Business Process Driven Framework for defining an Access Control Service based on Roles and Rules by Ramaswamy Chandramouli Computer Security Division, ITL NIST, Gaithersburg, MD 20899 (chandramouli@nist.gov) Presented by Brett Ford (gtg309v@mail.gatech.edu) Some Info about me • Name: Brett Ford • Major: Computer Science (that’s a shocker) • Class: 4th year senior • Any other questions? Didn’t think so. • On to the paper… Paper Introduction • Business Process Driven (BPD-ACS) framework used as the model for formulating access decision rules. • BPD-ACS uses the Role Based Access Control (RBAC) model. • Access Decision Rules formulated based on temporal business associations. • Access control service defined for a multi-facility hospital application called Hospital-based Laboratory Information System (HLIS). About BPD-ACS • BPD-ACS defines service components through a top-down analysis of business processes of an application. Role Based Access Control (RBAC) chosen because: • – – • Administrative convenience through concept of roles Support for RBAC available on many platforms (DBMSs and OSs) Two main facets of user-operation interactions governed by an Access Control Model: 1. 2. Privileges – application level operations a designated user is entitled to perform based on his/her job or role. Access Decision Rules – Restrictions on privileges based on environmental/contextual variables (i.e. app state, time of access) Similar Work • Didriksen used a concept of fragments to define restrictions to accessing rows/columns in relational database tables. – Limitation: it can only be used for access control rules for data in relational database table. • Guiri and Iglio proposed role templates with parameterized privileges. – Limitation: parameters in a role template are the same as those in each of the privileges they contain. • The HP model used in HP Praesidium Authorization Server is more flexible by having rules defined independently of the roles. – The Access Decision Rule approach discussed in the paper builds on the HP model. Processing Steps in BPD-ACS 1. 2. 3. 4. 5. Identify business processes, as well as their supporting information objects and methods. Output: application operations Determine Access control requirements, driven by enterprise access control policies. Output: privileges and constraints Map the user-privilege associations using the RBAC model based on findings from Step 2. Formulate set of Access Decision Rules using constraints. This data is housed in a Temporal Business Association Database. Define Access Enforcement Mechanism based on the access service components from Step 3 and Step 4. Business Processes in HLIS (Step 1) • From analysis of commercial HLISs, business processes supported include: – Lab Order Entry, Lab Test Scheduling, Capture and Recording of Test Results, Quality Control checks on Test Results, Generation of Summary Reports, Retrieve/Access Test Results Mapping Security Policies to HLIS (Step 2) • Enterprise access control policy may be comprised of a combination of information categories. – Enterprise best practices, threat model driven requirements, government regulations Defining Access Control Model (Step 3) • Using the RBAC, there are 3 broad entities to consider: 1. 2. 3. Privileges – In the example of the Lab Order Entry business process there were a set of methods. If we decide user interactions with information objects will be through methods with no other lower level access, then methods themselves provide correct granularity for defining privileges. Roles – Generally used to group privileges together based on job functions or business processes. A business process may require several privileges in itself, and so a business process may be used to define a role in such a case. User – Entity generally used to group associated roles together with those categorized users of the application to which those roles pertain. In example, a User entity, say a Physician, may be associated with (a) examining patients (b) prescribing medicine (c) ordering clinical tests and analyzing the results Definition of Access Decision Rules (Step 4) • Access Decision Rules constrain the exercise of Privileges. – – – – Time/Day of Access Request (Time Constraints) History of previous accesses (Conflict of Interest Constraints) Trust Level of the User (Trust Constraints) Parameter Values Used in Access Request (Temporal Business Association Constraints) (Step 4) continued… Defining the Access Enforcement Mechanism (Step 5) • Logical sequence of steps involved in arriving at an access decision for a given access request. Furthermore… • The Access Control Model itself can/may have constraints, i.e., the RBAC model could have constraints associated with user-role assignments, user-role activation, and privilege-role assignments. • So, the overall concept is that these service component definitions should be based on a correct analysis of the business processes and their temporal business associations which are meant to be supported by the given application. • Questions?