| Title: | Architectures and Models for Administration of User-Role Assignment in Role Based Access Control |
| Author(s): | Bhamidipati, Venkata Ramana Murthy |
| Keywords: | role-based access control; authorization management; role administration; access control |
| Issue Date: | 18-Dec-2008 |
| URI: | http://hdl.handle.net/1920/3357 |
| Appears in Collections: | The Volgenau School of Information Technology and Engineering |

Abstract:

In role based access control (RBAC) systems, permissions are associated with roles, and users are made members of appropriate roles, thereby acquiring the roles' permissions. This greatly simplifies management of permissions. Roles are created for the various job functions in an organization, and users are assigned roles based on their responsibilities and qualifications. Users can be easily reassigned from one role to another. Roles can be granted new permissions as new applications and systems are incorporated, and permissions can be revoked from roles as needed. Role-role relationships can be established to lay out broad policy objectives. The principal motivation of RBAC is to simplify administration. In large organizations the number of roles can be in the hundreds or thousands, and the number of users can be in the tens or hundreds of thousands, maybe even millions. To be effective, management and administration of RBAC in such systems need some form of decentralization and automation without losing central control over broad policy. An appealing possibility is to use RBAC to manage itself. Our work proposes models that allow for decentralization and automation of user-role assignment.

In this dissertation we identify architectures and models for decentralized administration of user-role assignment. Our work is performed in the context of the OM-AM layered models framework. OM-AM stands for objectives, models, architectures and mechanisms. The OM layer addresses security requirements and trade-offs; essentially it represents "what" needs to be achieved. The AM layer articulates "how" to meet the specified requirements. In this dissertation we use the terms architecture and models as they relate to the OM-AM framework. Initially we focus our work on user-role assignment in a centralized system. Then we concentrate on the user-role relationship as it pertains to distributed systems. Finally we look at how self-service and automation can be achieved in user-role assignment.

We propose a model called URA97 for user-role assignment. This model provides the semantics for granting and revoking roles from users in a centralized system. URA97 achieves assignment and revocation of users to and from roles by means of simple and intuitive relations named can-assign and can-revoke. In URA97, grant and revoke operations are performed by administrators assigned to administrative roles.

We explore some of the possible architectures in a distributed environment. These depend on how the resources, data and users are distributed and how they interact in a distributed environment. We then develop a push-based model for user-role assignment, which deals with two operations: assignment of users to roles and revocation of roles from users.

URA97 was developed in the context of the RBAC96 model, during the early stages of RBAC96 when it was still an academic discipline. Since then RBAC96 has received strong support from the research and practitioner communities and today is widely practiced as the preferred form of access control. It is becoming clear that relying on manual intervention in all aspects of RBAC administration is cumbersome. Concurrently, access control has started adopting emerging concepts like usage control, rate limits and accountability. To this effect we propose five founding principles for next-generation RBAC, summarized as ASCAA for Abstraction, Separation, Containment, Automation and Accountability.

Finally we develop a framework for self-service-based RBAC called SSRBAC08, based on the ASCAA principles. SSRBAC08 is a modified version of the RBAC96 model. The primary goal of SSRBAC08, as it pertains to our dissertation work, is to show how the automation, containment and accountability aspects can be achieved in user-role assignment.