Traditional RBAC Rights Management Model

Copyright: https://blog.csdn.net/qq_21852449/article/details/74180152

Rights management model
I. Role-based access control (RBAC)

  1. Principle of least privilege
  2. Principle of separation of duties
  3. Principle of data abstraction

II. Types
RBAC96 model

1. Basic model: RBAC0

Definition: the RBAC0 model is determined by the following:
U, R, P and S denote the sets of users, roles, permissions and sessions respectively.
PA ⊆ P × R is the many-to-many permission-to-role assignment relation.
UA ⊆ U × R is the many-to-many user-to-role assignment relation.
user: S → U is a function mapping each session s_i to the single user user(s_i) (constant for the lifetime of the session).
roles: S → 2^R is a function mapping each session s_i to a set of roles roles(s_i) ⊆ {r | (user(s_i), r) ∈ UA} (which can change with time), and session s_i has the permissions ∪_{r ∈ roles(s_i)} {p | (p, r) ∈ PA}.
When using the RBAC0 model, every permission should be assigned to at least one role and every user should be assigned to at least one role. Two roles may be assigned exactly the same permissions and still be two completely distinct roles; the same holds for users. Roles are best seen as a semantic construct that forms the basis of a formal access control policy.
RBAC0 treats permissions as uninterpreted symbols, because their precise meaning can only be determined by the particular system being built. RBAC0 permissions apply only to data and resource objects, not to components of the model itself. Modifying the sets U, R, P and the relations UA and PA is called rights administration and is described later by the RBAC administrative model; RBAC0 therefore assumes that only the security administrator can modify these components.
In the model a session is controlled by a single user: the user creates the session and activates some subset of the roles assigned to him, chosen by him. Which roles are active in a session is decided by the user, and terminating a session is also initiated by the user. RBAC0 does not allow a session to create another session; sessions can only be created by users.

2. Hierarchical role model: RBAC1

Definition: the RBAC1 model is determined by the following:
U, R, P and S denote the sets of users, roles, permissions and sessions respectively.
PA ⊆ P × R is the many-to-many permission-to-role assignment relation.
UA ⊆ U × R is the many-to-many user-to-role assignment relation.
RH ⊆ R × R is a partial order on R, called the role hierarchy or role dominance relation, also written ≥.
user: S → U is a function mapping each session s_i to the single user user(s_i) (constant for the lifetime of the session).
roles: S → 2^R is a function mapping each session s_i to a set of roles roles(s_i) ⊆ {r | (∃r' ≥ r)[(user(s_i), r') ∈ UA]} (which can change with time), and session s_i has the permissions ∪_{r ∈ roles(s_i)} {p | (∃r'' ≤ r)[(p, r'') ∈ PA]}.
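The RBAC0 and RBAC1 definitions above, written out as a small executable model. This is an added example, not code from the original post: with an empty role hierarchy RH the class is exactly RBAC0, and with RH populated the session functions follow the RBAC1 definitions (authorized roles are those dominated by an assigned role, and a session's permissions include those of all junior roles). The users, roles and permissions in build_demo are constructed for illustration, and RH is assumed to be acyclic (a partial order), which the code does not verify.

```python
"""Added example (not from the original post): RBAC0 and RBAC1 as a Python model."""
from typing import Dict, Set, Tuple

User = str
Role = str
Perm = str


class RBAC:
    """U, R, P, S with UA, PA and the hierarchy RH stored as (senior, junior) pairs.
    An empty RH gives plain RBAC0 behaviour."""

    def __init__(self) -> None:
        self.U: Set[User] = set()
        self.R: Set[Role] = set()
        self.P: Set[Perm] = set()
        self.UA: Set[Tuple[User, Role]] = set()    # UA ⊆ U × R
        self.PA: Set[Tuple[Perm, Role]] = set()    # PA ⊆ P × R
        self.RH: Set[Tuple[Role, Role]] = set()    # (senior, junior): senior ≥ junior
        self.sessions: Dict[str, Tuple[User, Set[Role]]] = {}

    def juniors(self, role: Role) -> Set[Role]:
        """All roles r'' ≤ role, including role itself (reflexive-transitive closure)."""
        result, frontier = {role}, [role]
        while frontier:
            r = frontier.pop()
            for senior, junior in self.RH:
                if senior == r and junior not in result:
                    result.add(junior)
                    frontier.append(junior)
        return result

    def authorized_roles(self, user: User) -> Set[Role]:
        """{r | (∃r' ≥ r)[(user, r') ∈ UA]}: the roles a user may activate."""
        return {r for (u, r_prime) in self.UA if u == user
                for r in self.juniors(r_prime)}

    def create_session(self, sid: str, user: User, roles: Set[Role]) -> None:
        """user(s_i) is fixed at creation; roles(s_i) must be a subset of the
        user's authorized roles, otherwise the activation is refused."""
        if user not in self.U:
            raise ValueError(f"unknown user {user}")
        not_allowed = roles - self.authorized_roles(user)
        if not_allowed:
            raise PermissionError(f"{user} may not activate {sorted(not_allowed)}")
        self.sessions[sid] = (user, set(roles))

    def session_permissions(self, sid: str) -> Set[Perm]:
        """∪_{r ∈ roles(s_i)} {p | (∃r'' ≤ r)[(p, r'') ∈ PA]}"""
        _, active = self.sessions[sid]
        perms: Set[Perm] = set()
        for r in active:
            for junior in self.juniors(r):
                perms |= {p for (p, rr) in self.PA if rr == junior}
        return perms


def build_demo(hierarchy: bool) -> RBAC:
    """Constructed sample: member < programmer < manager when hierarchy=True,
    the same roles with no hierarchy (RBAC0) when hierarchy=False."""
    m = RBAC()
    m.U = {"alice", "bob"}
    m.R = {"member", "programmer", "manager"}
    m.P = {"read_spec", "commit_code", "approve_release"}
    m.PA = {("read_spec", "member"), ("commit_code", "programmer"),
            ("approve_release", "manager")}
    m.UA = {("alice", "manager"), ("bob", "programmer")}
    if hierarchy:
        m.RH = {("manager", "programmer"), ("programmer", "member")}
    return m


if __name__ == "__main__":
    m1 = build_demo(hierarchy=True)
    m1.create_session("s1", "alice", {"manager"})
    print("RBAC1 manager session:", sorted(m1.session_permissions("s1")))
    m0 = build_demo(hierarchy=False)
    m0.create_session("s1", "alice", {"manager"})
    print("RBAC0 manager session:", sorted(m0.session_permissions("s1")))
```

The difference between the two models shows up only in authorized_roles and session_permissions: in RBAC0 alice's manager session carries just approve_release, whereas in RBAC1 the same session also inherits commit_code and read_spec from the junior roles.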

3. Constrained model: RBAC2

The RBAC2 model is formed by adding constraints to RBAC0; it is not compatible with RBAC1. RBAC2 is defined as follows:
Definition: RBAC2 is unchanged from RBAC0 except for the addition of a set of constraints. These constraints determine whether the values of the various RBAC0 components are acceptable, and only acceptable values are permitted.
The constraints introduced by RBAC2 can be applied to all components and relations of the RBAC0 model. Mutually exclusive roles are the most fundamental constraint in RBAC2: two roles are mutually exclusive when the permissions of each constrain the other. A user may be assigned only one of such a pair of roles at any one time and cannot obtain the right to use both.
For example, in auditing, a user cannot be assigned both the auditor role and the accountant role. Another example: in a company the manager and deputy manager roles are also mutually exclusive; a contract can be signed or checked only by the manager and cannot be signed by the deputy manager. In an RBAC2 model built for the company, a user cannot hold both the manager and deputy manager roles. In summary, the mutual exclusion constraint supports the realization of the principle of separation of duties.
More generally, mutual exclusion constraints can control which combinations of role memberships are acceptable for a user. For example, a user may be a programmer on project A, a tester on project B and an inspector on project C, but may not hold all three roles on the same project. The RBAC2 model can express this restriction.
Another example is limiting the maximum number of members a role may have; this is known as a role cardinality constraint. For example, a unit can have only one top leader and a limited number of middle-level cadres; once the number of users assigned to such a role reaches its cardinality limit, the role accepts no further users.
Minimum cardinality constraints are difficult to implement. For example, if a minimum number of users is required to occupy a role, the question is how the system can know at any moment whether an occupant has disappeared, and what it should do if one has.
When assigning role A to a user, it is sometimes required that the user already be a member of role B; role B is then a prerequisite of role A. The concept of prerequisite roles comes from competence and appropriateness. Prerequisites that are absolute become prerequisite constraints. A common example is that an associate professor of mathematics should be promoted from a lecturer in mathematics, so lecturer in mathematics is a prerequisite role of associate professor. In an actual system, however, conflicts between prerequisite constraints may also arise.
In Figure ap08-03 it may be stipulated that only project members are eligible to take on the programmer role; usually, within a system, the prerequisite role is lower in the hierarchy than the newly assigned role. In some cases, however, a user is required to not hold a particular role before another role A can be assigned, for instance when a recusal policy must be enforced: a member of a project group should not sit on the committee that evaluates that project's results. Such constraints can also be extended to permissions.
Because a user's roles are linked to sessions, constraints can also be imposed on sessions. For example, a user may be allowed to be assigned two roles but not to activate both at the same time. Further, the number of sessions a user may have active at once can be limited, and correspondingly the number of permissions a user may hold within an active session can be limited.
The concept of inheritance described earlier can also be regarded as a constraint: a permission assigned to a junior role must also be assigned to all senior roles of that role, or equivalently, a user assigned to a senior role must also be assigned to all junior roles of that role. In this sense the RBAC1 model is redundant, since it is contained in RBAC2. RBAC1 is nevertheless simpler and makes the concept of inheritance clearer than expressing it as constraints.
Constraints can be implemented as functions: when a role is assigned to a user or a permission is assigned to a role, these functions are called to check whether the assignment satisfies the constraints, and the result is returned by the function. Usually only constraints that can be checked efficiently and some simple conventional constraints are implemented, because such constraints can be maintained over a long period.
The effectiveness of the constraint mechanism in the model rests on the actual system supporting a unique identifier for each user; if a user has more than one identifier, the constraints are invalidated. Likewise, if two or more permissions grant the same operation, the RBAC system cannot enforce cardinality and separation-of-duty constraints. It is therefore required that users correspond one-to-one to user identifiers, and operations correspond one-to-one to permissions.

4. Unified model: RBAC3

RBAC3 combines RBAC1 and RBAC2 to provide both role hierarchies and constraints. Bringing the two concepts together, however, raises some new issues.
Constraints may be applied to the role hierarchy itself. Since the hierarchy is a partial order on roles, such constraints are essential to the model and may affect the partial order. For example, a constraint may limit the number of junior roles a given role may have.
Two or more roles may also be constrained to have no common senior or junior role. Such constraints are useful when the authority to change the role hierarchy has been decentralised, while the chief security officer still wants to restrict the ways in which these changes can be made.
There is also a subtle interplay between constraints and role hierarchies. In the environment of Figure ap08-03, a project member may not simultaneously hold the programmer and tester roles, but the position of the project manager in the hierarchy clearly violates this constraint. In some cases such a violation by a senior role is acceptable; in others it is not.
From the point of view of strict modelling rules, a constraint should not be forbidden in some cases and permitted in others. A similar situation arises with cardinality constraints: suppose a user may be assigned to at most one role; does assigning that user to the tester role in the figure violate this constraint? In other words, does a cardinality constraint apply only to direct members, or also to inherited members?
The concept of private roles is useful for explaining these constraints. Again in the Figure ap08-03 environment, the roles tester', programmer' and project manager can be declared mutually exclusive; they are at the same level and have no common senior role, so the project manager role does not violate the mutual exclusion constraint. Private roles have no common senior with other roles because they are maximal elements of the hierarchy, so mutual exclusion between private roles can be defined without conflict.
The shared parts between the private roles (the common tester and programmer roles) can be declared to have a maximum cardinality of 0 members. With this approach a tester must be assigned to the tester' role, while the tester role serves as a means of sharing permissions with the project manager role.
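The RBAC2 constraints described above (static and dynamic mutual exclusion, maximum cardinality, prerequisite roles) implemented as check functions called at assignment time, followed by the RBAC3 Figure ap08-03 scenario: programmer and tester are mutually exclusive, both are junior to the project manager, and the private roles programmer' and tester' with cardinality 0 on the shared roles resolve the conflict. This is an added example, not code from the original post; the user names and the exact shape of the hierarchy (member below programmer and tester, both below manager) are my assumptions, since the figure itself is not reproduced.

```python
"""Added example (not from the original post): RBAC2 constraints and the RBAC3
hierarchy/constraint interplay with private roles."""
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Role = str
User = str
Edge = Tuple[Role, Role]   # (senior, junior): senior ≥ junior in RH


def juniors(RH: Set[Edge], role: Role) -> Set[Role]:
    """Reflexive-transitive closure: `role` and every role it dominates."""
    result, frontier = {role}, [role]
    while frontier:
        r = frontier.pop()
        for senior, junior in RH:
            if senior == r and junior not in result:
                result.add(junior)
                frontier.append(junior)
    return result


class ConstrainedRBAC:
    def __init__(self, RH: Iterable[Edge] = ()) -> None:
        self.RH: Set[Edge] = set(RH)
        self.UA: Set[Tuple[User, Role]] = set()
        self.static_mutex: List[FrozenSet[Role]] = []   # never assigned together
        self.dynamic_mutex: List[FrozenSet[Role]] = []  # never activated together
        self.max_members: Dict[Role, int] = {}          # maximum cardinality per role
        self.prereq: Dict[Role, Role] = {}              # role -> prerequisite role
        self.sessions: Dict[str, Tuple[User, Set[Role]]] = {}

    def direct_roles(self, user: User) -> Set[Role]:
        return {r for (u, r) in self.UA if u == user}

    def effective_roles(self, user: User) -> Set[Role]:
        """Direct roles plus everything inherited downward through RH."""
        return {j for r in self.direct_roles(user) for j in juniors(self.RH, r)}

    def check_assign(self, user: User, role: Role, inherited: bool = False) -> List[str]:
        """Violations that assigning `role` to `user` would cause; empty means OK.
        inherited=True applies mutual exclusion to inherited membership too;
        cardinality is always counted on direct members, as the text's
        'maximum 0 members' on the shared roles requires."""
        problems: List[str] = []
        have = self.effective_roles(user) if inherited else self.direct_roles(user)
        new = have | (juniors(self.RH, role) if inherited else {role})
        for group in self.static_mutex:
            if len(group & new) > 1:
                problems.append(f"{user}: mutually exclusive roles {sorted(group & new)}")
        limit = self.max_members.get(role)
        members = {u for (u, r) in self.UA if r == role}
        if limit is not None and len(members | {user}) > limit:
            problems.append(f"{role}: cardinality limit {limit} exceeded")
        need = self.prereq.get(role)
        if need is not None and need not in self.effective_roles(user):
            problems.append(f"{role}: prerequisite role {need} missing")
        return problems

    def assign(self, user: User, role: Role, inherited: bool = False) -> None:
        problems = self.check_assign(user, role, inherited)
        if problems:
            raise PermissionError("; ".join(problems))
        self.UA.add((user, role))

    def activate(self, sid: str, user: User, roles: Iterable[Role]) -> Set[Role]:
        """Session constraint: roles may be assigned together yet never active together."""
        active = set(roles)
        if not active <= self.direct_roles(user):
            raise PermissionError(f"{user}: activating roles that are not assigned")
        for group in self.dynamic_mutex:
            if len(group & active) > 1:
                raise PermissionError(f"{user}: cannot activate {sorted(group & active)} together")
        self.sessions[sid] = (user, active)
        return active


# Assumed shape of Figure ap08-03: member < programmer, member < tester, both < manager.
FIGURE_RH: Set[Edge] = {("programmer", "member"), ("tester", "member"),
                        ("manager", "programmer"), ("manager", "tester")}


def figure_model() -> ConstrainedRBAC:
    """Programmer and tester exclusive, programmer requires project membership."""
    m = ConstrainedRBAC(FIGURE_RH)
    m.static_mutex.append(frozenset({"programmer", "tester"}))
    m.prereq["programmer"] = "member"
    return m


def private_role_model() -> ConstrainedRBAC:
    """Private roles programmer' and tester' sit above the shared roles and have no
    common senior with manager; the shared roles get maximum cardinality 0."""
    m = ConstrainedRBAC(FIGURE_RH | {("programmer'", "programmer"), ("tester'", "tester")})
    m.static_mutex.append(frozenset({"programmer'", "tester'", "manager"}))
    m.max_members["programmer"] = 0
    m.max_members["tester"] = 0
    return m
```

In figure_model, assigning manager passes when exclusion is checked on direct membership only and fails when inherited membership is counted, which is exactly the ambiguity the text describes. In private_role_model the manager is no longer an inherited member of an exclusive pair, a user can only be placed in tester' (the shared tester role refuses direct members), and the permissions of tester still reach the manager through the hierarchy.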

ARBAC97 model

ARBAC97 is a role-based administrative model for RBAC, consisting of three parts:
URA97: user-role assignment. This component concerns the administration of the user-role assignment relation UA, which associates users with roles. The right to modify this relation is controlled by administrative roles, so that members of an administrative role have the right to manage membership of regular roles. Assigning users to administrative roles is done outside URA97 and is assumed to be done by the chief security officer.
PRA97: permission-role assignment. This component concerns the assignment and revocation of permissions to roles. From the role's point of view, users and permissions have similar characteristics: they are the real-world entities that roles bring together. PRA97 is therefore regarded as the dual of URA97.
RRA97: role-role assignment. To facilitate role administration, roles are classified. This component involves three kinds of roles:
1. Abilities: roles whose members may only be permissions and other abilities.
2. Groups: roles whose members may only be users and other groups.
3. UP-roles: roles that represent both users and permissions; there is no restriction on their members, which may be users, permissions, abilities, groups or other UP-roles.
The main reason for distinguishing these three kinds is that different administrative models can be applied to establishing relationships between different kinds of roles. The first motivation is the consideration of abilities: an ability is a set of permissions, and all the permissions in the set can be assigned to a role as a unit. Similarly, a group is a set of users, and all the users in the set can be assigned to a role as a unit. Abilities and groups thus appear as classes of roles.
For a UP-role, whether an ability is a member of it is determined by whether the UP-role dominates the ability: if it does, the ability is a member; otherwise it is not. Conversely, if a group dominates a UP-role, then the group is a member of the UP-role.
Research on the ARBAC97 administrative model continues: the formalisation of ability assignment and group assignment has been completed, while the research results on the UP-role concept have not yet been formalised. [2]

DRBAC

DRBAC is a distributed RBAC model for dynamic coalition environments.
DRBAC differs from previous trust management and RBAC approaches in that it supports three features:
1. Third-party delegation: an entity that has been granted delegation authority can assign roles outside its own namespace.
2. Numerical attributes: a mechanism that regulates access by adjusting values associated with roles during the assignment process.
3. Assignment monitoring: a publish/subscribe structure continuously monitors the established trust relationships and tracks the state of revocable assignments.
DRBAC arises from the problem of controlling access to resources in coalition environments. A "coalition environment" may be the militaries of several countries working together to achieve a common goal, or several commercial partners. A coalition environment is characterised by the presence of multiple organisations or entities with no common trusted authority. In this situation the entities must protect their own resources while also collaborating to share the part of those protected resources that the coalition requires. The growth of Internet services has made this demand widespread.
DRBAC combines the advantages of RBAC and trust management systems: it is both a flexible management system and a decentralised, scalable implementation. DRBAC expresses controlled behaviour in terms of roles that are defined within one entity's trust domain and can be assigned transitively to roles in other trust domains. DRBAC uses PKI to identify all entities involved in sensitive operations and trust relationships and to validate delegation certificates. Mapping roles to the namespace of the authorising entity avoids the need to recognise additional policy roots.
III. Analysis
The CMS system uses the RBAC0 permission management model; in principle, operations on system permissions can only be carried out by the super administrator, and the system must have a super administrator. Introducing the RBAC0 model solves the problem of separating users from permissions: a user actually holds no permissions of his own, the user is only granted a role, and the user has exactly the permissions of that role. The RBAC0 model can usually solve the problem, and it is the most common one. In developing this project we use this simplest but most common permission model. Below are the database tables we built: we used five tables to implement this permission model, breaking it down into two many-to-many relationships, which makes the tables easier to maintain, simpler and easier to control.
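The five-table RBAC0 layout described above, built in SQLite through Python's standard sqlite3 module: three entity tables (users, roles, permissions) and two junction tables carrying the UA and PA many-to-many relations. This is an added example, not the project's own schema; the table and column names are my assumption, since the post shows its tables only in an image, and all rows are constructed sample data. The UNIQUE constraint on the user name is the "one identifier per user" requirement the text notes the constraint mechanism depends on.

```python
"""Added example (not from the original post): five-table RBAC0 schema in SQLite."""
import sqlite3
from typing import List

SCHEMA = """
CREATE TABLE users       (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE roles       (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE permissions (id INTEGER PRIMARY KEY, code TEXT NOT NULL UNIQUE);
-- first many-to-many relation: UA (user <-> role)
CREATE TABLE user_roles (
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    role_id INTEGER NOT NULL REFERENCES roles(id) ON DELETE CASCADE,
    PRIMARY KEY (user_id, role_id));
-- second many-to-many relation: PA (role <-> permission)
CREATE TABLE role_permissions (
    role_id       INTEGER NOT NULL REFERENCES roles(id) ON DELETE CASCADE,
    permission_id INTEGER NOT NULL REFERENCES permissions(id) ON DELETE CASCADE,
    PRIMARY KEY (role_id, permission_id));
"""

# Constructed sample data: a super administrator, an editor, and a user with no role.
SAMPLE = """
INSERT INTO users (name) VALUES ('root'), ('alice'), ('bob');
INSERT INTO roles (name) VALUES ('super_admin'), ('editor');
INSERT INTO permissions (code) VALUES ('article.read'), ('article.write'), ('user.manage');
INSERT INTO user_roles (user_id, role_id)
    SELECT u.id, r.id FROM users u, roles r
     WHERE (u.name = 'root'  AND r.name = 'super_admin')
        OR (u.name = 'alice' AND r.name = 'editor');
INSERT INTO role_permissions (role_id, permission_id)
    SELECT r.id, p.id FROM roles r, permissions p
     WHERE r.name = 'super_admin'
        OR (r.name = 'editor' AND p.code LIKE 'article.%');
"""

PERMISSION_QUERY = """
SELECT DISTINCT p.code
  FROM users u
  JOIN user_roles ur       ON ur.user_id = u.id
  JOIN roles r             ON r.id = ur.role_id
  JOIN role_permissions rp ON rp.role_id = r.id
  JOIN permissions p       ON p.id = rp.permission_id
 WHERE u.name = ?
 ORDER BY p.code
"""


def open_db() -> sqlite3.Connection:
    """In-memory database with the schema and constructed rows loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # make REFERENCES / ON DELETE CASCADE effective
    conn.executescript(SCHEMA + SAMPLE)
    return conn


def permissions_for(conn: sqlite3.Connection, username: str) -> List[str]:
    """A user holds no permissions directly: everything is reached through the two joins."""
    return [row[0] for row in conn.execute(PERMISSION_QUERY, (username,))]


def has_permission(conn: sqlite3.Connection, username: str, code: str) -> bool:
    return code in permissions_for(conn, username)


def revoke_role(conn: sqlite3.Connection, username: str, rolename: str) -> None:
    """Deleting one UA row withdraws every permission that came through that role."""
    conn.execute(
        "DELETE FROM user_roles "
        " WHERE user_id = (SELECT id FROM users WHERE name = ?)"
        "   AND role_id = (SELECT id FROM roles WHERE name = ?)",
        (username, rolename))


def super_admin_exists(conn: sqlite3.Connection) -> bool:
    """The text requires that the system always has a super administrator."""
    row = conn.execute(
        "SELECT COUNT(*) FROM user_roles ur JOIN roles r ON r.id = ur.role_id"
        " WHERE r.name = 'super_admin'").fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = open_db()
    for name in ("root", "alice", "bob"):
        print(name, permissions_for(db, name))
```

Because permission checks always go through user_roles and role_permissions, granting or withdrawing access is a single row insert or delete in a junction table, and the ON DELETE CASCADE clauses keep the two relations consistent when a user, role or permission is removed.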
The following figure shows the RBAC1 model, which implements inheritance on top of RBAC0; the same effect can also be achieved with RBAC0 at the cost of data redundancy.

RBAC2 is also built on the RBAC0 model, adding access control constraints on roles. Mutually exclusive roles are the most fundamental constraint in RBAC2: two roles are mutually exclusive when the permissions of each constrain the other. A user may be assigned only one of such a pair of roles at any one time and cannot obtain the right to use both.
RBAC3 is the most comprehensive and most complex model: RBAC3 = RBAC1 + RBAC2.
