Real-World Impact!
Institute for Cyber Security
OUTLINE
Motivation
Proposed Model
XACML Profile
Conclusion
Role Based Access Control
Role Explosion: the number of roles is supposed to be much smaller than the number of users.
Role Explosion: different roles have to be defined for slightly different sets of permissions.
Example
Figure: a Doctor role over Patient Documents, and a Visit Doctor (Attending Doctor) role over projects prj1, prj2, prj3, ..., prjn, subject to time and device constraints; a document is revealed only for a specific project.
One doctor role for each set of patients.
One VisitDoctor role for each project.
Related Work
Role Template, Parameterized Role, Attributed Role, etc.
Two level RBAC (SACMAT 12)
Environment Role, Object Role
Automatic user-role assignment, TrustBAC
Relationship based access control (ReBAC)
Role and organization based access control (ROBAC)
These approaches require modifying the user-role and role-permission assignments. Role engineering is the most costly part of constructing an RBAC system.
Why can't we design a solution that can be enforced with the least impact on the current deployment?
Motivation
NIST proposed three alternative revisions to the RBAC standard:
Attribute Centric
Totally attribute based; a role is just one user attribute
Related work: ABAC-alpha model [Jin, DBSEC12], etc.
Dynamic Roles
Automatic user-role assignment [Kahtani & Sandhu], etc.
Role Centric RBAC
Not much research so far.
Building on our previous work on ABAC-alpha, we provide a formal model for role-centric attribute-based access control.
Model Components
Filtering Policy
How to specify?
Language for Policy
Common Policy Language (CPL):
LCondition, used to specify each condition, is an instance of CPL where:
Example:
type(o) = studentrecord ∧ (owner(o) ∈ GameClub ∨ ∃reader ∈ reader(o). reader = user3)
LFilter, used to specify each filter, is an instance of CPL where:
Example:
major(u) = major(o) ∧ (location(u) = utsa ∨ ∃project ∈ involvedprj(u). project = proj(o))
Access Checking
Apply the filtering policy to obtain the final set of permissions available in the session.
Check the user's request against that set.
Package Building Path
Advantage
Figure: the Doctor role on Patient Document is filtered on doctorof(o) and u; the Visit Doctor role is filtered on proj(o), proj(u), device and time.
Two role definitions are enough.
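The access-checking steps and the two-role Doctor / VisitDoctor example worked through in Python, as an added illustration that is not the authors' code: role permissions come straight from RBAC, and a per-role filter over user and object attributes (doctorof, proj and device from the slides; the record ids, users and the hospital-ws device rule are constructed) prunes them in the session.

```python
# RABAC access check: RBAC role permissions pruned by attribute filters.
# Added illustration, not the authors' code. Attribute names (doctorof, proj,
# device) follow the slides' Doctor/VisitDoctor example; record ids, users and
# the device rule are constructed for this example.

# Role-permission assignment (PA), unchanged from plain RBAC: one Doctor role
# and one VisitDoctor role cover every patient document.
ROLE_PERMS = {
    "Doctor": {("read", "rec1"), ("read", "rec2"), ("read", "rec3")},
    "VisitDoctor": {("read", "rec1"), ("read", "rec2"), ("read", "rec3")},
}

# Filtering policy: one LFilter predicate per role over (u, o).
#   Doctor:       doctorof(o) = u
#   VisitDoctor:  proj(o) ∈ proj(u) ∧ device(u) = hospital-ws   (constructed)
FILTERS = {
    "Doctor": lambda u, o: o["doctorof"] == u["uid"],
    "VisitDoctor": lambda u, o: (o["proj"] in u["proj"]
                                 and u["device"] == "hospital-ws"),
}

# Constructed users (with their role assignment UA) and objects.
USERS = {
    "alice": {"uid": "alice", "roles": {"Doctor", "VisitDoctor"},
              "proj": {"prj2"}, "device": "hospital-ws"},
    "bob": {"uid": "bob", "roles": {"Doctor"}, "proj": {"prj1"}, "device": "laptop"},
}
OBJECTS = {
    "rec1": {"doctorof": "alice", "proj": "prj1"},
    "rec2": {"doctorof": "bob", "proj": "prj2"},
    "rec3": {"doctorof": "bob", "proj": "prj3"},
}


def rbac_perms(uid, active_roles):
    """Plain RBAC: union of the permissions of the user's activated roles."""
    roles = active_roles & USERS[uid]["roles"]
    return set().union(*(ROLE_PERMS[r] for r in roles))


def session_perms(uid, active_roles):
    """RABAC: keep a role's permission only if that role's filter holds for (u, o)."""
    u = USERS[uid]
    return {(op, oid) for r in active_roles & u["roles"]
            for (op, oid) in ROLE_PERMS[r] if FILTERS[r](u, OBJECTS[oid])}


def check_access(uid, active_roles, op, oid):
    """Final check of a request against the session's filtered permissions."""
    return (op, oid) in session_perms(uid, active_roles)
```

With the same Doctor role definition, alice and bob end up with different effective permissions, so no per-patient or per-project role is needed.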
XACML Profile for RABAC
Figure: the XACML Profile for RBAC, with XACML used to express the permission filtering policy.
Conclusion
Main contribution: the RABAC model, an extension of RBAC with a filtering policy; languages for specifying the policy; modified functions for access checking.
Advantages: no modification to the original deployment while mitigating the role explosion problem; retains the administration convenience of RBAC; offers added flexibility.
Future work: distinguish user attributes from session attributes; enhance the policy language.