WUJNS Vol. 11 No. 1 2006, 185-187
Wuhan University Journal of Natural Sciences
Article ID: 1007-1202(2006)01-0185-03
Least Privileges and Role's Inheritance of RBAC

HAN Lan-sheng 1, HONG Fan 1†, Asiedu Baffour Kojo 2

1. College of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan 430074, Hubei, China; 2. Computer Science and Technology Department, School of Computer Science and Engineering, Kumasi (P. O. Box 3327), Ghana
Abstract: The main advantages of role-based access control (RBAC) are its ability to support the well-known security principles and roles' inheritance. But because there is still no specific definition and the necessary formalization for RBAC, it is hard to realize RBAC in practical work. Our contribution here is to formalize the main relations of RBAC and to take the first step of proposing the concepts of action closure and data closure of a role, based on which we obtain the specification and an algorithm for the least privileges of a role. We propose that roles' inheritance should consist of inheritance of actions and inheritance of data, from which we obtain the inheritance of privileges among roles, which can also be supported by existing development tools.

Key words: role-based access control; least privileges; role's inheritance
CLC number: TP 309.5

Received date: 2005-03-31
Foundation item: Supported by the National Natural Science Foundation of China (60403027).
Biography: HAN Lan-sheng (1972-), male, Ph.D. candidate, research direction: information security. E-mail: hanlansheng@hotmail.com
† To whom correspondence should be addressed. E-mail: xxyul@public.wh.hb.cn
Introduction
Role-based access control (RBAC) has been considered as an alternative and supplement to the traditional discretionary and mandatory access controls (DAC and MAC). In RBAC, permissions are associated with roles, and users are made members of appropriate roles, thereby acquiring the roles' permissions [1-4]. Unfortunately, since there is still no specific definition and the necessary formalization for RBAC [5], the well-known security principles and the inheritance of roles cannot really be put into practice. Therefore, some RBAC systems have to take many constraints as indispensable components of RBAC [6,7]. These constraints are not logically put together, which would probably be a new threat to the stability of RBAC.

Least privileges, data abstraction and inheritance of roles are considered the three key issues of role-based access control. Least privileges means that the roles of RBAC can be configured so that they hold only those permissions required for the tasks of the roles. Data abstraction means that RBAC supports abstract privileges, such as credit and debit for an account object, besides the typical privileges provided by the operating system. Inheritance of roles means that an advanced role can inherit the privileges of a general role. From the above rough concepts, we can see that privilege is the key concept and role is the focus of our concerns. If privileges and roles are well defined, the definitions themselves can embody the data abstraction principle. This will make it easier to seek the least privileges of a role and to realize the inheritance of roles. In practice, task is the basis on which we set out our analysis.
1 Sets and Main Relations of RBAC
Definition 1 ① In a system, we denote $T = \{t_1, t_2, \dots, t_n\}$ as the set of tasks, $A = \{a_1, a_2, \dots, a_m\}$ as the set of actions, such as methods, operations or processes, by which a task can be done, $D = \{d_1, d_2, \dots, d_k\}$ as the set of data which are the objects of the actions in $A$, and $U = \{u_1, u_2, \dots, u_l\}$ as the set of users who are the sponsors of the actions. ② $R = \{r_1, r_2, \dots, r_p\} \subseteq P(T) \times P(A) \times P(D) \times P(U)$ is the set of roles in the system, where $P(T)$, $P(A)$, $P(D)$ and $P(U)$ are the power sets of $T$, $A$, $D$ and $U$ respectively. An element $r_i = (T_i, A_i, D_i, U_i)$ is a set of users $U_i$ who can use the actions $A_i$ to visit or operate on the data $D_i$ in order to finish the tasks $T_i$. ③ $Q = \{q_1, q_2, \dots, q_s\} \subseteq A \times D$ is the set of privileges in the system; an element $q_i = (a_j, d_k)$ is an ordered pair of an action and a datum. ④ Let $r_i^A \in P(A)$, $r_i^D \in P(D)$ and $r_i^T \in P(T)$ be the set of actions, the set of data and the set of tasks of role $r_i$ respectively. ⑤ Let $T_j(D_i)$ denote the proposition that the data set $D_i$ required by task $T_j$ is present: if $T_j(D_i) = 1$, we say $D_i$ is enough for $T_j$ to be finished; if $T_j(D_i) = 0$, we say $D_i$ is not enough for $T_j$ to be finished. ⑥ Likewise, let $T_j(A_i)$ denote the proposition that the action set $A_i$ required by task $T_j$ is present: if $T_j(A_i) = 1$, we say $A_i$ is enough for $T_j$ to be finished; if $T_j(A_i) = 0$, we say $A_i$ is not enough for $T_j$ to be finished.
2 Least Privileges of Roles
2.1 Action Closure, Data Closure and Least Privileges of a Role in RBAC

In the traditional way, software programmers usually provide users with more modules than necessary to ensure that the tasks can be done, without considering whether those modules are necessary, or even whether they are a threat to security. Therefore we propose the action closure and the data closure of a role.

Definition 2 ① Suppose in $r_i$, $T_i \in P(T)$ and $A_i \in P(A)$. If $T_i(A_i) = 1$ and, for all $A_j \in P(A)$, whenever $T_i(A_j) = 1$ there is $A_i \subseteq A_j$, then we say $A_i$ is the action closure of $T_i$, denoted by $A(T_i)$. ② Suppose in $r_i$, $T_i \in P(T)$ and $D_i \in P(D)$. If $T_i(D_i) = 1$ and, for all $D_j \in P(D)$, whenever $T_i(D_j) = 1$ there is $D_i \subseteq D_j$, then we say $D_i$ is the data closure of $T_i$, denoted by $D(T_i)$.

From the definition we get the following properties of the action closure and data closure of a role.

Theorem 1 Suppose in $r_i$, $T_i \in P(T)$, $A_i, A_j \in P(A)$ and $A_i = A(T_i)$. If $T_i(A_j) = 1$ then $A_i \subseteq A_j$.

Theorem 2 Suppose in $r_i$, $T_i, T_j \in P(T)$ and $A_i = A(T_i)$. If $T_j \subseteq T_i$ then $T_j(A_i) = 1$.

Proof As $A_i = A(T_i)$, we have $T_i(A_i) = 1$, that is to say, $A_i$ is enough to finish the task $T_i$ in terms of actions. Since $T_j \subseteq T_i$, i.e. task $T_j$ is a subset of $T_i$, $A_i$ is also enough to finish the task $T_j$ in terms of actions, so $T_j(A_i) = 1$.

Theorem 3 Suppose $T_i, T_j \in P(T)$, $A_i, A_j \in P(A)$, $A_i = A(T_i)$ and $A_j = A(T_j)$. If $T_i \subseteq T_j$ then $A_i \subseteq A_j$.

Similarly, we can also get the corresponding properties of the data closure of a role. Theorem 3 implies that task is the basis of our analysis. Since the actions and the data of a role are determined by its tasks, so are the privileges of the role. Thus, once we have the action closure and the data closure of a role, it is easy to get its least privileges.

2.2 Algorithm of the Least Privileges of a Role

① Suppose $r_i^A$, $r_i^D$ and $r_i^T$ are the rough actions, data and tasks of $r_i$ obtained in the stage of requirement analysis. If $T_i \subseteq r_i^T$, then by the above theorems we have $T_i(r_i^A) = 1$ and $T_i(r_i^D) = 1$. In a real system the actions and data of any role are finite. Let $r_i^A = \{a_1, a_2, \dots, a_n\}$ and $r_i^D = \{d_1, d_2, \dots, d_m\}$. For each $a_l \in r_i^A$, if $T_i(r_i^A - \{a_l\}) = 1$ then remove $a_l$ from $r_i^A$, otherwise keep $a_l$ in $r_i^A$. Applying the same operation to each $d_l \in r_i^D$, in finitely many steps we get each task's action closure $A(T_i)$ and data closure $D(T_i)$ in role $r_i$. ② Suppose $T_1, T_2, \dots, T_m$ are all the tasks of $r_i$ (here we assume that one role can have more than one task). By step ① we get the action closure and data closure of each $T_j$ in $r_i$, namely $A(T_1), A(T_2), \dots, A(T_m)$ and $D(T_1), D(T_2), \dots, D(T_m)$. Let $Q$ be the privileges of the system set by the requirement; then
$$Q \cap \big((A(T_1) \times D(T_1)) \cup (A(T_2) \times D(T_2)) \cup \dots \cup (A(T_m) \times D(T_m))\big)$$
is the least privileges of the role $r_i$.
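The two steps of Section 2.2 carried out in Python, as an added example that is not part of the paper. The tasks, actions, data and the privilege set $Q$ are constructed for illustration, and the predicates $T_j(A_i)$ and $T_j(D_i)$ are modelled as "the candidate set covers a fixed need", which makes them monotone. Under that assumption the greedy removal of step ① is order independent and returns exactly $A(T_j)$ and $D(T_j)$. The caveat a practitioner should keep in mind: when a task can be finished by alternative action sets, the unique closure of Definition 2 does not exist, and the greedy step returns one minimal sufficient set that depends on the removal order, so that order must then be fixed deliberately (the code sorts the elements for that reason).

```python
from itertools import product

# Constructed example system (not from the paper).
ACTIONS = {"read", "write", "delete", "export"}
DATA = {"ledger", "audit_log", "customer_pii"}
# Q: the privileges "set by the requirement"; deleting the audit log is never a
# privilege, whatever a role's rough action and data sets happen to contain.
Q = set(product(ACTIONS, DATA)) - {("delete", "audit_log")}

# Each task T_j is modelled by the actions and data it needs. The propositions
# T_j(A_i) and T_j(D_i) of Definition 1 are then "the candidate covers the need",
# which is monotone, so the closures of Definition 2 exist and are unique.
TASKS = {
    "post_entry": ({"read", "write"}, {"ledger"}),
    "review_log": ({"read"}, {"audit_log"}),
}

def task_actions_enough(task, candidate):
    """T_task(candidate) = 1 in terms of actions."""
    return TASKS[task][0] <= set(candidate)

def task_data_enough(task, candidate):
    """T_task(candidate) = 1 in terms of data."""
    return TASKS[task][1] <= set(candidate)

def closure(rough, enough):
    """Step 1: starting from the rough set, drop every element whose removal
    leaves the task still satisfiable; what survives is A(T) or D(T)."""
    if not enough(rough):
        raise ValueError("rough set does not suffice for the task (T(rough) = 0)")
    kept = set(rough)
    for x in sorted(rough):          # fixed order: matters only if the closure is not unique
        if enough(kept - {x}):
            kept.discard(x)
    return kept

def least_privileges(role_tasks, rough_actions, rough_data, privileges=Q):
    """Step 2: Q ∩ ( (A(T_1) × D(T_1)) ∪ ... ∪ (A(T_m) × D(T_m)) )."""
    allowed = set()
    for t in role_tasks:
        a_cl = closure(rough_actions, lambda s, t=t: task_actions_enough(t, s))
        d_cl = closure(rough_data, lambda s, t=t: task_data_enough(t, s))
        allowed |= set(product(a_cl, d_cl))
    return allowed & privileges

def overprovisioning(rough_actions, rough_data, least, privileges=Q):
    """Privileges the role would hold if granted the rough sets outright
    (Q ∩ (r^A × r^D)) but does not need for any of its tasks."""
    return (privileges & set(product(rough_actions, rough_data))) - least

if __name__ == "__main__":
    # A clerk role whose rough sets from requirement analysis are everything.
    clerk_least = least_privileges(["post_entry", "review_log"], ACTIONS, DATA)
    print(sorted(clerk_least))
    print(len(overprovisioning(ACTIONS, DATA, clerk_least)), "unnecessary privileges avoided")
```

Running it for the constructed clerk role reduces the eleven privileges that the rough sets would grant to the three the two tasks actually need; `closure` refuses a rough set that is already insufficient, because step ① is only valid when $T_i(r_i^A) = 1$ and $T_i(r_i^D) = 1$ hold to begin with.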
3 Inheritance of Roles
By the definition of roles, we know that a role is a set of users who have the same set of actions and act on the same set of data. So the inheritance of roles should consist of the inheritance of actions and the inheritance of data. Since a privilege is defined as an ordered pair of an action and a datum, we then obtain the inheritance of privileges among roles.

Definition 3 ① Suppose $r_1, r_2 \in R$. If $r_1^A \subseteq r_2^A$, then we say $r_2$ can inherit the actions of $r_1$, denoted by $r_1 \le_A r_2$; $r_1$ is called the action father of $r_2$ and $r_2$ the action son of $r_1$. ② Suppose $r_1, r_2 \in R$. If $r_1^D \subseteq r_2^D$, then we say $r_2$ can inherit the data of $r_1$, denoted by $r_1 \le_D r_2$; $r_1$ is called the data father of $r_2$ and $r_2$ the data son of $r_1$. ③ Suppose $r_1, r_2 \in R$. If $r_1^A \subseteq r_2^A$ and $r_1^D \subseteq r_2^D$, then we say $r_2$ can inherit $r_1$, denoted by $r_1 \le r_2$; $r_1$ is called the father of $r_2$ and $r_2$ the son of $r_1$.

By the definition, the inheritance of roles is a binary relation on the set of roles. Thus we only need to discuss how to realize the inheritance between two roles, and then generalize it to all the roles in a real system.

Algorithm of role's inheritance Suppose $r_1, r_2 \in R$. ① If $r_1^A = r_2^A$ and $r_1^D = r_2^D$, then we say $r_1$ and $r_2$ are equal in terms of inheritance, denoted by $r_1 = r_2$. ② If $r_1^A \cap r_2^A = \emptyset$ and $r_1^D \cap r_2^D = \emptyset$, then we say $r_1$ and $r_2$ have no inheritance relation. ③ If $r_1 \le r_2$, then all the data ($r_1^D$) and actions ($r_1^A$) of $r_1$ can be inherited by $r_2$. For the privileges, $r_1^Q = Q \cap (r_1^A \times r_1^D)$, where $Q$ is the set of privileges in the system. In $r_2$, the data set and the action set only need to contain $r_2^D - r_1^D$ and $r_2^A - r_1^A$ respectively, and $r_2^Q = Q \cap (r_2^A \times r_2^D) - r_1^Q$.
④ If $r_2 \le_D r_1$ and $r_1 \le_A r_2$, then [illegible in source] and for the privileges [illegible in source] $= Q \cap$ [illegible in source].
As the above algorithm implies, role inheritance is a partial order; however, in general all the roles in a system form one or more lattices rather than a single chain.
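Definition 3 and cases ①-③ of the inheritance algorithm in Python, as an added example that is not part of the paper; the roles and the privilege set $Q$ are constructed. Besides classifying a pair of roles, it computes the father's privileges $r_1^Q$ and the son's remaining privileges $Q \cap (r_2^A \times r_2^D) - r_1^Q$, and checks over a set of roles that $\le$ is reflexive, antisymmetric and transitive, i.e. the partial order claimed above.

```python
from itertools import product

class Role:
    """A role's action set r^A and data set r^D (Definition 1, item 4)."""
    def __init__(self, name, actions, data):
        self.name = name
        self.actions = frozenset(actions)   # r^A
        self.data = frozenset(data)         # r^D

def inherits_actions(r1, r2):
    """r1 <=_A r2: r2 can inherit the actions of r1 (Definition 3, case 1)."""
    return r1.actions <= r2.actions

def inherits_data(r1, r2):
    """r1 <=_D r2: r2 can inherit the data of r1 (Definition 3, case 2)."""
    return r1.data <= r2.data

def inherits(r1, r2):
    """r1 <= r2: r1 is the father of r2 (Definition 3, case 3)."""
    return inherits_actions(r1, r2) and inherits_data(r1, r2)

def relation(r1, r2):
    """Classify the pair (r1, r2) as in the algorithm of role's inheritance."""
    if r1.actions == r2.actions and r1.data == r2.data:
        return "equal"       # case 1: r1 = r2 in terms of inheritance
    if not (r1.actions & r2.actions) and not (r1.data & r2.data):
        return "none"        # case 2: no inheritance relation
    if inherits(r1, r2):
        return "father"      # case 3: r1 <= r2
    if inherits(r2, r1):
        return "son"         # case 3 with the roles swapped
    return "mixed"           # at most one of <=_A, <=_D holds in either direction

def privileges(role, q):
    """r^Q = Q ∩ (r^A × r^D)."""
    return q & set(product(role.actions, role.data))

def own_privileges(son, father, q):
    """What the son must hold itself once it inherits the father:
    Q ∩ (r2^A × r2^D) − r1^Q (algorithm, case 3)."""
    if not inherits(father, son):
        raise ValueError(f"{father.name} is not a father of {son.name}")
    return privileges(son, q) - privileges(father, q)

def is_partial_order(roles):
    """Reflexivity, antisymmetry (up to equality of the sets) and transitivity of <=."""
    for a in roles:
        if not inherits(a, a):
            return False
        for b in roles:
            if inherits(a, b) and inherits(b, a) and relation(a, b) != "equal":
                return False
            for c in roles:
                if inherits(a, b) and inherits(b, c) and not inherits(a, c):
                    return False
    return True

# Constructed example (not from the paper): three roles over a small system.
ACTIONS = {"read", "write", "approve"}
DATA = {"ledger", "audit_log"}
# Q excludes writing or approving the audit log for every role.
Q = set(product(ACTIONS, DATA)) - {("write", "audit_log"), ("approve", "audit_log")}

CLERK = Role("clerk", {"read", "write"}, {"ledger"})
AUDITOR = Role("auditor", {"read"}, {"ledger", "audit_log"})
MANAGER = Role("manager", {"read", "write", "approve"}, {"ledger", "audit_log"})

if __name__ == "__main__":
    print(relation(CLERK, MANAGER), relation(CLERK, AUDITOR))
    print(sorted(own_privileges(MANAGER, CLERK, Q)))
    print(is_partial_order([CLERK, AUDITOR, MANAGER]))
```

Note what the product form of privileges implies for the constructed manager role: inheriting the clerk gives it (read, ledger) and (write, ledger), but its own set also contains (read, audit_log), which pairs an action inherited from the father with a datum the son adds. Because $r_2^Q$ is defined as $Q \cap (r_2^A \times r_2^D)$ minus the father's privileges, the only place to keep such cross pairs out of a son role is $Q$ itself, which is why $Q$ is fixed by the requirement rather than derived from the roles. The clerk and auditor stand in a mixed relation (the auditor is the clerk's action father, the clerk the auditor's data father), which is the situation case ④ of the algorithm addresses.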
4 Summary

This paper has proposed the concepts of action closure and data closure of a role, based on which we obtained the specification and an algorithm for the least privileges of a role. We proposed that roles' inheritance should consist of inheritance of actions and inheritance of data, from which we obtained the inheritance of privileges among roles, which can be supported by existing development tools [8,9].
References

[1] Ferraiolo D, Cugini J, Kuhn R. Role-Based Access Control: Features and Motivations. Proceedings of 11th Annual Computer Security Applications Conference. New Orleans: IEEE Computer Society Press, 1995. 241-248.
[2] Ferraiolo D, Kuhn R. Role-Based Access Controls. Proceedings of 15th NIST-NCSC National Computer Security Conference. Baltimore: IEEE Computer Society Press, 1992. 554-563.
[3] Giuri L. A New Model for Role-Based Access Control. Proceedings of 11th Annual Computer Security Applications Conference. New Orleans: IEEE Computer Society Press, 1995. 249-255.
[4] Sandhu R, Coyne E, Feinstein H L, et al. Role-Based Access Control Models. IEEE Computer. Los Alamitos: IEEE Computer Society Press, 1996, 29(2): 38-47.
[5] Ferraiolo D, Sandhu R, Gavrila S, et al. Proposed NIST Standard for Role-Based Access Control. ACM Transactions on Information and System Security (TISSEC), 2001, 4(3): 43-57.
[6] Park J, Sandhu R, Ahn G J. Role-Based Access Control on the Web. ACM Transactions on Information and System Security (TISSEC), 2001, 4(1): 1-12.
[7] Giuri L, Iglio P. A Formal Model for Role-Based Access Control with Constraints. Proceedings of 9th IEEE Computer Security Foundations Workshop. Kenmare, Ireland, June 1996. 136-145.
[8] Nyanchama M, Osborn S. Access Rights Administration in Role-Based Security Systems. Database Security VIII: Status and Prospects. Amsterdam: North-Holland, December 1995. 30-41.
[9] Solms S H, Merwe I. The Management of Computer Security Profiles Using a Role-Oriented Approach. ACM Transactions on Information and System Security (TISSEC), 1996, 4(1): 37-71.