An RBAC-Based Policy Information Base - PowerPoint PPT Presentation
Transcript and Presenter's Notes
1
An RBAC-Based Policy Information Base
PUC-PR Pontifícia Universidade Católica do
Paraná
CELEPAR Companhia de Informática do Paraná
Timothy Edwin Squair, Edgard Jamhour, Ricardo C.
Nabhen
  • Brazil

2
Objective
  • Presents a framework for representing and
    distributing access control policies in
    distributed, heterogeneous systems
  • Access control policies are based on the RBAC (Role
    Based Access Control) model proposed by NIST
  • The framework is based on the provisioning (PDP/PEP)
    strategy defined by the IETF (Internet Engineering
    Task Force)
  • The RBAC information is represented by a PIB (Policy
    Information Base)
  • Distributed to the enforcement elements using COPS-PR

3
Summary
  • Provisioning Framework
  • RBAC Policy Information Model (RBPIM)
  • RBAC Policy Information Base (RBAC-PIB)
  • Evaluation
  • Conclusion and Future Works

4
RBAC Provisioning Framework
  • Client/server approach
  • Server (Policy Server)
      • Responsible for interpreting and distributing the
        policy information to the policy clients
  • Client
      • A PEP, a component of the client, is responsible for
        communicating with the PDP and installing the
        configuration into the device
      • Communication between the PEP and the PDP is
        implemented by the standard COPS-PR protocol
  • LDAP Server (Policy Repository)
      • Stores policy and CIM information

5
RBAC Provisioning Framework
6
Framework Approach
  • The RBAC-PIB is interpreted by an API for applications
      • Responsible for serving a large number of clients
      • In our implementation the server application
        communicates with the RBAC framework through an
        RBAC-based API
  • The RBAC-PIB is translated into configuration commands
    for systems or network devices
      • Uses a gateway for translation
          • SNMPv3
          • CLI

7
Implementation Framework
8
Adopted Framework
9
Provisioning Approach Main Elements
  • A device-independent Policy Information Model for
    representing policies that can be reused among
    different devices
  • A Policy Information Base (PIB), which represents
    the policy assigned to a specific device
  • A protocol (COPS-PR) specially designed for
    supporting policy provisioning using the PIB
    structure

10
NIST RBAC Model
11
RBAC Policy Information Model (RBPIM)
12
RBACRole
If the conditions imposed on the user's attributes
are satisfied, then the role and its corresponding
permissions can be assigned to the user
13
RBACPermission
If the conditions imposed on the object's attributes
are satisfied, then the operation can be performed
on the object
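Slides 12 and 13 describe the two RBPIM rule types: a role is assigned when conditions on the user's attributes hold, and an operation is permitted when conditions on the object's attributes hold. The following is an added example, not code from the presentation or its authors, that evaluates both rule types over a small policy; the attribute names, roles and conditions are constructed for illustration, and the evaluation is deny-by-default.

```python
# Added example (not from the presentation): evaluating RBPIM-style rules.
# RBACRole: assigned when every condition on the user's attributes holds.
# RBACPermission: operation allowed when every condition on the object's
# attributes holds. Attribute names and sample policy are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

Attrs = Dict[str, object]
Condition = Callable[[Attrs], bool]


@dataclass
class RBACPermission:
    operation: str
    object_conditions: List[Condition]   # all must hold on the object's attributes


@dataclass
class RBACRole:
    name: str
    user_conditions: List[Condition]     # all must hold on the user's attributes
    permissions: List[RBACPermission] = field(default_factory=list)


def assignable_roles(user: Attrs, roles: List[RBACRole]) -> Set[str]:
    """Names of the roles whose user-attribute conditions the user satisfies."""
    return {r.name for r in roles if all(c(user) for c in r.user_conditions)}


def is_permitted(user: Attrs, op: str, obj: Attrs, roles: List[RBACRole]) -> bool:
    """Deny by default: True only if some assignable role carries a permission
    for `op` whose object-attribute conditions the object satisfies."""
    active = assignable_roles(user, roles)
    for role in roles:
        if role.name not in active:
            continue
        for perm in role.permissions:
            if perm.operation == op and all(c(obj) for c in perm.object_conditions):
                return True
    return False


# Constructed sample policy (hypothetical roles and attributes)
ROLES = [
    RBACRole("Auditor",
             [lambda u: u.get("department") == "finance",
              lambda u: u.get("clearance", 0) >= 2],
             [RBACPermission("read", [lambda o: o.get("type") == "ledger"])]),
    RBACRole("Operator",
             [lambda u: u.get("department") == "netops"],
             [RBACPermission("write", [lambda o: o.get("type") == "router-config",
                                       lambda o: o.get("site") == "branch"])]),
]

if __name__ == "__main__":
    ana = {"department": "finance", "clearance": 3}
    print(assignable_roles(ana, ROLES))
    print(is_permitted(ana, "read", {"type": "ledger"}, ROLES))
```

Both rule types are conjunctions of predicates, which keeps the PDP's decision auditable: a denied request can be explained by naming the first failing condition on either the user or the object.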
14
RBAC-PIB
  • RBAC-PIB stands for Role Based Access Control
    Policy Information Base
  • Based on the Framework PIB definitions (RFC 3318)
  • Represents the information transferred from the PDP
    to the PEP in the provisioning process
  • Currently implemented in XML (eXtensible Markup
    Language)
  • An OID (Object IDentifier) attribute is assigned to
    branches defined according to RFC 3159
  • OID prefix 1.3.6.1.2.2.2: Framework PIB
    definition
  • OID prefix 1.3.6.1.2.2.2.6: RBAC group extensions

15
RBAC-PIB Structure
16
Structural Association Classes Mapping
17
RBAC-PIB UserAssignment (UA)
  • Associates users to roles (OID 1.3.6.1.2.2.6.1)
  • Table Users
      • Represents user characteristics
  • Table Roles
      • Represents RBAC roles
  • Table UserRoles
      • Associates users to roles by pointers
  • Table RoleTimeFilter
      • Associates roles to time filters by pointers

18
RBAC-PIB UserAssignment (UA)
19
RBAC-PIB PermissionAssignment (PA)
  • Associates roles to permissions
    (OID 1.3.6.1.2.2.6.2)
  • Table Objects
      • Represents the controlled objects
  • Table Permissions
      • Defines permissions by mapping an operation to an
        object
  • Table RolePermissions
      • Associates roles to permissions by pointers
  • Table PermissionsIPHeaderFilter
      • Associates permissions to IP filters by pointers
  • Table PermissionsTimeFilter
      • Associates permissions to time filters by pointers

20
RBAC-PIB PermissionAssignment (PA)
21
RBAC-PIB SeparationOfDuty (DSD)
  • Represents sets of Separation of Duty elements
    (OID 1.3.6.1.2.2.6.3)
  • Table DSD
      • Defines the DSD cardinality
  • Table DSDEntries
      • Defines the roles constrained by the DSD
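The UA and DSD groups described above are tables whose rows reference each other by pointers. The following is an added example, not the authors' implementation, that models the Users, Roles, UserRoles, DSD and DSDEntries tables as pointer-linked rows and enforces the DSD cardinality when a user activates roles. It uses the group OIDs quoted on the slides for the UA and DSD groups; the table sub-identifiers, instance indexes, user names and role names are constructed assumptions. The DSD semantics follow the NIST model: a DSD set with cardinality n means no session may hold n or more roles from that set.

```python
# Added example (not from the presentation): RBAC-PIB tables linked by
# pointers (PRIDs) with a Dynamic Separation of Duty check on activation.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

UA_OID = "1.3.6.1.2.2.6.1"    # UserAssignment group OID quoted on the slides
DSD_OID = "1.3.6.1.2.2.6.3"   # SeparationOfDuty group OID quoted on the slides


def prid(group_oid: str, table: int, index: int) -> str:
    """Policy Rule Instance ID: group OID, table sub-id, instance index.
    Table sub-ids and indexes used here are constructed, not RFC values."""
    return f"{group_oid}.{table}.{index}"


# Constructed instance identifiers (hypothetical users, roles and DSD set)
ALICE = prid(UA_OID, 1, 1)
BOB = prid(UA_OID, 1, 2)
ROLE_REQUESTER = prid(UA_OID, 2, 1)
ROLE_APPROVER = prid(UA_OID, 2, 2)
ROLE_AUDITOR = prid(UA_OID, 2, 3)
DSD_FOUR_EYES = prid(DSD_OID, 1, 1)


@dataclass
class RbacPib:
    users: Dict[str, str] = field(default_factory=dict)                # Users: prid -> name
    roles: Dict[str, str] = field(default_factory=dict)                # Roles: prid -> name
    user_roles: List[Tuple[str, str]] = field(default_factory=list)    # UserRoles: (user, role)
    dsd: Dict[str, int] = field(default_factory=dict)                  # DSD: prid -> cardinality n
    dsd_entries: List[Tuple[str, str]] = field(default_factory=list)   # DSDEntries: (dsd, role)

    def roles_of(self, user_prid: str) -> Set[str]:
        """Follow UserRoles pointers from a Users row to its Roles rows."""
        return {r for u, r in self.user_roles if u == user_prid}

    def dsd_violation(self, active: Set[str]) -> Optional[str]:
        """PRID of the first DSD set that `active` would violate, else None.
        NIST DSD (rs, n): no session may hold n or more roles from rs."""
        for dsd_prid, n in self.dsd.items():
            members = {r for d, r in self.dsd_entries if d == dsd_prid}
            if len(active & members) >= n:
                return dsd_prid
        return None

    def activate(self, user_prid: str, requested: Set[str]) -> Set[str]:
        """Session role activation: roles must be assigned and DSD must hold."""
        if not requested <= self.roles_of(user_prid):
            raise PermissionError("requested role is not assigned to the user")
        violated = self.dsd_violation(requested)
        if violated is not None:
            raise PermissionError(f"DSD constraint {violated} violated")
        return requested


def build_sample_pib() -> RbacPib:
    """Constructed sample PIB: alice holds three roles, bob holds one;
    requester and approver may not be active together (cardinality 2)."""
    pib = RbacPib()
    pib.users = {ALICE: "alice", BOB: "bob"}
    pib.roles = {ROLE_REQUESTER: "requester", ROLE_APPROVER: "approver",
                 ROLE_AUDITOR: "auditor"}
    pib.user_roles = [(ALICE, ROLE_REQUESTER), (ALICE, ROLE_APPROVER),
                      (ALICE, ROLE_AUDITOR), (BOB, ROLE_REQUESTER)]
    pib.dsd = {DSD_FOUR_EYES: 2}
    pib.dsd_entries = [(DSD_FOUR_EYES, ROLE_REQUESTER), (DSD_FOUR_EYES, ROLE_APPROVER)]
    return pib


if __name__ == "__main__":
    pib = build_sample_pib()
    print(pib.activate(ALICE, {ROLE_REQUESTER, ROLE_AUDITOR}))
```

Because the DSD check runs against the session's requested set rather than the user's full assignment, a user may legitimately be assigned both conflicting roles and still be prevented from using them in the same session, which is exactly the dynamic (as opposed to static) form of separation of duty.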

22
RBAC-PIB SeparationOfDuty (DSD)
23
RBAC-PIB RBACCapabilities
  • Contains the elements pointed to by the
    CapabilitiesSet from the Framework PIB
    (OID 1.3.6.1.2.2.6.5)
  • RbacCoreCaps
      • A mandatory capability that defines support for
        the basic access control functionality defined
        by NIST
  • RbacDSDCaps
      • Defines support for Dynamic Separation of Duty
        constraints
  • RbacIPFilterCaps and RbacTimeFiltersCaps
      • Define support for network and time constraints
        imposed on RBAC permissions and on role activation
  • RbacUAIncrementalUploadCaps
      • Defines an optional framework feature and
        corresponds to the device's capacity to accept
        incremental uploads of User Assignment objects
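The capabilities above let the PDP tailor what it sends to each PEP. The following is an added example, not the authors' code, of a PDP-side step that selects which RBAC-PIB groups and tables to provision from the capability set a PEP reported, refuses PEPs that lack the mandatory RbacCoreCaps, and renders the result as XML with OID attributes (the slides say the PIB is implemented in XML). The capability and group names and the group OIDs are those on the slides; the mapping of individual tables to capabilities and the XML element layout are constructed assumptions.

```python
# Added example (not from the presentation): capability-driven selection of
# RBAC-PIB groups before provisioning, rendered as XML with OID attributes.
from typing import Dict, List, Set
import xml.etree.ElementTree as ET

CORE = "RbacCoreCaps"
DSD = "RbacDSDCaps"
IPF = "RbacIPFilterCaps"
TIME = "RbacTimeFiltersCaps"
INCR = "RbacUAIncrementalUploadCaps"

# Group OIDs are quoted on the slides; which capability unlocks each table is
# an assumption made for this example.
GROUPS = {
    "UserAssignment": ("1.3.6.1.2.2.6.1", {
        "Users": CORE, "Roles": CORE, "UserRoles": CORE,
        "RoleTimeFilter": TIME}),
    "PermissionAssignment": ("1.3.6.1.2.2.6.2", {
        "Objects": CORE, "Permissions": CORE, "RolePermissions": CORE,
        "PermissionsIPHeaderFilter": IPF, "PermissionsTimeFilter": TIME}),
    "SeparationOfDuty": ("1.3.6.1.2.2.6.3", {
        "DSD": DSD, "DSDEntries": DSD}),
}


def plan_provisioning(pep_caps: Set[str]) -> Dict[str, List[str]]:
    """Tables to install per group, given the capabilities the PEP reported.
    A PEP without the mandatory core capability is refused outright."""
    if CORE not in pep_caps:
        raise ValueError("PEP lacks mandatory RbacCoreCaps; refusing to provision")
    plan: Dict[str, List[str]] = {}
    for group, (_, tables) in GROUPS.items():
        chosen = [t for t, cap in tables.items() if cap in pep_caps]
        if chosen:
            plan[group] = chosen
    return plan


def ua_update_mode(pep_caps: Set[str]) -> str:
    """Incremental UA uploads only when the PEP advertised support; otherwise
    the PDP must replace the whole User Assignment group on every change."""
    return "incremental" if INCR in pep_caps else "full-replace"


def to_xml(plan: Dict[str, List[str]]) -> str:
    """Render the selected groups/tables as XML, tagging groups with their OID."""
    root = ET.Element("rbacPib")
    for group, tables in plan.items():
        node = ET.SubElement(root, group, oid=GROUPS[group][0])
        for table in tables:
            ET.SubElement(node, table)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    caps = {CORE, DSD}   # constructed capability report from a hypothetical PEP
    print(ua_update_mode(caps))
    print(to_xml(plan_provisioning(caps)))
```

Refusing a PEP that does not report RbacCoreCaps, rather than silently sending a subset, matters for safety: a device that cannot enforce the core model would otherwise receive a policy it can only partially apply, and the PDP would have no record that enforcement is incomplete.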

24
RBAC-PIB RbacCapabilities
25
RBAC-PIB Evaluation
26
Provisioning Sequence
27
RBAC-PIB Evaluation
28
Provisioning x Outsourcing
29
Conclusion and Future Works
  • Specialized PIBs can be easily created by
    extending the Framework PIB
  • The Capabilities concept is very useful for
    creating policies for heterogeneous systems and
    for deploying a complex model like RBAC (with
    many optional features)
  • The COPS-PR protocol has been equally useful
    for developing a method for installing and
    updating the RBAC configuration without
    overloading the device or application with
    unnecessary configuration
  • Future work includes extending the provisioning
    approach to other access control languages, and
    building an SNMPv3 gateway for the RBAC-PIB

30
Thanks! E-mail: timothy@celepar.pr.gov.br, timothy@ppgia.pucpr.br