Role-Based Access Control (RBAC) Lecture Notes (PDF)
Document Details
Uploaded by EfficaciousPlumTree
Alexandru Ioan Cuza University of Iași
2023
Ferucio Laurențiu Tiplea
Summary
These lecture notes cover Role-Based Access Control (RBAC), a specific security model for access control where users' access is tied to their roles within the system. The author, Prof.dr. Ferucio Laurențiu Tiplea from the “Alexandru Ioan Cuza” University of Iaşi, introduces the fundamental concepts of RBAC, including its various models and implementation in different contexts.
Full Transcript
Access Control: Role-based Access Control
Prof.dr. Ferucio Laurenţiu Ţiplea, Fall 2023
Department of Computer Science, “Alexandru Ioan Cuza” University of Iaşi, Iaşi 700506, Romania
e-mail: [email protected]

Outline
- Introduction to RBAC
- Base RBAC model
- Hierarchical RBAC model
- Constrained RBAC
- Consolidated RBAC
- RBAC, DAC, and MAC
- RBAC Implementations
- Concluding remarks

Introduction to RBAC

Role-based Access Control
RBAC: access to objects is regulated by the role the user has in an organization.
A bit of history:
- Formal approaches to access control were initiated in the early 1970s through DAC and MAC:
  - MAC was introduced based on military security needs, which sometimes makes it unsuitable for civilian applications. For example, MAC cannot properly enforce access control based on competencies, conflict-of-interest rules, or a strict concept of least privilege;
  - DAC has a focus on civilian applications, but it assumes that subjects own the resources. However, in companies (organizations, corporations, agencies, enterprises) the resources are not owned by subjects.
Prof.dr. F.L. Ţiplea, UAIC, RO. Lectures on Information Security: Access Control / RBAC. Fall 2022. 2 / 30

Role-based Access Control
A bit of history (cont.):
- A solution to meet these needs was proposed by Ferraiolo and Kuhn (1992) in the form of a non-discretionary access control model called role-based access control (RBAC);
- Later, Sandhu et al. (1996) introduced a framework for RBAC models, commonly known as RBAC96, also establishing a modular structure;
- Following a NIST initiative to reach an international consensus for the use of RBAC, Sandhu et al. (2000) proposed an RBAC standard. The standard was approved in 2004 and adopted as INCITS 359-2004 (NIST model for RBAC);
- The revision initiated in 2010 by NIST adds attributes to RBAC (Kuhn et al. (2010)). The latest version of the standard is INCITS 359-2012.

Base RBAC model

RBAC components
An RBAC model can be viewed as consisting of two separate but dependent classes of components:
- Static components: users, roles, permissions, and the relations between them;
- Dynamic components: subjects, role authorization, and object access authorization.

Users, roles, permissions
- User – any person who interacts directly with a computer system;
- Role – a set of actions and responsibilities associated with a particular working activity;
- Permission – a description of (a type of) authorized access to resources or to do something:
  - The RBAC model accommodates many interpretations for permissions. The nature of a permission depends on the system and implementation;
  - Permissions are positive: they confer the ability to perform actions in the system;
  - Constraints will model the prohibition to execute an action (some authors name them negative permissions).

The static components of an RBAC model
[Figure: users u1, ..., un; roles r1, ..., rm; permissions p1, ..., pk; the user-role assignment links users to roles and the role-permission assignment links roles to permissions]
- U: set of users;
- R: set of roles;
- P: set of permissions;
- UR ⊆ U × R: user-role assignment;
- RP ⊆ R × P: role-permission assignment.
We may view a permission as an abstract concept binding operations and objects: p ⊆ Op × O, where Op is a set of operations and O is a set of objects.

Roles vs. groups and compartments
- Organizations operate based on roles: identifying roles (as sets of permissions) in a system takes priority over identifying groups (as sets of users). This has the advantage of simplifying the understanding and management of permissions in the system.
  For instance, enumerating all permissions for roles is easy;
- Roles add a useful level of abstraction and may be more stable than groups;
- Groups are implementation-specific. For example, a file can be associated with only one group in some operating systems, while in others a file can be associated with several groups. But a role is defined by the permissions offered to the users who receive it, which makes the role independent of the implementation;
- The compartments in a lattice-based model allow one-way information flow based on a specific policy. Roles are not associated with any policy.

Subjects and sessions
- A session is an instance of a user’s dialog with a system;
- A subject is a running computer program (process) acting on behalf of a user;
- As a user’s actions on a computer system are performed through programs running on the computer, we often identify subjects with sessions.

The dynamic components of an RBAC model
[Figure: users, roles and permissions linked by UR and RP, plus subjects/sessions s1, ..., sℓ mapped to users by su and to roles by sr]
- subject-to-user mapping su : S → U;
- subject-to-role mapping sr : S → P(R);
- the roles of a subject s are among the roles of its user: sr(s) ⊆ UR(su(s)).

Role authorization and object access authorization
- Role authorization: a subject can never have an active role that is not authorized for its user:
  (∀s ∈ S)(∀r ∈ R)(r ∈ sr(s) ⇒ (su(s), r) ∈ UR)
- Object access authorization: a subject s can perform an operation op on object o only if there exists a role r in the subject’s active role set and a permission p assigned to r such that p authorizes the performance of op on o:
  access(s, op, o) ⇒ (∃r ∈ R)(∃p ∈ P)(r ∈ sr(s) ∧ (r, p) ∈ RP ∧ (op, o) ∈ p)

Conceptual level vs. system level
[Figure: at the conceptual level, users Bob and Alice are assigned the roles professor and secretary; the professor role has permissions r,w on the object Grade records and the secretary role has permission r on Records history. At the system level, the sessions Bob.Professor (r, w on Grade records.xlsx) and Alice.Secretary (r on Records history.dbf) act on the corresponding files]

Hierarchical RBAC model

Role hierarchies
Individual roles within an organization often have overlapping functions!
[Figure: a role hierarchy with the roles Professor, Associate Professor, Teaching staff, Faculty member, Secretary, and Staff]
- A role inheritance relation/scheme is a partial order relation ≥ on the set R of roles;
- If r1 ≥ r2 we say that r1 inherits r2.

Inheritance schemes
Role inheritance schemes may be defined in various ways, such as:
- Permission-based inheritance – here, the role is viewed just as a set of permissions. Then
  r1 ≥ r2 ⇔ RP(r2) ⊆ RP(r1)
- User- and permission-based inheritance – here, the role is viewed both as a set of permissions and as a set of users. Then
  r1 ≥ r2 ⇔ RP(r2) ⊆ RP(r1) ∧ UR⁻¹(r1) ⊆ UR⁻¹(r2)
- User-based inheritance – here, permissions are assigned to groups and groups are mapped to roles.
  Then
  r1 ≥ r2 ⇔ UR⁻¹(r1) ⊆ UR⁻¹(r2)

Role authorized users and permissions
- A user u is authorized for a role r if u has been assigned a role r′ that inherits r. The set of users authorized for the role r is
  {u ∈ U | ∃r′ : (u, r′) ∈ UR ∧ r′ ≥ r}.
  Users with more powerful roles may play less powerful roles!
- A permission p is authorized for a role r if p is assigned to a role r′ inherited by r. The set of permissions authorized for the role r is
  {p ∈ P | ∃r′ : (r′, p) ∈ RP ∧ r′ ≤ r}.
  Permissions of less powerful roles are available to more powerful roles!

The hierarchical RBAC model
[Figure: the static and dynamic components as before, with the role hierarchy drawn on the set of roles]

Constrained RBAC

Constraints
- Constraints play an essential role in shaping a system. They can simplify the design, create a better view of the system, and bring more power.
- In RBAC, constraints play a significant role. They can help create roles or permissions with mutual exclusion, and control the assignment of roles per user or permissions per role: number of roles/permissions, prerequisite roles/permissions, etc.

Enforcing constraints
[Figure: the hierarchical RBAC model with constraints attached to its components]
- Static constraints – applied to the static components (UR, RP, role hierarchy);
- Dynamic constraints – applied to the dynamic components (sessions, sr).

Separation of duty
American National Standards Institute: Separation of Duty (SoD) means “Dividing responsibility for sensitive information so that no individual acting alone can compromise the security of the data processing system.”
There exists a great variety of SoD models (see Simon and Zurko (1997)). Two broad categories of SoD methods are:
- static (SSD) – place constraints on roles at the time users are authorized for roles, and
- dynamic (DSD) – invoked when the users are actively using the system.

Static SoD
[Figure: the hierarchical RBAC model with an SSD constraint on the user-role assignment and role hierarchy]
Example 1. Professor Bob cannot be a member of both the Examination Board and the Appeal Examination Board.

Dynamic SoD
[Figure: the hierarchical RBAC model with a DSD constraint on the subjects/sessions]
Example 2. Bob can be a member of both the Examination Board and the Appeal Examination Board, but the two roles cannot both be active in the same session.

Operational SoD
[Figure: the hierarchical RBAC model with static and dynamic OSD constraints]
Operational SoD (OSD) – no single user is allowed to perform all operations required for a critical function. OSD can be enforced as an SSD/DSD with additional constraints on RP.

Consolidated RBAC

Consolidated RBAC
Consolidated RBAC combines hierarchical and constrained RBAC.
[Figure: Consolidated RBAC at the top, Hierarchical RBAC and Constrained RBAC below it, Basic RBAC at the bottom]
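The consolidated model defined on the slides above, as an added example that is not part of the lecture notes: a small Python implementation of UR, RP, a role hierarchy, sessions with active roles sr(s), the role-authorization and object-access checks, one SSD constraint (the Examination Board / Appeal Examination Board pair of Example 1) and one DSD constraint. All users, roles, objects, the hierarchy edges and the DSD pair (Professor/Secretary) are constructed sample data, not taken from the slides.

```python
# Added example, not from the lecture notes: a small consolidated RBAC engine
# that puts the formal definitions together (UR, RP, role hierarchy, sessions
# with active roles, one SSD and one DSD constraint). All data is constructed.

# Static components. A permission is a set of (op, object) pairs, p <= Op x O.
UR = {("bob", "Professor"), ("bob", "ExamBoard"), ("alice", "Secretary"),
      ("carol", "AppealBoard"), ("dave", "Professor"), ("dave", "Secretary")}
RP = {
    "FacultyMember": {("r", "Records history")},
    "TeachingStaff": {("r", "Grade records")},
    "Professor": {("w", "Grade records")},
    "Secretary": {("r", "Records history"), ("w", "Records history")},
    "ExamBoard": {("w", "Exam results")},
    "AppealBoard": {("w", "Appeal decisions")},
}
# Role hierarchy as direct "r1 inherits r2" edges; >= is the reflexive-transitive closure.
INHERITS = {"Professor": {"TeachingStaff"}, "TeachingStaff": {"FacultyMember"}}
# SSD (Example 1): a user may not be authorized for both roles of a set.
SSD = [{"ExamBoard", "AppealBoard"}]
# DSD (constructed pair): both roles may be assigned, but not active in one session.
DSD = [{"Professor", "Secretary"}]

def geq(r1, r2):
    """r1 >= r2: r1 inherits r2 (reflexive, transitive)."""
    stack, seen = [r1], set()
    while stack:
        r = stack.pop()
        if r == r2:
            return True
        if r not in seen:
            seen.add(r)
            stack.extend(INHERITS.get(r, ()))
    return False

def authorized_roles(u, ur=UR):
    """{r | exists r' : (u, r') in UR and r' >= r}: the roles u may activate."""
    return {r for r in RP if any(geq(r1, r) for (u1, r1) in ur if u1 == u)}
def authorized_perms(r):
    """{p | exists r' : (r', p) in RP and r' <= r}: own plus inherited permissions."""
    return set().union(*(RP[r1] for r1 in RP if geq(r, r1)))
def ssd_ok(ur=UR):
    """Static SoD over the hierarchy: no user is authorized for two roles of an SSD set."""
    return all(len(s & authorized_roles(u, ur)) < 2 for s in SSD for (u, _) in ur)

def open_session(u, roles):
    """Role authorization sr(s) <= UR(su(s)) plus DSD; returns None when denied."""
    active = set(roles)
    if not active <= authorized_roles(u):
        return None                      # role not authorized for this user
    if any(s <= active for s in DSD):
        return None                      # dynamic separation of duty violated
    return {"su": u, "sr": active}
def access(session, op, obj):
    """Object access authorization: some active role holds (op, obj)."""
    return any((op, obj) in authorized_perms(r) for r in session["sr"])
```

Activating only TeachingStaff in a session lets bob read but not write Grade records, which is the "more powerful roles may play less powerful roles" point applied as least privilege.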
RBAC, DAC, and MAC

RBAC, DAC, and MAC
RBAC is neither DAC nor MAC! However, RBAC can be configured to do both DAC and MAC (details, which are more of a theoretical interest, can be found in Osborn et al. (2000)).

  Model   Policy     Basis
  DAC     fixed      owner’s discretion
  MAC     fixed      one-way information flow (IF)
  RBAC    flexible   policy-independent

In practice, we never simulate DAC or MAC through RBAC (it is too costly). However, we often combine DAC, MAC, and RBAC.

RBAC Implementations

Integrating RBAC with enterprise IT infrastructures
RBAC can be integrated with technologies such as:
- Workflow management systems (Kandala and Sandhu (2001));
- Web applications (Park et al. (2001));
- Windows and UNIX OS;
- Distributed or network file systems (Dekker et al. (2008));
- Java;
- Oracle API Gateway, a comprehensive platform for managing, delivering, and securing Web APIs, uses the RBAC model. It is available on Windows, Linux, and Solaris;
- Microsoft Azure RBAC, which provides fine-grained access to Azure resources (see the Microsoft Azure RBAC documentation);
- Windows 365 (see the Microsoft Windows 365 Enterprise documentation);
- etc.

RBAC in Windows 365
[Figure only]

RBAC in UNIX-like OSs
[Figure only]

Concluding remarks

Concluding remarks
- RBAC simplifies security administration by using roles, hierarchies, and constraints;
- RBAC reduces costs within an organization because it takes into account that employees change much more frequently than the duties within positions;
- RBAC can be configured to support a large variety of access control policies, including DAC and MAC policies;
- RBAC is suited to a large variety of applications and software system environments.

Readings
In addition to the materials indicated so far, I recommend:
- Ferraiolo et al. (2007);
- Chapters 6 and 7 of Conrad et al. (2016);
- Chapters 3 and 4 of Andress (2014);
- Chapter 11 of Collins (2014);
- Chapter 23 of Bertino (2012);
- Samarati and de Capitani di Vimercati (2001).

References
Andress, J. (2014). The Basics of Information Security: Understanding the Fundamentals of Infosec in Theory and Practice. Syngress, Elsevier, Boston, 2nd edition.
Bertino, E. (2012). Chapter 23 - Policies, access control, and formal methods. In Das, S. K., Kant, K., and Zhang, N., editors, Handbook on Securing Cyber-Physical Critical Infrastructure, pages 573–594. Morgan Kaufmann, Boston.
Collins, L. (2014). Chapter 11 - Access controls. In Vacca, J. R., editor, Cyber Security and IT Infrastructure Protection, pages 269–280. Syngress, Boston.
Conrad, E., Misenar, S., and Feldman, J. (2016). CISSP Study Guide. Syngress, Elsevier, 3rd edition.
Dekker, M., Crampton, J., and Etalle, S. (2008). RBAC administration in distributed systems. In Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, SACMAT ’08, pages 93–102, New York, NY, USA. Association for Computing Machinery.
Ferraiolo, D. and Kuhn, R. (1992). Role-based access controls. In 15th National Computer Security Conference Proceedings “Information Systems Security: Building Blocks to the Future”, pages 554–563, Baltimore, Maryland, US. National Institute of Standards and Technology, National Computer Security Center.
Ferraiolo, D. F., Kuhn, D. R., and Chandramouli, R. (2007). Role-Based Access Control. Artech House, Inc., USA, 2nd edition.
Kandala, S. and Sandhu, R. S. (2001). Secure role-based workflow models. In DBSec.
Kuhn, D. R., Coyne, E. J., and Weil, T. R. (2010). Adding attributes to role-based access control. Computer, 43(6):79–81.
Osborn, S., Sandhu, R., and Munawer, Q. (2000). Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM Transactions on Information and System Security, 3(2):85–106.
Park, J. S., Sandhu, R., and Ahn, G.-J. (2001). Role-based access control on the web. ACM Transactions on Information and System Security, 4(1):37–71.
Samarati, P. and de Capitani di Vimercati, S. (2001). Access control: Policies, models, and mechanisms. In Focardi, R. and Gorrieri, R., editors, Foundations of Security Analysis and Design, pages 137–196, Berlin, Heidelberg. Springer.
Sandhu, R., Ferraiolo, D., and Kuhn, R. (2000). The NIST model for role-based access control: Towards a unified standard. In Proceedings of the Fifth ACM Workshop on Role-Based Access Control, RBAC ’00, pages 47–63, New York, NY, USA. Association for Computing Machinery.
Sandhu, R. S., Coyne, E. J., Feinstein, H. L., and Youman, C. E. (1996). Role-based access control models. Computer, 29(2):38–47.
Simon, R. and Zurko, M. (1997). Separation of duty in role-based environments. In Proceedings 10th Computer Security Foundations Workshop, pages 183–194.