Protecting Data Using Role-Based Access Control Dr. Balaji Palanisamy


Dr. Balaji Palanisamy, an Associate Professor at the University of Pittsburgh's School of Computing and Information, delves into the practice of protecting data through Role-Based Access Control. This module explores the importance of managing access rights based on user roles to enhance data security.




Presentation Transcript


  1. Module D.3: Protecting Data using Role Based Access Control. Dr. Balaji Palanisamy, Associate Professor, School of Computing and Information, University of Pittsburgh, bpalan@pitt.edu

  2. Introduction to access control: objects, and the subjects that access them.
     - General objects that need protection (examples): data stored in memory; a file or data set on an auxiliary storage device; a program executing in memory; a directory of files; a hardware device; passwords and the authentication mechanism; the protection mechanism itself.
     - Subjects: a user, an administrator, a programmer, a program, another object; anything that seeks to use an object.
     Revised by: Xin Liu

  3. Access control
     - Discretionary Access Control (DAC): the owner determines access rights. Typically identity-based: the owner specifies which other users have access.
     - Mandatory Access Control (MAC): system-wide rules specify the granting of access; also called rule-based access control.

  4. Access control (continued)
     - Originator Controlled Access Control (ORCON): the originator of the information controls access to it. The originator need not be the owner!
     - Role Based Access Control (RBAC): access is governed by the role a user assumes, not by the user's identity. Our topic today.

  5. Unix (figure: the layers below all interact with the security policy)
     - Kernel: I/O, load/run programs, filesystem, device drivers
     - Standard utility programs: /bin/ls, /bin/cp, /bin/sh
     - System database files, e.g. /etc/passwd and /etc/group. Let's study these first in the next slides.

  6. Users and passwords
     - Each user has a unique account identified by a username, and each account has a secret password. Standard: 1-8 characters, but this varies by system.
     - Two users could choose the same password; that is a bad choice, not something the system prevents.
     - /etc/passwd contains the username, identification information (real name) and basic account information. On modern systems the password hash itself is kept in /etc/shadow, readable only by root, while /etc/passwd stays world-readable.

  7. Users and groups
     - Each user is uniquely identified by a numeric UID. Special user names: root, bin, daemon, mail, guest, ftp. UID 0 is the superuser: privilege follows the number, not the name "root".
     - Every user belongs to one or more groups. The primary group is recorded in /etc/passwd; additional memberships are listed in /etc/group.
     - Each /etc/group line has four fields: group name, group password, GID, comma-separated list of users.
     - With 16-bit IDs there are 2^16 = 65,536 possible UIDs (and GIDs); modern systems use more bits (Linux uses 32-bit IDs).
     - Example /etc/group, which we will visualize in the next two slides:
       wheel:*:0:root,rachel
       http:*:10:http
       users:*:100:
       vision:*:101:keith,arlin,janice
       startrek:*:102:janice,karen,arlin
       rachel:*:181:

  8. Users and groups, visualized as a table

     Group name | Gpassword | GID | Users
     -----------|-----------|-----|------------------------------------------------
     wheel      | *         | 0   | root, rachel
     http       | *         | 10  | http
     users      | *         | 100 | (none listed; by default includes all users whose primary GID is 100)
     vision     | *         | 101 | keith, arlin, janice
     startrek   | *         | 102 | janice, karen, arlin
     rachel     | *         | 181 | (none listed)

  9. Users and groups, visualized as circles (figure: the same six groups drawn as overlapping sets of users; data as in the table on slide 8)
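The table above is what the `groups` and `id` commands compute from the two database files. The following is an added example, not code from the slides: it parses the six /etc/group lines from slide 7 together with a constructed /etc/passwd (the slides do not show one; the UIDs, home directories and shells are assumed) and answers the questions a practitioner asks of this data: which groups does a user belong to, who is effectively in a group once primary GIDs are counted, which accounts are root by UID rather than by name, and whether any ID exceeds the 16-bit space the slide mentions.

```python
"""Resolve Unix group membership from /etc/passwd and /etc/group records.

Added example, not from the slides. The group lines are the six shown on
slide 7; the passwd lines are constructed so that every user has a primary
group, because the primary GID lives in /etc/passwd, not in /etc/group.
"""

GROUP_LINES = """\
wheel:*:0:root,rachel
http:*:10:http
users:*:100:
vision:*:101:keith,arlin,janice
startrek:*:102:janice,karen,arlin
rachel:*:181:
"""

# constructed: name:password:UID:GID:GECOS:home:shell (hashes live in /etc/shadow)
PASSWD_LINES = """\
root:x:0:0:root:/root:/bin/sh
rachel:x:181:181:Rachel:/home/rachel:/bin/sh
keith:x:1001:100:Keith:/home/keith:/bin/sh
arlin:x:1002:100:Arlin:/home/arlin:/bin/sh
janice:x:1003:100:Janice:/home/janice:/bin/sh
karen:x:1004:100:Karen:/home/karen:/bin/sh
http:x:10:10:http daemon:/srv/http:/sbin/nologin
"""


def parse_group(text):
    """name:password:GID:member,member -> {name: (gid, set_of_listed_members)}"""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":")
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_passwd(text):
    """name:password:UID:GID:... -> {name: (uid, primary_gid)}"""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, gid = line.split(":")[:4]
            users[name] = (int(uid), int(gid))
    return users


def groups_of(user, users, groups):
    """What `id -Gn` reports: the primary group first, then supplementary ones."""
    _uid, primary_gid = users[user]
    primary = [g for g, (gid, _) in groups.items() if gid == primary_gid]
    extra = sorted(g for g, (_, members) in groups.items()
                   if user in members and g not in primary)
    return primary + extra


def members_of(group, users, groups):
    """Everyone in the group: listed members plus users whose primary GID it is."""
    gid, members = groups[group]
    return members | {u for u, (_, pgid) in users.items() if pgid == gid}


def is_superuser(user, users):
    """Privilege follows the numeric UID: any account with UID 0 is root."""
    return users[user][0] == 0


def ids_out_of_range(users, groups, bits=16):
    """IDs that would not fit the slide's 16-bit ID space (0 .. 2**bits - 1)."""
    limit = 2 ** bits
    bad = [u for u, (uid, gid) in users.items() if uid >= limit or gid >= limit]
    return bad + [g for g, (gid, _) in groups.items() if gid >= limit]
```

Note that `users` has an empty member list in /etc/group yet has four members once primary GIDs are resolved, which is why membership audits that read only /etc/group miss people.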

  10. Unix file system
     - File systems store information in files, plus metadata about those files, in a tree structure.
     - A file is a block of information that is given a single name and can be acted upon with a single operation: "everything is a file".

  11. Directory and permissions
     - A Unix directory is a list of names: files, directories, and so on.
     - Permission letters and their meaning:
       r   read the file
       w   write the file
       x   execute the file
     - On a directory the same bits mean: r list the entries, w create or remove entries, x traverse (enter) the directory. We will see examples of these permissions in the next slides.

  12. Unix file security
     - Each file and directory has an owner and a group.
     - The owner sets read, write and execute permissions separately for three classes: owner, group, other.
     - Only the owner (or root) can change a file's permissions; this privilege cannot be delegated or shared. This is DAC as defined on slide 3: the owner decides.

  13. Unix file permissions. For example, we list the details of all files in a folder (ls -l); each line shows one file:

     drwx------ 2 jjoshi isfac  512 Aug 20  2003 risk management
     lrwxrwxrwx 1 jjoshi isfac   15 Apr  7 09:11 risk_m -> risk management
     -rw-r--r-- 1 jjoshi isfac 1754 Mar  8 18:11 words05.ps
     -r-sr-xr-x 1 root   bin   9176 Apr  6  2002 /usr/bin/rs
     -r-sr-sr-x 1 root   sys   2196 Apr  6  2002 /usr/bin/passwd

     Columns: permissions, link count, user name, group name, size, modification time, file name.

  14. Unix file permissions (continued). Reading the permission string: the first character is the type (- regular file, d directory, l symbolic link); the remaining nine characters are three r/w/x triples for owner, group and other.
     - If a triple contains r, the file can be read; if it contains w, the file can be modified; if it contains x, the file can be executed.
     - An s in the owner's execute position (as on /usr/bin/rs) is the setuid bit: the program runs with the file owner's UID, here root, whoever executes it. An s in the group's execute position (as on /usr/bin/passwd) is setgid. This is how an ordinary user can update the root-owned password database, and why setuid-root binaries deserve careful review.
     Source: https://wiki.archlinux.org/title/File_permissions_and_attributes#Viewing_permissions
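Two details of the listing above trip people up: the `s` in the execute column, and the fact that the kernel applies exactly one of the three triples (owner, group, other) and never falls through to a more permissive one. The following is an added example, not code from the slides: it parses the five `ls -l` lines shown on slide 13, decodes the mode string including setuid/setgid/sticky, evaluates the owner-or-group-or-other check for a given identity (the user and group names used in the checks are constructed), and lists the setuid-root programs, the ones an auditor looks at first.

```python
"""Decode `ls -l` permission strings and apply the owner/group/other check.

Added example, not from the slides. The listing below reproduces the five
lines shown on slide 13; the identities used in the access checks
(user name, group memberships) are constructed.
"""
import re
from collections import namedtuple

LISTING = """\
drwx------ 2 jjoshi isfac 512 Aug 20 2003 risk management
lrwxrwxrwx 1 jjoshi isfac 15 Apr 7 09:11 risk_m->risk management
-rw-r--r-- 1 jjoshi isfac 1754 Mar 8 18:11 words05.ps
-r-sr-xr-x 1 root bin 9176 Apr 6 2002 /usr/bin/rs
-r-sr-sr-x 1 root sys 2196 Apr 6 2002 /usr/bin/passwd
"""

Entry = namedtuple("Entry", "kind mode owner group name")
TYPES = {"-": "file", "d": "directory", "l": "symlink"}
# mode, links, owner, group, size, three date tokens, name (may contain spaces)
LINE_RE = re.compile(r"^(\S{10})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.+)$")


def parse_listing(text):
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ls -l line: {line!r}")
        mode, owner, group, name = m.groups()
        if mode[0] == "l":
            name = name.split("->")[0].strip()   # keep the link's own name
        entries.append(Entry(TYPES.get(mode[0], mode[0]), mode, owner, group, name))
    return entries


def parse_mode(mode):
    """'-r-sr-sr-x' -> ({'user': {'r','x'}, 'group': ..., 'other': ...}, flags)."""
    classes, flags = {}, set()
    for cls, chunk in zip(("user", "group", "other"), (mode[1:4], mode[4:7], mode[7:10])):
        r, w, x = chunk
        bits = {b for b, c in (("r", r), ("w", w)) if c == b}
        # setuid/setgid (s/S) and sticky (t/T) share the execute column;
        # lower case means the x bit is also set, upper case means it is not
        if x in "xst":
            bits.add("x")
        if x in "sS":
            flags.add("setuid" if cls == "user" else "setgid")
        if x in "tT":
            flags.add("sticky")
        classes[cls] = bits
    return classes, flags


def can_access(entry, want, user, groups):
    """Unix picks exactly one class: owner if you own it, else group, else other.

    A more permissive group or other triple never rescues a denied owner."""
    classes, _ = parse_mode(entry.mode)
    if user == "root":
        # root bypasses the r/w check; executing still needs some x bit set
        return want != "x" or any("x" in b for b in classes.values())
    if user == entry.owner:
        cls = "user"
    elif entry.group in groups:
        cls = "group"
    else:
        cls = "other"
    return want in classes[cls]


def setuid_root(entries):
    """Programs that run as root whoever executes them: the ones to audit first."""
    return [e.name for e in entries
            if e.owner == "root" and "setuid" in parse_mode(e.mode)[1]]
```

On a real host the equivalent audit is `find / -perm -4000 -user root`; the Python version is here so the class-selection rule can be exercised on the slide's own listing.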

  15. Role Based Access Control (RBAC). Access control in organizations is based on the roles that individual users take on as part of the organization: access depends on function, not identity. Example: Allison is the bookkeeper for the Math Department, so she has access to its financial records. If she leaves and Betty is hired as the new bookkeeper, Betty now has access to those records. The role of bookkeeper dictates access, not the identity of the individual. A role is a collection of permissions.

  16. RBAC (figure: two ways of assigning permissions)
     (a) Users u1 .. un assigned directly to permissions o1 .. om. Total number of assignments possible: n x m.
     (b) Users u1 .. un assigned to a role r, and the role assigned to permissions o1 .. om. Total number of assignments: n + m.

  17. RBAC (NIST standard). Core RBAC components: Users, Roles, Operations, Objects; a Permission is an (operation, object) pair. UA (user assignment) relates users to roles; PA (permission assignment) relates permissions to roles. Sessions: user_sessions is one-to-many (every session belongs to exactly one user), role_sessions is many-to-many (a session activates a subset of its user's roles). How many roles are possible in total? See Core RBAC in the Appendix.

  18. RBAC with role hierarchy. The same components as slide 17 (Users, Roles, Operations, Objects, Permissions, UA, PA, Sessions with user_sessions one-to-many and role_sessions many-to-many) plus RH, the role hierarchy relation on Roles.

  19. Role hierarchy, a simple example. Let's assume a user, Bob. He holds senior roles, so Bob acquires the permissions of all junior roles below them. Bob can assign these junior roles to his subordinates. For the formal definition, see RBAC with General Role Hierarchy in the Appendix.
     Source: https://www.ekransystem.com/en/blog/rbac-vs-abac

  20. Constrained RBAC. The hierarchical model of slide 18 with two kinds of constraint added: Static Separation of Duty, applied to UA and RH (which roles a user may be assigned), and Dynamic Separation of Duty, applied to Sessions (which roles may be active together).

  21. Static vs dynamic separation of duty. Assume we will purchase some items. There will be someone who purchases the items (Role 1) and someone who approves the purchases (Role 2). The same person, Bob, should not do both. See the Appendix for formal definitions.
     - Static SoD: Bob cannot be assigned both roles at all; the constraint is enforced when roles are assigned.
     - Dynamic SoD: Bob may be assigned both roles, but cannot activate both in the same session; the constraint is enforced when roles are activated.
     Source: https://security.stackexchange.com/questions/133512/separation-of-duties-using-rbac

  22. Advantages of RBAC
     - Efficient security management: administrative roles, role hierarchy.
     - Principle of least privilege: a role carries only the permissions its function needs, minimizing the damage a compromised or careless user can do.
     - Separation of Duty constraints to prevent fraud.
     - Grouping of objects and of users.

  23. RBAC's benefits (figure only; no text survives on this slide)

  24. Cost benefits. RBAC saves about 7.01 minutes per employee per year in administrative functions. At an average IT administrator salary of $59.27 per hour, that is 7.01/60 x $59.27, roughly $6.92 per employee per year: about $6,924 for 1,000 employees and $692,471 for 100,000. Lots of saving.

  25. Appendix

  26. Users and groups: some useful Linux commands
     - groups: list the groups a user belongs to
     - id: print the UID, primary GID and supplementary GIDs of a user
     - newgrp: start a shell with a different current (primary) group
     - su: switch to another user (root by default)

  27. Core RBAC (relations)
     - $Permissions = 2^{Operations \times Objects}$; $Op(p)$ is the set of operations associated with permission $p$, $Ob(p)$ the set of objects associated with $p$.
     - $UA \subseteq Users \times Roles$; $assigned\_users: Roles \to 2^{Users}$.
     - $PA \subseteq Permissions \times Roles$; $assigned\_permissions: Roles \to 2^{Permissions}$.
     - $user\_sessions: Users \to 2^{Sessions}$; $session\_user: Sessions \to Users$.
     - $session\_roles: Sessions \to 2^{Roles}$ with $session\_roles(s) \subseteq \{\, r \mid (session\_user(s), r) \in UA \,\}$: a session activates a subset of its user's assigned roles.
     - $avail\_session\_perms: Sessions \to 2^{Permissions}$: the permissions available in a session are those assigned to its active roles.

  28. RBAC with general role hierarchy
     - $RH \subseteq Roles \times Roles$ is a partial order called the inheritance relation, written $\geq$; $r_1 \geq r_2$ means $r_1$ is senior to $r_2$.
     - $authorized\_users: Roles \to 2^{Users}$, $authorized\_users(r) = \{\, u \mid r' \geq r \ \&\ (u, r') \in UA \,\}$
     - $authorized\_permissions: Roles \to 2^{Permissions}$, $authorized\_permissions(r) = \{\, p \mid r \geq r' \ \&\ (p, r') \in PA \,\}$
     - $(r_1 \geq r_2) \Rightarrow authorized\_users(r_1) \subseteq authorized\_users(r_2) \ \&\ authorized\_permissions(r_2) \subseteq authorized\_permissions(r_1)$
     What do these mean? Every user of a senior role is also authorized for each junior role, and a senior role is authorized for every permission of its junior roles; membership flows down the hierarchy, permissions flow up.

  29. Role hierarchy example (figure: a hierarchy with Employee at the bottom, Engineer and Administrator above it, Senior Engineer and Senior Administrator above those, and Manager at the top; users e1 .. e10 and permissions p1, p2, pa, pb, pm, pn, po, pp, px, py are attached to the roles in the diagram).
     Questions: authorized_users(Employee)? authorized_users(Administrator)? authorized_permissions(Employee)? authorized_permissions(Administrator)?

  30. Static separation of duty. $SSD \subseteq 2^{Roles} \times \mathbb{N}$, a collection of pairs $(RS, n)$ where $RS$ is a role set and $n \geq 2$.
     - In the absence of a hierarchy: $\forall (RS, n) \in SSD,\ \forall t \subseteq RS:\ |t| \geq n \Rightarrow \bigcap_{r \in t} assigned\_users(r) = \emptyset$. Describe: no user is assigned to $n$ or more of the roles in $RS$.
     - In the presence of a hierarchy: $\forall (RS, n) \in SSD,\ \forall t \subseteq RS:\ |t| \geq n \Rightarrow \bigcap_{r \in t} authorized\_users(r) = \emptyset$. Describe: no user is authorized, directly or through a senior role, for $n$ or more of the roles in $RS$.

  31. Dynamic separation of duty. $DSD \subseteq 2^{Roles} \times \mathbb{N}$, a collection of pairs $(RS, n)$ where $RS$ is a role set and $n \geq 2$: a user cannot activate $n$ or more roles from $RS$ in a single session.
     What is the difference between SSD and DSD containing the same pair $(RS, n)$? Consider $(RS, n) = (\{r_1, r_2, r_3\}, 2)$. If it is in SSD, can $r_1$, $r_2$ and $r_3$ be assigned to $u$? No: $u$ may be assigned at most one of them. If it is in DSD, can $r_1$, $r_2$ and $r_3$ be assigned to $u$? Yes: all three may be assigned, but $u$ can activate only one of them in any one session.
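The relations on slides 27, 28, 30 and 31 are small enough to implement directly, and doing so makes the SSD/DSD distinction from slide 21 concrete: one check runs at assignment time, the other at activation time. The following is an added example, not code from the slides or from the NIST standard: an in-memory RBAC model with UA, PA, a role hierarchy RH kept acyclic, the derived authorized_users / authorized_permissions functions, sessions, and both separation-of-duty checks. The user, role and permission names in build_policy (manager, engineer, employee, purchaser, approver, clerk, auditor and the users bob, alice, carol) are constructed to mirror slides 19 and 21.

```python
"""Core RBAC with role hierarchy and SSD/DSD constraints.

Added example, not from the slides: an in-memory model of the NIST relations
UA, PA, RH and session_roles; SSD is checked at user assignment, DSD at role
activation. All user, role and permission names here are constructed.
"""


class RBACError(Exception): pass


class RBAC:
    def __init__(self):
        self.UA = set()      # user assignment: (user, role)
        self.PA = set()      # permission assignment: ((op, obj), role)
        self.RH = set()      # inheritance edges (senior, junior): senior >= junior
        self.SSD = []        # [(frozenset(roles), n)]: no user authorized for n of them
        self.DSD = []        # [(frozenset(roles), n)]: no session activates n of them
        self.sessions = {}   # session id -> (user, set of active roles)

    def _closure(self, role, step):  # reflexive transitive closure along `step`
        seen, stack = {role}, [role]
        while stack:
            for nxt in step(stack.pop()):
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        return seen

    def juniors_of(self, role):  # {r' | role >= r'}
        return self._closure(role, lambda r: [j for s, j in self.RH if s == r])

    def seniors_of(self, role):  # {r' | r' >= role}
        return self._closure(role, lambda r: [s for s, j in self.RH if j == r])

    def add_inheritance(self, senior, junior):
        if senior in self.juniors_of(junior):  # RH must stay a partial order
            raise RBACError(f"{senior} >= {junior} would create a cycle")
        self.RH.add((senior, junior))

    def authorized_users(self, role):  # {u | r' >= role and (u, r') in UA}
        return {u for u, r in self.UA if r in self.seniors_of(role)}

    def authorized_permissions(self, role):  # {p | role >= r' and (p, r') in PA}
        return {p for p, r in self.PA if r in self.juniors_of(role)}

    def _check_ssd(self, user):
        for rs, n in self.SSD:
            held = {r for r in rs if user in self.authorized_users(r)}
            if len(held) >= n:
                raise RBACError(f"SSD: {user} would hold {sorted(held)}")

    def add_ssd(self, roles, n):
        self.SSD.append((frozenset(roles), n))
        try:
            for user in {u for u, _ in self.UA}:  # existing assignments must comply
                self._check_ssd(user)
        except RBACError:
            self.SSD.pop()
            raise

    def assign_user(self, user, role):
        self.UA.add((user, role))
        try:
            self._check_ssd(user)
        except RBACError:
            self.UA.remove((user, role))  # roll back the offending assignment
            raise

    def create_session(self, sid, user):
        self.sessions[sid] = (user, set())

    def activate_role(self, sid, role):
        user, active = self.sessions[sid]
        if user not in self.authorized_users(role):
            raise RBACError(f"{user} is not authorized for {role}")
        trial = active | {role}
        for rs, n in self.DSD:
            if len(trial & rs) >= n:
                raise RBACError(f"DSD: {sorted(trial & rs)} cannot be active together")
        active.add(role)

    def avail_session_perms(self, sid):
        _, active = self.sessions[sid]
        return set().union(*(self.authorized_permissions(r) for r in active))

    def check_access(self, sid, op, obj):
        return (op, obj) in self.avail_session_perms(sid)


def build_policy():
    rbac = RBAC()
    rbac.add_inheritance("manager", "engineer")
    rbac.add_inheritance("engineer", "employee")
    rbac.PA.add((("read", "handbook"), "employee"))
    rbac.PA.add((("approve", "purchase"), "approver"))
    rbac.assign_user("bob", "manager")
    rbac.add_ssd({"purchaser", "approver"}, 2)             # static: never both assigned
    rbac.DSD.append((frozenset({"clerk", "auditor"}), 2))  # dynamic: never both active
    for user, role in [("alice", "purchaser"), ("carol", "clerk"), ("carol", "auditor")]:
        rbac.assign_user(user, role)
    return rbac
```

With this policy, assigning alice the approver role raises an SSD error and is rolled back, while carol holds both clerk and auditor yet can activate only one of them per session; bob, through manager, reads the handbook that only employee was granted, which is the authorized_permissions inheritance of slide 28 at work.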
