1
TRBAC: A Temporal Role-Based Access Control Model
  • Elisa Bertino
  • CERIAS and CS Department
  • Purdue University

2
What is TRBAC?
  • RBAC model [Sandhu 98]
  • plus temporal constraints on role
    activations/deactivations
3
What is TRBAC?
  • An active role is a role that a user can activate
    during a session (that is, the user can acquire
    the role)
  • A role can be active in certain time periods and
    non-active in others
  • Role activation: non-active → active
  • Role deactivation: active → non-active

4
Why TRBAC?
  • Often roles are characterized by a temporal
    dimension
  • Job functions may have limited or periodic time
    duration
  • There may be activation dependencies among roles

5
TRBAC Main Features
  • Periodic activations/deactivations of roles
  • Temporal dependencies among role
    activations/deactivations

6
TRBAC Main Features
  • Role triggers may cause either
  • Immediate activations/deactivations, or
  • Deferred activations/deactivations
  • Run-time requests to dynamically change the
    status of a role

7
TRBAC Main Features
  • Priorities for
  • Periodic activations/deactivations
  • Role triggers
  • Run-time requests
  • Priorities are used for conflict resolution

8
TRBAC Periodic Events
  • Definition (Periodic Event)
  • A periodic event is a tuple (I, P, p:E) where I
    is a time interval, P is a periodic expression,
    p:E is a prioritized event expression (p a priority,
    e.g. VH = very high, H = high),
    E ∈ {activate R, deactivate R}, R ∈ Roles

Examples:
  ([7/1/00, 12/31/00], night-time, VH:activate doctor-on-night-duty)
  ([7/1/00, 12/31/00], day-time, VH:deactivate doctor-on-night-duty)
9
TRBAC Role Triggers
  • Definition (Role Trigger)
  • Role triggers are of the form
    E1, ..., En, C1, ..., Ck → p:E after Δt
    where the Ei are event expressions,
    Ei ∈ {activate R, deactivate R}, the Cj are role
    status expressions, Cj ∈ {active R, not active R},
    R ∈ Roles, p:E is a prioritized event
    expression and Δt is a temporal displacement
10
Role Triggers Example
  activate doctor-on-night-duty → VH:activate nurse-on-night-duty
  activate nurse-on-day-duty → H:activate nurse-on-training after 2 hours
11
Role Activation Base
  RAB = Periodic Events + Role Triggers
12
TRBAC Runtime Request Expressions
  • Definition (Runtime Request Expression)
  • A runtime request expression has the form
    p:E after Δt
    where p:E is a prioritized event expression
    and Δt is a temporal displacement

Examples:
  deactivate nurse-on-training after 2 hours
  activate emergency-doctor
13
TRBAC Formal Aspects
  • The execution model of a RAB specifies, for each
    instant t, the set of events that should occur at
    time t according to
  • the periodic events and triggers in the RAB
  • the runtime request expressions
  • the priorities
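The execution model of slides 8 to 13 as an added, simplified implementation written for this page, not the TRBAC paper's own code. Assumptions: one tick is one hour and periodic expressions are Python predicates on the tick; immediate triggers react to the events proposed at an instant before priorities are applied, with status conditions checked against the role status holding just before that instant; an equal-priority clash between activate R and deactivate R is reported as ambiguous (the situation of slide 14) rather than resolved. The nurse-on-day-duty periodic events, the deactivation trigger for nurse-on-night-duty, the "not active nurse-on-training" condition and the VH deactivation request at hour 10 are constructed additions to the slides' examples:

```python
"""Toy execution model for a TRBAC role activation base (RAB).
Added illustration for this page, not the TRBAC paper's own code.  One tick
is one hour, periodic expressions are predicates on the tick, immediate
triggers react to the events proposed at an instant (before priorities are
applied) with status conditions checked against the status holding just
before that instant, and an equal-priority clash is rejected as ambiguous."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

PRIORITY = {"L": 0, "M": 1, "H": 2, "VH": 3}   # low < medium < high < very high

@dataclass(frozen=True)
class Event:
    action: str        # "activate" or "deactivate"
    role: str
    prio: str = "M"    # key into PRIORITY

@dataclass(frozen=True)
class PeriodicEvent:
    """(I, P, p:E): during [start, end] fire event at every tick where period(t) holds."""
    start: int
    end: int
    period: Callable[[int], bool]
    event: Event

@dataclass(frozen=True)
class Trigger:
    """E1, ..., En, C1, ..., Ck -> p:E after delay (0 = immediate)."""
    events: Tuple[Tuple[str, str], ...]       # (action, role) pairs that must all occur at t
    conditions: Tuple[Tuple[str, str], ...]   # ("active" | "not active", role)
    event: Event
    delay: int = 0

def day_time(t: int) -> bool:
    return 8 <= t % 24 < 20

def night_time(t: int) -> bool:
    return not day_time(t)

def _conditions_hold(conds, active: Set[str]) -> bool:
    return all((role in active) == (kind == "active") for kind, role in conds)

def _resolve(candidates: List[Event], t: int) -> Dict[str, str]:
    """Per role the highest priority wins; an equal-priority activate/deactivate
    clash would admit more than one model, so it is rejected."""
    best: Dict[str, Dict[str, int]] = defaultdict(dict)
    for ev in candidates:
        best[ev.role][ev.action] = max(best[ev.role].get(ev.action, -1), PRIORITY[ev.prio])
    decided = {}
    for role, by_action in best.items():
        if len(by_action) == 2:
            a, d = by_action["activate"], by_action["deactivate"]
            if a == d:
                raise ValueError(f"ambiguous RAB: activate/deactivate {role} with equal priority at t={t}")
            decided[role] = "activate" if a > d else "deactivate"
        else:
            decided[role] = next(iter(by_action))
    return decided

def run(periodic, triggers, requests, horizon: int) -> List[Set[str]]:
    """Active-role set after each tick 0..horizon-1; requests are (issue_tick, p:E, delay)."""
    active: Set[str] = set()
    pending: Dict[int, List[Event]] = defaultdict(list)
    for issued, ev, delay in requests:
        pending[issued + delay].append(ev)
    timeline = []
    for t in range(horizon):
        candidates = list(pending.pop(t, []))
        candidates += [pe.event for pe in periodic if pe.start <= t <= pe.end and pe.period(t)]
        fired: Set[Trigger] = set()
        while True:   # immediate triggers may cascade within one tick: iterate to a fixpoint
            occurring = {(e.action, e.role) for e in candidates}
            new = [tr for tr in triggers if tr not in fired
                   and set(tr.events) <= occurring and _conditions_hold(tr.conditions, active)]
            if not new:
                break
            for tr in new:
                fired.add(tr)
                (candidates.append if tr.delay == 0 else pending[t + tr.delay].append)(tr.event)
        for role, action in _resolve(candidates, t).items():
            (active.add if action == "activate" else active.discard)(role)
        timeline.append(set(active))
    return timeline

def demo(horizon: int = 48) -> List[Set[str]]:
    """Slides 8, 10 and 12 plus constructed events (marked) to exercise priorities and deferral."""
    doc, nn, nd, nt = "doctor-on-night-duty", "nurse-on-night-duty", "nurse-on-day-duty", "nurse-on-training"
    periodic = [PeriodicEvent(0, horizon, night_time, Event("activate", doc, "VH")),
                PeriodicEvent(0, horizon, day_time, Event("deactivate", doc, "VH")),
                PeriodicEvent(0, horizon, day_time, Event("activate", nd, "H")),        # constructed
                PeriodicEvent(0, horizon, night_time, Event("deactivate", nd, "H"))]    # constructed
    triggers = [Trigger((("activate", doc),), (), Event("activate", nn, "VH")),
                Trigger((("deactivate", doc),), (), Event("deactivate", nn, "VH")),     # constructed
                Trigger((("activate", nd),), (("not active", nt),), Event("activate", nt, "H"), delay=2)]
    requests = [(10, Event("deactivate", nd, "VH"), 0),   # constructed: VH beats the H periodic activation
                (12, Event("deactivate", nt, "H"), 2),    # "deactivate nurse-on-training after 2 hours"
                (14, Event("activate", "emergency-doctor", "H"), 0)]   # "activate emergency-doctor"
    return run(periodic, triggers, requests, horizon)
```

At hour 10 the VH run-time deactivation of nurse-on-day-duty beats the H periodic activation, so the role is down for that hour only and comes back at hour 11 when the periodic event fires again unopposed; the deferred trigger shows up as nurse-on-training appearing two hours after the first day-duty activation.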

14
TRBAC Formal Aspects
  • Some specifications may yield no execution model,
    while some ambiguous specifications may admit two
    or more models

15
TRBAC Formal Aspects
  • A safeness condition guarantees that a given
    RAB has exactly one model
  • It exploits the notion of dependency graph
  • No cycles involving conflicting events
  • The safeness check is polynomial in the size of the RAB
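The dependency-graph check of slide 15 as an added example written for this page, not the paper's own procedure. The graph construction is an assumption that follows the slide's description: nodes are event expressions, each immediate trigger (Δt = 0) contributes an edge from every body event to its head event, and every event gets an edge from its conflicting event (activate R versus deactivate R) because the one can block the other in the same instant; a cycle that uses both a trigger edge and a conflict edge is taken as a cycle "involving conflicting events". Status conditions are ignored, the trigger tuple layout is assumed, and EXAMPLE_RAB and LOOPING_RAB are constructed from the slide 10 triggers:

```python
"""Safeness check for a TRBAC role activation base via a dependency graph.
Added illustration for this page, not the paper's own procedure; the graph
construction is an assumption following slide 15.  Nodes are event
expressions (action, role).  Trigger edges E_i -> E come from immediate
triggers (delay 0); conflict edges ~E -> E record that E can be blocked by
its conflicting event in the same instant.  A cycle using both kinds of edge
is a cycle 'involving conflicting events'.  Status conditions are ignored."""
from collections import deque
from typing import Dict, List, Sequence, Set, Tuple

Event = Tuple[str, str]                        # ("activate" | "deactivate", role)
Trigger = Tuple[Sequence[Event], Event, int]   # (body events E_1..E_n, head event, delay)

def conflicting(ev: Event) -> Event:
    action, role = ev
    return ("deactivate" if action == "activate" else "activate", role)

def dependency_graph(triggers: Sequence[Trigger]):
    roles: Set[str] = set()
    trig: Set[Tuple[Event, Event]] = set()
    for body, head, delay in triggers:
        roles.update(r for _, r in body)
        roles.add(head[1])
        if delay == 0:                         # deferred triggers create no same-instant dependency
            trig.update((e, head) for e in body)
    nodes = {(a, r) for r in roles for a in ("activate", "deactivate")}
    conf = {(conflicting(n), n) for n in nodes}
    return nodes, trig, conf

def unsafe_cycles(triggers: Sequence[Trigger]) -> List[List[Event]]:
    """A cycle with a trigger edge and a conflict edge exists iff for some
    trigger edge E -> S (S != E) the conflicting event ~E is reachable from S
    without revisiting E; the cycle then closes through ~E -> E -> S.
    Returns each such cycle as a node list starting at E; empty means safe.
    One BFS per trigger edge, so polynomial in the size of the RAB."""
    nodes, trig, conf = dependency_graph(triggers)
    adj: Dict[Event, List[Event]] = {n: [] for n in nodes}
    for a, b in trig | conf:
        adj[a].append(b)
    cycles = []
    for e, s in sorted(trig):
        if s == e:                             # a positive self-loop is harmless
            continue
        target, parent = conflicting(e), {s: None}
        queue = deque([s])
        while queue:
            v = queue.popleft()
            if v == target:
                path = []
                while v is not None:
                    path.append(v)
                    v = parent[v]
                cycles.append([e] + path[::-1])
                break
            for w in adj[v]:
                if w != e and w not in parent:
                    parent[w] = v
                    queue.append(w)
    return cycles

def is_safe(triggers: Sequence[Trigger]) -> bool:
    return not unsafe_cycles(triggers)

# The slide 10 triggers as (body, head, delay); the second one is deferred and adds no edge.  Safe.
EXAMPLE_RAB: List[Trigger] = [
    ([("activate", "doctor-on-night-duty")], ("activate", "nurse-on-night-duty"), 0),
    ([("activate", "nurse-on-day-duty")], ("activate", "nurse-on-training"), 2),
]
# Constructed: an immediate trigger that closes a loop through conflicting events.  Unsafe.
LOOPING_RAB: List[Trigger] = EXAMPLE_RAB + [
    ([("activate", "nurse-on-night-duty")], ("deactivate", "doctor-on-night-duty"), 0),
]
```

Why a plain cycle search over all edges would be wrong: a pair of conflict edges already forms a two-node cycle for every role, and a loop of immediate activations (activate A fires activate B fires activate A) is monotone and harmless, so only cycles that mix the two edge kinds are reported.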

16
TRBAC Architectural Aspects
  • At each instant the system must know which roles
    are active, on the basis of the RAB and the
    runtime requests
  • A request by a user to activate a role is
    authorized if
  • the user has the authorization to play that role, and
  • the role is active at the time of the request

17
A Possible Architecture
18
Generalized TRBAC (GTRBAC)
  • Motivations
  • TRBAC does not distinguish between a role being
    enabled and a role being active
  • A role is enabled if the temporal conditions
    associated with it are satisfied
  • A role is active if a user has logged into the role
    (activated it in a session)
  • Only enabled roles can be activated
  • Because of this limitation, TRBAC cannot support
    some forms of constraints, such as the maximum
    number of activations of a role by a user in a
    given time interval

19
GTRBAC
  • GTRBAC extends TRBAC by introducing temporal
    conditions on
  • User-role assignments
  • Role-permission assignments
  • A large number of constraints can thus be
    supported

20
GTRBAC Examples of Constraints
  • Constraints on the number of concurrent
    activations
  • there can be at most 10 users activating the
    role DayDoctor at a time
  • Constraints on the number of total activations in
    a given period
  • the role HeadNurse can be activated at most 2
    times per day
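The enabled/active distinction of slide 18 together with the two constraints of slide 20, as an added example written for this page, not GTRBAC's own code. The SessionManager API, the hour-based clock with a 24-tick day and the user names are assumptions; activations are counted per role within the current period, which is how "HeadNurse can be activated at most 2 times per day" is read here:

```python
"""GTRBAC-style session manager: roles must be enabled before they can be
activated, with a concurrent-activation cardinality and a per-period activation
count.  Added illustration for this page, not GTRBAC's own code."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class RoleConstraints:
    max_concurrent: Optional[int] = None   # at most N users active in the role at one time
    max_per_period: Optional[int] = None   # at most N activations of the role per period
    period: int = 24                       # period length in ticks; one tick is an hour (assumed)

@dataclass
class SessionManager:
    constraints: Dict[str, RoleConstraints]
    enabled: Set[str] = field(default_factory=set)   # roles whose temporal conditions currently hold
    active: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))         # role -> users
    activations: Dict[str, List[int]] = field(default_factory=lambda: defaultdict(list))  # role -> ticks

    def enable(self, role: str) -> None:
        self.enabled.add(role)

    def disable(self, role: str) -> None:
        """Only enabled roles can be active, so disabling ends every session in the role."""
        self.enabled.discard(role)
        self.active[role].clear()

    def activate(self, user: str, role: str, t: int) -> Tuple[bool, str]:
        if role not in self.enabled:
            return False, "role not enabled"
        if user in self.active[role]:
            return False, "already active"
        c = self.constraints.get(role, RoleConstraints())
        if c.max_concurrent is not None and len(self.active[role]) >= c.max_concurrent:
            return False, "concurrent activation limit"
        window_start = t - t % c.period
        in_window = [s for s in self.activations[role] if s >= window_start]
        if c.max_per_period is not None and len(in_window) >= c.max_per_period:
            return False, "activation count limit"
        self.active[role].add(user)
        self.activations[role].append(t)
        return True, "ok"

    def deactivate(self, user: str, role: str) -> None:
        self.active[role].discard(user)

def demo() -> List[Tuple[bool, str]]:
    """Slide 20: at most 10 concurrent DayDoctor users; HeadNurse activated at most 2 times per day."""
    sm = SessionManager({"DayDoctor": RoleConstraints(max_concurrent=10),
                         "HeadNurse": RoleConstraints(max_per_period=2)})
    out = [sm.activate("d0", "DayDoctor", 9)]            # denied: DayDoctor not enabled yet
    sm.enable("DayDoctor")
    sm.enable("HeadNurse")
    out += [sm.activate(f"d{i}", "DayDoctor", 9) for i in range(11)]   # the 11th user is denied
    out.append(sm.activate("n1", "HeadNurse", 8))
    sm.deactivate("n1", "HeadNurse")
    out.append(sm.activate("n2", "HeadNurse", 12))
    sm.deactivate("n2", "HeadNurse")
    out.append(sm.activate("n1", "HeadNurse", 15))       # denied: third activation on the same day
    out.append(sm.activate("n1", "HeadNurse", 26))       # allowed: a new day has started
    return out
```

The per-period counter is kept per role rather than per user because that is what the slide's wording asks for; a per-user variant (the constraint slide 18 says TRBAC cannot express) only needs the activations dictionary keyed by (user, role).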

21
X-GTRBAC - Motivations
  • Role-based access control model: many benefits
    over traditional access control models when
    applied to emerging applications
  • XML is a uniform platform for information
    interchange
  • Our goal: an XML RBAC extension
  • To provide an access control framework for
    Web-Services environments

22
X-GTRBAC - why XML?
  • XML - main benefits
  • Uniform, vendor-neutral representation of
    enterprise data
  • Mechanism for interchange of information across
    heterogeneous systems
  • Extensible syntax and semantics
  • Widespread support from main platforms and tool
    vendors

23
X-RBAC Language
  • Modeling RBAC elements
  • XML User Sheet (XUS): users
    - credential types (XML CredType Definition)
  • XML Role Sheet (XRS): roles
    - separation of duty (XML SoD Definition)
    - temporal constraints (XML TempConst Definition)
    - triggers (XML Trigger Definition)
  • XML Permission Sheet (XPS): permissions

24
X-RBAC Language
  • Policy Administration
  • User-to-Role Assignment
    XUS + XRS → XURAS
    XML User-to-Role Assignment Sheet (XURAS)
25
X-RBAC Language
  • Policy Administration
  • Permission-to-Role Assignment
    XPS + XRS → XPRAS
    XML Permission-to-Role Assignment Sheet (XPRAS)
26
XUS Grammar
  <!-- XML User Sheet -->
  <XUS>
    <!-- User Definitions -->
  </XUS>

  <!-- User Definitions -->
  <Users>
    <!-- User Definition -->
  </Users>

  <!-- User Definition -->
  <User user_id = (id)>
    <UserName> (name) </UserName>
    <!-- CredType -->
    <MaxRoles> (number) </MaxRoles>
  </User>

  <!-- CredType -->
  <CredType cred_type_id = (id)>
    <type_name> (name) </type_name>
    <!-- Credential Expression -->
  </CredType>

  <!-- Credential Expression -->
  <CredExpr>
    <(attribute name)> (attribute value) </(attribute name)>
  </CredExpr>
27
An XML instance of XUS
  <XUS>
    <User user_id="j1">
      <UserName>John</UserName>
      <CredType cred_type_id="C100">
        <type_name>Nurse</type_name>
        <CredExpr>
          <age> 30 </age>
          <field> ophthalmology </field>
          <level> 5 </level>
          <status> single </status>
        </CredExpr>
      </CredType>
      <MaxRoles>2</MaxRoles>
    </User>
    <User> ... </User>
    ...
  </XUS>
28
XRS Grammar
  <!-- XML Role Sheet -->
  <XRS xrs_id = (id)>
    <!-- Role Definitions -->
  </XRS>

  <!-- Role Definitions -->
  <Roles>
    <Role role_id = (id)>
      <RoleName> (role name) </RoleName>
      <!-- En/Disabling Constraint -->
      <!-- De/Activation Constraint -->
      <SSDRoleSetID> (id) </SSDRoleSetID>
      <DSDRoleSetID> (id) </DSDRoleSetID>
      <Junior> (name) </Junior>
      <Senior> (name) </Senior>
      <Cardinality> (number) </Cardinality>
    </Role>
    <Role> .. </Role>
    ..
  </Roles>
29
An XML instance of XRS
  <XRS>
    <Roles>
      <Role role_id="R100">
        <RoleName> Nurse </RoleName>
        <Senior> Eye_Doctor </Senior>
        <Cardinality> 8 </Cardinality>
      </Role>
      <Role role_id="R200">
        <RoleName> Eye_Doctor </RoleName>
        <DSDRoleSetID> DSD1 </DSDRoleSetID>
        <Junior> Nurse </Junior>
        <Senior> Eye_Surgeon </Senior>
        <Cardinality> 6 </Cardinality>
      </Role>
    </Roles>
  </XRS>
30
XPS Grammar
  <!-- XML Permission Sheet -->
  <XPS xps_id = (id)>
    <!-- Permission Definitions -->
  </XPS>

  <!-- Permission Definitions -->
  <Permission perm_id = (id) prop = (prop op)>
    <Object type = (type name) id = (id) />
    <Operation> (access op) </Operation>
  </Permission>
31
An XML instance of XPS
  <XPS>
    <Permission perm_id="P1">
      <Object type="Schema" id="XS101" />
      <Operation> all </Operation>
    </Permission>
    <Permission perm_id="P2">
      <Object type="Instance" id="XI100" />
      <Operation> all </Operation>
    </Permission>
    <Permission perm_id="P3">
      <Object type="Element" id="XE100" />
      <Operation> navigate </Operation>
    </Permission>
  </XPS>
32
Example of XURAS
  <XURAS>
    <URA ura_id="URA1">
      <RoleName> Eye_Doctor </RoleName>
      <Users>
        <User user_id="s1" />
        <User user_id="s2" />
      </Users>
      <CredConditions>
        <CredCondition>
          <CredType> Doctor </CredType>
          <LogicalExpr op="AND">
            <Predicate>
              <operator> eq </operator>
              <name_param> field </name_param>
              <value_param> Eye </value_param>
            </Predicate>
            <Predicate>
              <LogicalExpr op="OR">
                <Predicate>
                  <operator> lt </operator>
                  <name_param> age </name_param>
                  <value_param> 60 </value_param>
                </Predicate>
                <Predicate>
                  <operator> gt </operator>
                  <name_param> level </name_param>
                  <value_param> 7 </value_param>
                </Predicate>
              </LogicalExpr>
            </Predicate>
          </LogicalExpr>
        </CredCondition>
      </CredConditions>
    </URA>
  </XURAS>
33
Example of XPRAS
  <XPRAS>
    <PRA pra_id="PRA1">
      <RoleName> Nurse </RoleName>
      <Permissions>
        <perm_id> P3 </perm_id>
      </Permissions>
    </PRA>
    <PRA pra_id="PRA2">
      <RoleName> Eye_Doctor </RoleName>
      <Permissions>
        <perm_id> P1 </perm_id>
        <perm_id> P2 </perm_id>
      </Permissions>
    </PRA>
  </XPRAS>
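Evaluating the sheets of slides 27 to 33 against a user, as an added example written for this page, not X-GTRBAC's own engine. The three documents are constructed from the slide instances (the users Mary and Sue, their credentials and the explicit Users entry for s1 are additions), and the evaluation rules are assumptions: a user qualifies for a URA's role if listed under Users or if a CredCondition with a matching CredType is satisfied, an attribute missing from the credential or a value that cannot be compared fails closed, and, following slide 16, a request is authorized only when the user may play the role and the role is enabled at request time (the enabled set is supplied by the caller, for instance by the temporal engine):

```python
"""Evaluating X-GTRBAC policy sheets (XUS, XURAS, XPRAS) with the standard
library XML parser.  Added illustration for this page, not X-GTRBAC's own
engine; the sheets are constructed from the slide examples and the
evaluation rules are assumptions."""
import operator
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

XUS = """<XUS>
 <User user_id="j1"><UserName>John</UserName><MaxRoles>2</MaxRoles>
  <CredType cred_type_id="C100"><type_name>Doctor</type_name>
   <CredExpr><age>30</age><field>Eye</field><level>5</level></CredExpr></CredType></User>
 <User user_id="m1"><UserName>Mary</UserName><MaxRoles>1</MaxRoles>
  <CredType cred_type_id="C101"><type_name>Doctor</type_name>
   <CredExpr><age>65</age><field>Eye</field><level>6</level></CredExpr></CredType></User>
 <User user_id="s1"><UserName>Sue</UserName><MaxRoles>2</MaxRoles>
  <CredType cred_type_id="C102"><type_name>Nurse</type_name>
   <CredExpr><age>30</age><field>ophthalmology</field><level>5</level></CredExpr></CredType></User>
</XUS>"""
XURAS = """<XURAS>
 <URA ura_id="URA1"><RoleName>Eye_Doctor</RoleName>
  <Users><User user_id="s1"/></Users>
  <CredConditions><CredCondition><CredType>Doctor</CredType>
   <LogicalExpr op="AND">
    <Predicate><operator>eq</operator><name_param>field</name_param><value_param>Eye</value_param></Predicate>
    <Predicate><LogicalExpr op="OR">
     <Predicate><operator>lt</operator><name_param>age</name_param><value_param>60</value_param></Predicate>
     <Predicate><operator>gt</operator><name_param>level</name_param><value_param>7</value_param></Predicate>
    </LogicalExpr></Predicate>
   </LogicalExpr></CredCondition></CredConditions></URA>
</XURAS>"""
XPRAS = """<XPRAS>
 <PRA pra_id="PRA1"><RoleName>Nurse</RoleName><Permissions><perm_id>P3</perm_id></Permissions></PRA>
 <PRA pra_id="PRA2"><RoleName>Eye_Doctor</RoleName>
  <Permissions><perm_id>P1</perm_id><perm_id>P2</perm_id></Permissions></PRA>
</XPRAS>"""
OPS = {"eq": operator.eq, "lt": operator.lt, "gt": operator.gt}

def _value(text):
    text = (text or "").strip()                    # numeric-looking values compare as numbers
    return int(text) if text.lstrip("-").isdigit() else text

def eval_predicate(pred, attrs: Dict[str, object]) -> bool:
    nested = pred.find("LogicalExpr")              # a Predicate may wrap a nested LogicalExpr
    if nested is not None:
        return eval_logical(nested, attrs)
    op = pred.findtext("operator", "").strip()
    name = pred.findtext("name_param", "").strip()
    if op not in OPS:
        raise ValueError(f"unsupported operator {op!r}")
    if name not in attrs:                           # attribute absent from the credential: fail closed
        return False
    try:
        return OPS[op](attrs[name], _value(pred.findtext("value_param")))
    except TypeError:                               # text compared with a number: fail closed
        return False

def eval_logical(expr, attrs) -> bool:
    results = [eval_predicate(p, attrs) for p in expr.findall("Predicate")]
    return all(results) if expr.get("op", "AND").upper() == "AND" else any(results)

def load_users(xus_xml: str) -> Dict[str, dict]:
    users = {}
    for u in ET.fromstring(xus_xml).findall("User"):
        ct = u.find("CredType")
        users[u.get("user_id")] = {"cred_type": ct.findtext("type_name", "").strip(),
                                   "attrs": {c.tag: _value(c.text) for c in ct.find("CredExpr")}}
    return users

def eligible_roles(user_id: str, user: dict, xuras_xml: str) -> List[str]:
    """Roles whose URA names the user explicitly or whose credential conditions the user satisfies."""
    roles = []
    for ura in ET.fromstring(xuras_xml).findall("URA"):
        listed = {u.get("user_id") for u in ura.findall("Users/User")}
        conds = ura.findall("CredConditions/CredCondition")
        by_cred = any(c.findtext("CredType", "").strip() == user["cred_type"]
                      and eval_logical(c.find("LogicalExpr"), user["attrs"]) for c in conds)
        if user_id in listed or by_cred:
            roles.append(ura.findtext("RoleName", "").strip())
    return roles

def permissions_for(roles: Set[str], xpras_xml: str) -> Set[str]:
    perms: Set[str] = set()
    for pra in ET.fromstring(xpras_xml).findall("PRA"):
        if pra.findtext("RoleName", "").strip() in roles:
            perms.update(p.text.strip() for p in pra.findall("Permissions/perm_id"))
    return perms

def authorize(user_id: str, role: str, enabled: Set[str], xus_xml: str = XUS, xuras_xml: str = XURAS) -> bool:
    """Slide 16: authorized iff the user may play the role and the role is enabled at request time."""
    users = load_users(xus_xml)
    if user_id not in users or role not in enabled:
        return False
    return role in eligible_roles(user_id, users[user_id], xuras_xml)
```

Mary fails the URA because neither disjunct of the nested OR holds for her credential (age 65, level 6), while Sue qualifies only through the explicit Users list; the permissions a granted role carries are then read from the XPRAS.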
34
X-RBAC System Architecture
  (architecture figure) Functional modules: Document Composition Module, Policy Loader, XML Parser, Policy Validation Module, RBAC Module and Authorization, grouped into an XML Processor and an RBAC Processor inside the X-RBAC Module. Data items: XML Policy Base, UR/PR DataSet, TRIG DataSet, Sessions DataSet, XML Sessions Log. Access requests and authorizations are exchanged as XML/SOAP; policy documents are handled as DOM trees.
35
On-going Work
  • Extension of the constraint language
  • Constraints on the set of roles a user can
    activate
  • Obligations and duties
  • Development of graphical tools for TRBAC
    administration
  • Testing on a healthcare information system