Tuesday, May 20, 2008

On Formalizing and Normalizing Role-Based Access Control Systems

@article{power08formalizing,
author = {David Power and Mark Slaymaker and Andrew Simpson},
title = {On Formalizing and Normalizing Role-Based Access Control Systems},
journal = {The Computer Journal},
year = {2008},
publisher = {Oxford University Press},
url = {http://comjnl.oxfordjournals.org/cgi/content/abstract/bxn016},
}

This paper presents a formal model, written in Z, of the core RBAC components, of hierarchical RBAC and of exclusive role constraints. Different types of inheritance are discussed, as well as how equivalence between RBAC systems can be defined using the model and how normalisation can be performed to produce simpler yet semantically equivalent RBAC systems.

The motivation for creating a new formalization of the model is the limitations of the ANSI standard for RBAC and of Li et al.'s model for RBAC [1]. Most of the work stems from Li et al.'s model, which is recast in the Z schema language and then manipulated.

The first manipulation explored is normalisation: redefining the structure of the system into a simpler form without removing any meaning. The process for core RBAC is as follows:

  1. Reduce infrastructure to a flat user-permission relation

  2. Assign each user a unique role

  3. Merge roles with identical permission sets into one role


Role hierarchies are described (including role dominance, derived relationship, immediate predecessor and limited role hierarchy) and added to the schema. The normalisation for hierarchical RBAC is as follows:

  1. Reduce infrastructure to a flat user-permission relation

  2. Assign each user a unique role

  3. Merge roles with identical permission sets into one role

  4. Place two roles in an ordering iff one is an immediate predecessor of the other

  5. Remove redundant permissions

  6. Remove roles that have no permissions


Alternative normalisations without step 2 of the process and modifications to hierarchy construction are also proposed.
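The six-step normalisation for hierarchical RBAC, worked through in Python as an added example (this is not the paper's Z schema, and the sample clinic system is constructed here). Two points are assumptions of this code rather than statements of the paper: for step 4 the normalised roles are ordered by strict inclusion of their full permission sets, with "immediate predecessor" meaning no third role lies strictly between them; for step 6 the role that would be created for users with an empty permission set is simply never created. The `expand` function re-derives the user-permission relation from the normalised system, which is the semantic-equivalence check that normalisation must pass.

```python
from typing import Dict, FrozenSet, Set
Perms = FrozenSet[str]

def flatten(ua: Dict[str, Set[str]], pa: Dict[str, Set[str]], rh: Dict[str, Set[str]]) -> Dict[str, Perms]:
    """Step 1: user -> every permission reachable via assigned roles and the roles they dominate."""
    def dominated(role: str) -> Set[str]:        # transitive closure over rh (senior -> direct juniors)
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(rh.get(r, ()))
        return seen
    return {u: frozenset(p for r in rs for j in dominated(r) for p in pa.get(j, ()))
            for u, rs in ua.items()}

def normalise(ua, pa, rh=None) -> Dict[Perms, dict]:
    """Steps 2-6; one entry per normalised role, keyed by the role's full permission set."""
    up = flatten(ua, pa, rh or {})
    members: Dict[Perms, Set[str]] = {}
    for u, perms in up.items():
        if perms:                       # step 6 (assumption): no role for an empty permission set
            members.setdefault(perms, set()).add(u)   # steps 2+3: one role per distinct set
    roles = list(members)
    # Step 4 (assumption): order roles by strict inclusion of permission sets;
    # r is an immediate predecessor of s when no third role lies strictly between them.
    juniors = {s: {r for r in roles if r < s and not any(r < m < s for m in roles)}
               for s in roles}
    # Step 5: a permission already held by some junior is redundant on the senior role.
    return {s: {"users": members[s], "juniors": juniors[s],
                "direct": s - frozenset().union(*juniors[s])} for s in roles}

def expand(norm: Dict[Perms, dict]) -> Dict[str, Perms]:
    """Re-derive user -> permissions from the normalised hierarchy (the equivalence check)."""
    def perms_of(s: Perms) -> Perms:
        return norm[s]["direct"] | frozenset().union(*(perms_of(j) for j in norm[s]["juniors"]))
    return {u: perms_of(s) for s, info in norm.items() for u in info["users"]}

# Constructed sample system (not from the paper): a small clinic with one inheritance chain.
UA = {"alice": {"doctor"}, "bob": {"nurse", "clerk"}, "carol": {"nurse"},
      "dave": {"visitor"}, "erin": {"doctor", "clerk"}, "frank": {"clerk"}}
PA = {"doctor": {"prescribe"}, "nurse": {"read_chart", "update_vitals"},
      "clerk": {"read_chart"}, "visitor": set(), "staff": {"badge"}}
RH = {"doctor": {"nurse"}, "nurse": {"staff"}, "clerk": {"staff"}}

if __name__ == "__main__":
    norm = normalise(UA, PA, RH)
    for s, info in norm.items():
        print(sorted(info["users"]), "direct:", sorted(info["direct"]), "juniors:", len(info["juniors"]))
```

On the sample, six users and five roles collapse to three roles in a single chain, and bob's separate clerk assignment disappears because it adds nothing beyond nurse.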

Exclusive role constraints are described and incorporated into the normalisation. They are similar to separation-of-duty constraints, except that they are motivated by least privilege rather than by enforcing separation of duties. Static mutually exclusive roles (SMER) limit the number of roles from a given set that a subject can be assigned. Dynamic mutually exclusive roles (DMER) limit the number of roles from a given set that a subject can activate in a session. Equivalence of constraints is compared as sets over roles, in the absence of users. Alternative equivalences that use permission constraints instead of role constraints, and which fit the proposed models better, are also discussed.

Finally, different types of inheritance are specified more clearly and discussed.

[1] Li, N., Byun, J.W. and Bertino, E. (2005) A Critique of the ANSI Standard on Role-Based Access Control. Technical Report CERIAS TR 2005-29, Department of Computer Science, Purdue University.
