Formalization of RBAC Policy with Object Class Hierarchy - PowerPoint PPT Presentation

1
Formalization of RBAC Policy with Object Class Hierarchy
  • Junghwa Chae
  • Nematollaah Shiri

2
Outline
  • Introduction
  • Overview of Different Models
  • Modified Role-Based Access Control Model
  • Description Logic and Reasoning
  • A Logic for Reasoning about Access Control
  • Example
  • Conclusion and Future Work

3
Introduction
  • Objective
  • The use of an additional hierarchical model,
    which allows objects to be grouped into
    classes in the context of role-based access
    control (RBAC)
  • Motivation
  • The number of objects is usually much larger than
    the number of users
  • The original RBAC model has a user-role hierarchy
    but no object hierarchy

4
Overview of the Different Models
  • Discretionary Policies
  • Identity of the user
  • Access Matrix

5
Overview of the Different Models
  • Mandatory Policies
  • Access Class
  • Security level: TS > S > C > UC
  • Set of categories: {Army, Nuclear, ...}
  • Control Information flow
  • Secrecy
  • Integrity

An example of security lattice, with access classes written as (level, categories), from the top element down:
  • (TS, {Army, Nuclear})
  • (S, {Army, Nuclear}), (TS, {Army}), (TS, {Nuclear})
  • (TS, {}), (S, {Nuclear}), (S, {Army})
  • (S, {})
6
Overview of the Different Models
  • Role-Based Access Control
  • Users are assigned to roles
  • Permissions are given to roles
  • Roles are associated with objects

Diagram: Users, Roles, Resources (Object 1, Object 2, Object 3)
7
Overview of the Different Models
Role-Based Access Control Model (diagram)
Components: Users (U), Roles (R), Permissions (P), Sessions (S), Constraints
  • UA: user assignment
  • PA: permission assignment
  • RH: role hierarchy
  • SU: mapping from sessions to users
  • SR: mapping from sessions to roles
8
Modified RBAC Model
Diagram: Users, Roles, Classes, Resources (Class 1, Class 2, Class 3)
9
Modified RBAC Model
Modified RBAC model (diagram)
Components: Users (U), Roles (R), Classes (C), Objects (O), Sessions (S), Constraints
  • UA: user assignment
  • PA: permission assignment
  • RH: role hierarchy
  • OA: object assignment (classification of objects into classes)
  • CH: class hierarchy
  • SU: mapping from sessions to users
  • SR: mapping from sessions to roles
10
Introduction to DL
Architecture of a knowledge representation system based on description logics (diagram): a domain of interest (individuals, concepts, roles) is expressed in the description language; the knowledge base (KB) consists of a TBox and an ABox, over which reasoning is performed; application programs and rules interact with the KB.
11
Formalization of RBAC with DL
  • atomic concepts User, Role, Class, Object, and Session
  • atomic concept R for each role r, r ∈ Roles
  • atomic concept C for each class c, c ∈ Classes
  • atomic roles assign, classify, activate
  • atomic roles canRead, canWrite, canExecute
  • atomic roles authorizeRead, authorizeWrite, authorizeExecute
TBox (axioms)
  • Role inclusion axioms
  • Class inclusion axioms
  • Permission assignment axioms
  • Authorization axioms
ABox (assertions)
  • Role concept assertions
  • User concept assertions
  • Class concept assertions
  • Session concept assertions
  • User role assignment assertions
  • Object class classification assertions
  • Session creation assertions
  • Role activation assertions
12
Formalization of RBAC with DL
Permission Assignment
Authorization Axiom
13
Reasoning Procedures: ALC Tableaux Rules
14
Example RBAC Policies in DL
Roles:
  • System-admin
  • Manager
  • OS-developer
  • Local-client
  • Remote-client
15
Example RBAC Policies in DL
16
Example RBAC Policies in DL
17
Reasoning Based on Tableaux
  • User assignment
  • Object classification
  • User request
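As an added example (not the authors' code), the modified RBAC model of slides 9 and 11 run as a permission check that follows the three steps of slide 17: user assignment, object classification, user request. The policy, the hierarchy among System-admin, Manager, OS-developer, Local-client and Remote-client, and the classes File, Source, Config and Program are constructed assumptions, not taken from the slides.

```python
def closure(start, edges):
    """Nodes reachable from `start` (inclusive) in a hierarchy map node -> parents."""
    seen, stack = set(), list(start)
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(edges.get(node, ()))
    return seen


class ClassRBAC:
    """UA, RH, PA, OA, CH as on slide 9, with permissions granted on classes."""

    def __init__(self, UA, RH, PA, OA, CH):
        self.UA = UA  # user -> set of assigned roles
        self.RH = RH  # senior role -> junior roles whose permissions it inherits
        self.PA = PA  # role -> set of (operation, class)
        self.OA = OA  # object -> class it is classified into
        self.CH = CH  # class -> superclasses; a permission on a superclass covers it

    def authorize(self, user, op, obj, active=None):
        """True iff a role of `user` (all assigned roles, or only the session's
        `active` roles) grants `op` on some class that `obj` belongs to."""
        assigned = closure(self.UA.get(user, ()), self.RH)
        roles = assigned if active is None else closure(active, self.RH)
        if not roles <= assigned:  # a session may not activate unassigned roles
            raise ValueError(f"{user} may not activate {roles - assigned}")
        classes = closure([self.OA[obj]], self.CH)  # object classification
        return any((op, c) in self.PA.get(r, ()) for r in roles for c in classes)


# Constructed sample policy (assumption): role and class hierarchies are not from the slides.
POLICY = ClassRBAC(
    UA={"Ann": {"OS-developer"}, "Bob": {"Remote-client"}, "Carl": {"Manager"}},
    RH={"System-admin": {"OS-developer", "Manager"},
        "OS-developer": {"Local-client"}, "Manager": {"Local-client"}},
    PA={"Local-client": {("read", "File")},
        "Remote-client": {("read", "Program")},
        "OS-developer": {("write", "Source"), ("execute", "Program")}},
    OA={"File 2": "Source", "File 3": "Config", "Program 1": "Program"},
    CH={"Source": {"File"}, "Config": {"File"}},
)

if __name__ == "__main__":
    for req in [("Ann", "write", "File 2"), ("Bob", "read", "File 2"),
                ("Carl", "read", "File 3")]:
        print(req, "->", POLICY.authorize(*req))
```

Ann reads File 2 through the inherited Local-client permission on the superclass File; restricting her session to Local-client alone removes the write right, which is the least-privilege effect of role activation.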
20
Conclusion and Future Work
Conclusion
  • Classified objects into groups
  • Organized class hierarchies
  • Formalized using description logic
  • Reasoning about access control policy via
    tableaux
  • Simplified security management
  • Provided greater control and flexibility

Future Work
  • Formalization of constraints