Constraint Generation for Separation of Duty

1
Constraint Generation for Separation of Duty

• Hong Chen Ninghui Li
• Department of Computer Science
• Purdue University

2
Overview

• Separation of Duty (SoD) is important in access
  control
• In Role-Based Access Control (RBAC)
• SoD objectives encoded by Static Separation of
  Duty (SSoD) policies
• SSoD policies often enforced by Statically
  Mutually Exclusive Role (SMER) constraints
• Study how to generate SMER constraints that
• Enforce a set of SSoD policies
• Are nice with respect to the role hierarchy
• Are the best choices

3
Outline

• Problem Definition
• Our Solution

4
Role-Based Access Control

• Components
• U (user set), P (permission set), R (roles set)
• PA ? P x R (permission assignment)
• RH ? R x R (role hierarchy)
• UA ? U x R (user assignment)

5
Static Separation of Duty Policy

• SSoD
• SSoD policy
• Any users should not acquire all
  permissions in
• an RBAC state is safe
  wrt. SSoD policy
• Example
• RBAC state is safewrt. the policy

6
Statically Mutual Exclusive Roles

• SMER
• t-m SMER constraint
• No single user can be a member of or more
  roles in an RBAC state
  satisfies a SMER constraint
• Example
• RBAC state satisfiesthe constraint

7
Use SMER to Enforce SSoD

• Results in On mutually-exclusive roles and
  separation of duty Li, Bizri, and Tripunitara,
  CCS 2004
• To check if an RBAC state is safe wrt. a set of
  SSoD policies is coNP-Complete
• To check if an RBAC state satisfies a set of SMER
  constraints is in P
• To verify whether a given set of SMER constraints
  enforce a set of SSoD policies is coNP-Complete

Generating SMER constraints from SSoD policies
seems promising
8
Generation Problem

• How to generate a set of SMER constraints to
  enforce an SSoD policy?

?
Enforce
9
Restrictiveness

• One constraint can be more restrictive than
  another Ex c1 is more restrictive than c2
• We prefer less restrictive constraints

10
Minimal Enforcement
Space of RBAC states
Unsafe RBAC states
11
Current Results Li et al. 04

• An algorithm to generate singleton sets of SMER
  constraints that minimally enforce the policies

12
Problem 1

• No consideration of interaction with the role
  hierarchy
• Compatibility
• Implementation compatible enforcement

13
Problem 2

• Singleton constraints are not enough

14
Our Objectives

• Generate sets of constraints that
• enforce a given set of SSoD policies
• are compatible with the existing role hierarchy
• are not more restrictive than any other
  constraint sets that also satisfy 1 2

15
Outline

• Problem Definition
• Our Solution

16
Our Contributions

• Define the notion that a set C of SMER
  constraints implements a set E of SSoD policies
• C enforces E and C is compatible with E
• Show how to check whether C is compatible with E
• Show that size-k1 SMER adds additional
  expressive power over size-k SMER
• Show how to compare the restrictiveness of
  constraint sets
• Give two algorithms for generating constraint sets

17
Constraint Generation

• An algorithm to generate all sets of SMER
  constraints that minimally implement a set of
  SSoD policies
• Algorithm
• C ?
• Repeatedly
• Find an user assignment UA which satisfies C but
  is not safe wrt. E
• Create a constraint c s.t. UA violates c (2 ways)
• Add c to C
• Until C implements E
• Return C

18
Example
Constraint set
19
Summary

• Enforce (implement) SSoD policies by SMER
  constraints
• Two problems in current solution
• Constraints not compatible with role hierarchy
• Only generate singleton constraints
• New algorithms
• Generate compatible constraints
• Generate all constraints that minimally implement
  the policies

20

• Thank you ?
• Questions?

21
Testcase 1
22
Testcase 2