PBDM: A Flexible Delegation Model in RBAC - PowerPoint PPT Presentation

About This Presentation
Title:

PBDM: A Flexible Delegation Model in RBAC

Description:

A user can create delegation role by his discretion. ... A delegation role D3 owned by PL' and delegated to QE': Create a temporary delegation role D3 ... – PowerPoint PPT presentation

Number of Views:82
Avg rating:3.0/5.0
Slides: 18
Provided by: LEX14
Category:

less

Transcript and Presenter's Notes

Title: PBDM: A Flexible Delegation Model in RBAC


1
  • PBDM A Flexible Delegation Model in RBAC
  • Xinwen Zhang, Sejong Oh
  • George Mason University
  • Ravi Sandhu
  • George Mason University and NSD Security

2
Outline
  • Motivations
  • Related Works
  • PBDM0 user-to-user delegation
  • PBDM1 user-to-user delegation
  • PBDM2 role-to-role delegation
  • Conclusions and future work

3
Motivations
  • Permission level delegations are needed in many
    cases

4
Motivations(contd)
  • User-to-user delegations
  • John delegates some of his permissions to Jenny
    when he is out of town
  • Role-to-role delegations
  • A professor can delegate check-email permission
    to a TA
  • Multi-step delegation and revocation
  • Jenny can delegate some permissions from John to
    Jim

5
Related Works
  • RBDM0
  • E.Barka et al, NISSC 2000, ACSAC 2000
  • A delegation framework
  • User-to-user delegation
  • Role-level delegation
  • RDM2000
  • L.Zhang et al, SACMAT 2002
  • Role-level delegation
  • Multi-step delegation

6
PBDM0
  • Permission-based Delegation Model
  • A user-to-user delegation model
  • John creates a temporary delegation role D1.
  • John assigns the permission change_schedule" to
    D1 with permission-role assignment and role PE
    to D1 with role-role assignment.
  • John assigns Jenny to D1 with user-role
    assignment.

7
PBDM0
  • RR regular roles
  • DTR delegation roles
  • Controlled by security administrator
  • UAR user-regular role assignment
  • PAR permission-regular role assignment
  • Controlled by individual user
  • UAD user-delegation role assignment
  • PAD permission-delegation role assignment

8
PBDM0
9
PBDM1
  • Problems in PBDM0
  • A user can create delegation role by his
    discretion. Invalid permission flow can happen
    with malicious user. There reason is that there
    is no security administrator involvement in
    delegation.
  • Cannot support role-to-role delegation, since
    delegation role cannot be assigned to a regular
    role.
  • PBDM1
  • Extension from PBDM0
  • Permissions of a role are separated into two
    parts regular and delegatable.
  • Only delegatable permissions can be used to
    create delegation roles.
  • User-to-user delegation

10
PBDM1
  • RR regular roles
  • DBR delegatable roles
  • DTR delegation roles
  • One-to-one map between RR and DBR

11
PBDM1
12
PBDM1
  • UAR, UAB, PAR, and PAB are managed by security
    administrator.
  • UAD and PAD are managed by individual user.
  • Revocation options
  • By a user
  • Remove a user from delegatees, that is, revoke
    the user-delegation role assignment.
  • Remove one or more pieces of permissions from
    delegation role.
  • Revoke delegation role.
  • By a security administrator
  • Remove one or more pieces of permission from a
    delegatable role to its regular role.
  • Revoke a user from regular role and delegatable
    role.

13
PBDM2
  • Extension from PBDM1
  • A role-to-role delegation model
  • A role is separated into three layers
  • Regular role(RR) permissions cannot be
    delegated.
  • Fixed delegatable role(FDBR) permission can be
    delegated.
  • Temporal delegatable role(TDBR) inherit
    permissions from delegation roles with role-role
    assignment(RAD).
  • Delegation roles (DTR) are assigned to temporal
    delegatable role
  • Since there is no role hierarchy with TDBR,
    illegal permission flow will not happen.

14
PBDM2
  • A delegation role D3 owned by PL and delegated
    to QE
  • Create a temporary delegation role D3
  • assign the permission change_schedule" to D3
  • assign role PE to D3
  • Assign D3 to QE

15
PBDM2
  • RR, FDBR, TDBR, DTR
  • RRH, FDBRH
  • UAR, UAFB, UATB
  • PAR, PAFB, PADB
  • RAD delegation role-temporal delegatable role
    assignment

16
PBDM2
  • Revocation options
  • Remove one or more pieces of permissions from
    delegation role.
  • Revoke delegation role owned by a fixed
    delegatable role.
  • Remove one or more pieces of permission from a
    fixed delegatable role to its regular role.

17
Conclusions and Future Work
  • Conclusions
  • Present a permission-based delegation model
    family, PBDM0, PBDM1, and PBDM2.
  • Support user-to-user and role-to-role delegation
  • Support multi-step delegation
  • Support multi-option revocation
  • Flexible delegation administration
  • Future work
  • Constraints in RBAC delegation, such as
    separation of duty
  • Delegation management in decentralized
    environment
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "PBDM: A Flexible Delegation Model in RBAC" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!