Computer Security: Principles and Practice, 1/e

Lecture 7
Access Control
modified from slides of Lawrie Brown
Access Control
• ITU-T Recommendation X.800 definition:
– “The prevention of unauthorized use of a resource,
including the prevention of use of a resource in an
unauthorized manner.”
• RFC 2828 defines computer security as:
– “Measures that implement and assure security
services in a computer system, particularly those
that assure access control service”.
Access Control Principles
• Authorization: granting of a right or permission to an entity to access a system resource.
• Authentication: verification that the credentials of a user or an entity are valid.
• Audit: an independent review and examination of system records and activities.
Access Control Policies
• dictates
– what types of access are permitted,
– under what circumstances,
– by whom.
• Discretionary access control (DAC): based on the identity of the requestor and on access rules
• Mandatory access control (MAC): based on comparing security labels with clearances
• Role-based access control (RBAC): based on the roles and their accesses
• Attribute-based access control (ABAC): based on attributes of the user, the resource to be accessed, and current environmental conditions
Access Control Requirements
• reliable input
• support for fine and coarse specifications
• least privilege
• separation of duty
• open and closed policies
• policy combinations and conflict resolution
• administrative policies
• dual control
Access Control Basic Elements
• subject: an entity capable of accessing objects
– the concept equates with that of a process
– typically held accountable for the actions it initiates
– often has three classes: owner, group, world
• object: a resource to which access is controlled
– an entity used to contain and/or receive information
– its protection depends on the environment in which access control operates
• access right: the way in which a subject may access an object
– e.g. read, write, execute, delete, create, search
Discretionary Access Control
• scheme in which an entity may enable
another entity to access some resource
– often provided using an access matrix
• one dimension consists of identified subjects that may
attempt data access to the resources
• the other dimension lists the objects that may be
accessed
– each entry in the matrix indicates the access rights
of a particular subject for a particular object
Access Matrix (figure)
Example of Access Control Structures (figure, including an Authorization Table)
Extended Access Control Matrix (figure)
Access Control Function (figure)
Access Control System Commands (figure)
Protection Domains
• set of objects together with access rights to
those objects
• more flexibility when associating capabilities
with protection domains
• in terms of the access matrix, a row defines a
protection domain
• user can spawn processes with a subset of the
access rights of the user
Protection Domains
• association between a process and a domain
can be static or dynamic
• in user mode certain areas of memory are
protected from use and certain instructions
may not be executed
• in kernel mode privileged instructions may be
executed and protected areas of memory may
be accessed
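As an added example (not code from the lecture or from the textbook), the following Python class implements the access matrix described above as a sparse structure and shows the two views used in practice: the column view is an object's access control list, the row view is a subject's capability list, i.e. its protection domain. The discretionary "an entity may enable another entity to access some resource" is modelled by an assumed `owner` right that a grantor must hold for the object (the lecture only names the extended access control matrix, which records such control rights; the exact right name is this example's choice), and `spawn` creates a child process whose domain is a subset of the parent's rights. The subjects, objects and rights are constructed sample data.

```python
from collections import defaultdict


class AccessMatrix:
    """Sparse access matrix for discretionary access control.

    Rows are subjects, columns are objects, and each cell holds the set of
    access rights the subject has for the object. The column view gives an
    access control list, the row view a capability list.
    """

    def __init__(self):
        self._cells = defaultdict(set)  # (subject, object) -> set of rights

    def set_rights(self, subject, obj, rights):
        self._cells[(subject, obj)] = set(rights)

    def rights(self, subject, obj):
        # .get() does not create an entry for absent cells
        return self._cells.get((subject, obj), set())

    def check(self, subject, obj, right):
        """Access control function: is the right present in the cell?"""
        return right in self.rights(subject, obj)

    def acl(self, obj):
        """Column view: the access control list of one object."""
        return {s: set(r) for (s, o), r in self._cells.items() if o == obj and r}

    def capabilities(self, subject):
        """Row view: the capability list of one subject (its protection domain)."""
        return {o: set(r) for (s, o), r in self._cells.items() if s == subject and r}

    def grant(self, grantor, grantee, obj, right):
        """Discretionary grant. Assumption of this example: only a subject holding
        an 'owner' right for the object may give another subject a right to it."""
        if not self.check(grantor, obj, "owner"):
            raise PermissionError(f"{grantor} does not own {obj}")
        self._cells[(grantee, obj)].add(right)

    def revoke(self, revoker, subject, obj, right):
        """Same ownership rule applies when taking a right away."""
        if not self.check(revoker, obj, "owner"):
            raise PermissionError(f"{revoker} does not own {obj}")
        self._cells[(subject, obj)].discard(right)

    def spawn(self, parent, child, wanted):
        """Create a child subject (a process) whose protection domain is a
        subset of the parent's rights; rights the parent lacks are dropped."""
        for obj, rights in self.capabilities(parent).items():
            subset = rights & wanted.get(obj, set())
            if subset:
                self._cells[(child, obj)] = subset


def build_example():
    """Constructed sample matrix (not from the lecture): alice owns two files."""
    m = AccessMatrix()
    m.set_rights("alice", "file1", {"owner", "read", "write"})
    m.set_rights("alice", "file2", {"owner", "read", "write", "execute"})
    m.set_rights("bob", "file2", {"read"})
    return m


if __name__ == "__main__":
    m = build_example()
    m.grant("alice", "bob", "file1", "read")            # alice shares file1 with bob
    m.spawn("alice", "alice:editor", {"file1": {"read"}})  # a process with a smaller domain
    print("ACL of file1:", m.acl("file1"))
    print("domain of alice:editor:", m.capabilities("alice:editor"))
```

Note that `acl()` and `capabilities()` are derived from the same cells, so the two structures can never disagree; real systems that store ACLs on objects and capabilities with subjects have to keep them consistent explicitly, which is why most operating systems pick one of the two views.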
UNIX File Access Control
UNIX files are administered using inodes (index nodes)
• control structures with the key information needed for a particular file
• several file names may be associated with a single inode
• an active inode is associated with exactly one file
• file attributes, permissions and control information are stored in the inode
• on the disk there is an inode table, or inode list, that contains the inodes of all the files in the file system
• when a file is opened its inode is brought into main memory and stored in a memory-resident inode table
directories are structured in a hierarchical tree
• may contain files and/or other directories
• contain file names plus pointers to associated inodes
UNIX File Access Control
• each user has a unique user identification number (user ID)
• each user is a member of a primary group identified by a group ID
– each file belongs to a specific owner and a specific group
– 12 protection bits
• 9 bits specify read, write, and execute permission for the owner of the file, members of the group, and all other users; the remaining 3 are the set-user-ID, set-group-ID and sticky bits
– owner ID, group ID, and protection bits are part of the file’s inode
Traditional UNIX File Access Control
• “set user ID”(SetUID)
• “set group ID”(SetGID)
– system temporarily uses rights of the file owner /
group in addition to the real user’s rights when
making access control decisions
– enables privileged programs to access files /
resources not generally accessible
Traditional UNIX File Access Control
• sticky bit
– when applied to a directory it specifies that only the owner of a file in that directory (or the directory’s owner, or the superuser) can rename, move, or delete that file, even when the directory itself is world-writable, as /tmp is
• superuser
– is exempt from usual access control restrictions
– has system-wide access
Access Control Lists (ACLs) in UNIX
• modern UNIX systems support ACLs
– FreeBSD, OpenBSD, Linux, Solaris
• FreeBSD
– setfacl assigns a list of UNIX user IDs and groups to a file
– any number of users and groups can be associated with a file
– each entry carries read, write, execute protection bits
– a file does not need to have an ACL (the owner / group / other bits alone form a minimal ACL)
– includes an additional protection bit that indicates whether the file has an extended ACL
Access Control Lists (ACLs) in UNIX
• when a process requests access to a file
system object two steps are performed:
– step 1: selects the most appropriate ACL entry for the requesting process
• checked in this order: owner, named users, owning / named groups, others
– step 2: checks whether the matching entry contains sufficient permissions
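The two-step check above, written out in Python as an added example (not code from the lecture or from any UNIX implementation), for both the minimal ACL made of the classic mode bits and an extended ACL. It includes one detail the slides leave out that matters in practice: on an extended ACL the mask entry caps named users, the owning group and named groups, but not the owner or "other", and because step 1 selects exactly one class, a file with mode 0077 locks its own owner out even though everyone else can read it. User and group IDs and the sample ACLs are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

R, W, X = 4, 2, 1  # permission bits, as in the mode word


@dataclass
class PosixAcl:
    """The access ACL of one file. With no named entries and no mask this is the
    minimal ACL, i.e. nothing more than the owner/group/other mode bits."""
    owner_uid: int
    group_gid: int
    user_obj: int                               # owner permissions
    group_obj: int                              # owning-group permissions
    other: int                                  # everyone else
    users: dict = field(default_factory=dict)   # named users: uid -> perms
    groups: dict = field(default_factory=dict)  # named groups: gid -> perms
    mask: Optional[int] = None                  # present only on an extended ACL

    @classmethod
    def from_mode(cls, owner_uid, group_gid, mode):
        """Minimal ACL from the 9 low mode bits (setuid/setgid/sticky ignored)."""
        return cls(owner_uid, group_gid, (mode >> 6) & 7, (mode >> 3) & 7, mode & 7)


def check_access(acl, uid, gids, requested):
    """POSIX.1e-style check for a process with effective uid `uid` and group
    set `gids`; True only if every requested bit is granted."""
    gids = set(gids)

    def grants(perms):
        return perms & requested == requested

    def masked(perms):
        # named users, the owning group and named groups are limited by the mask
        return perms if acl.mask is None else perms & acl.mask

    # step 1: select the single most appropriate entry, in this fixed order
    if uid == acl.owner_uid:
        return grants(acl.user_obj)            # owner: the mask does not apply
    if uid in acl.users:
        return grants(masked(acl.users[uid]))
    candidates = []
    if acl.group_gid in gids:
        candidates.append(acl.group_obj)
    candidates += [p for gid, p in acl.groups.items() if gid in gids]
    if candidates:
        # step 2: any matching group entry that grants the request is enough
        return any(grants(masked(p)) for p in candidates)
    return grants(acl.other)                   # others: the mask does not apply


def rwx(perms):
    """Render permission bits the way ls and getfacl do."""
    return "".join(c if perms & b else "-" for c, b in (("r", R), ("w", W), ("x", X)))


if __name__ == "__main__":
    # constructed ids: alice=1000 owns the file, group staff=100, bob=1001 is a named user
    acl = PosixAcl.from_mode(1000, 100, 0o640)
    acl.users[1001] = R | W | X
    acl.mask = R
    print("bob's effective rights:", rwx(acl.users[1001] & acl.mask))
    print("bob may write:", check_access(acl, 1001, {200}, W))
```

When reading `getfacl` output, the `#effective:` annotation on an entry is exactly the `masked()` value computed here; a `chmod` on a file with an extended ACL rewrites the mask rather than the group entry, which is the usual reason a named-user entry silently stops granting write access.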
Mandatory Access Control (MAC)
• Military security: requires a strict classification of subjects and objects in security levels
(figure: levels Top Secret, Secret, Confidential, Unclassified, ordered by dominance; information can flow only from a dominated level to a dominating one)
• A labeling mechanism is used
• Prevents any illegal flow of information through the enforcement of multilevel security
• Drawback of being too rigid
• Applicable only to very few environments
Adopted from: Role-Based Access Control by Prof. Ravi Sandhu
Compartments and Sensitivity Levels
• Information access is limited by the need-to-know
• Compartment: each piece of classified information may be associated with one or more projects called compartments
(figure: sensitivity levels Top Secret, Secret, Confidential, Restricted, Unclassified crossed with Compartment 1, Compartment 2, Compartment 3)
Classification & Clearance
• Classification: <rank; compartments>
– the class of a piece of information
• Clearance: an indication that a person is trusted to access information up to a certain level of sensitivity
– also written <rank; compartments>, the clearance of a subject
Dominance Relation
• For a subject s and an object o, o <= s if and only if
– rank(o) <= rank(s), and
– compartments(o) is a subset of compartments(s)
• We say that s dominates o (or o is dominated by s) if o <= s
• A subject can read an object if the subject dominates the object.
Example
• Information classified as <secret; {Sweden}>
• Which of the following subject clearances can
read the above information?
– <top secret; {Sweden}>
– <secret; {Sweden, crypto}>
– <top secret; {crypto}>
– <confidential; {Sweden}>
– <secret; {France}>
Role-Based Access Control (RBAC)
(figure: Users are assigned to Roles (Role 1, Role 2, Role 3), and roles are mapped to Resources through an Access Control Matrix)
Role-Based Access Control
(figure: Role Hierarchies; User-Role Assignment between USERS and ROLES; Permission-Role Assignment between ROLES and PERMISSIONS; Sessions; example roles Health-Care Provider, Physician, Primary-Care Physician, Specialist Physician, ...)
• Users are human beings or other active agents
• The business function the user performs is the role
• A user can be a member of many roles
• Each role can have many users as members
• A user can invoke multiple sessions
• In each session a user can activate any subset of the roles that the user is a member of
• A permission can be assigned to many roles
• Each role can have many permissions
– read, write, append, execute
Adopted from: Role-Based Access Control by Prof. Ravi Sandhu
Scope RBAC Models (figure)
Example of Role Hierarchy (figure)
Constraints - RBAC
• provide a means of adapting RBAC to the specifics of administrative and security policies of an organization
• a defined relationship among roles or a condition related to roles
• mutually exclusive roles
– a user can only be assigned to one role in the set (during a session or statically)
– any permission can be granted to only one role in the set
• cardinality
– setting a maximum number with respect to roles
• prerequisite roles
– dictates that a user can only be assigned to a particular role if it is already assigned to some other specified role
RBAC System
• administrative functions
– provide the capability to create, delete, and maintain RBAC elements and relations
• supporting system functions
– provide functions for session management and for making access control decisions
• review functions
– provide the capability to perform query operations on RBAC elements and relations
NIST RBAC Basic Definitions
• object
– any system resource subject to access control,
such as a file, printer, terminal, database record
• operation
– an executable image of a program, which upon
invocation executes some function for the user
• permission
– an approval to perform an operation on one or
more RBAC protected objects
NIST RBAC Model
Core RBAC
• administrative functions
– add and delete users from the set of users
– add and delete roles from the set of roles
– create and delete instances of user-to-role assignment
– create and delete instances of permission-to-role assignment
• supporting system functions
– create a user session with a default set of active roles
– add an active role to a session
– delete a role from a session
– check if the session subject has permission to perform a requested operation on an object
• review functions
– enable an administrator to view but not modify all the elements of the model and their relations
Hierarchical RBAC
• general role hierarchies
– allow an arbitrary partial ordering of the role hierarchy
– support multiple inheritance, in which a role may inherit permissions from multiple subordinate roles and more than one role can inherit from the same subordinate role
• limited role hierarchies
– impose restrictions resulting in a simpler tree structure
– a role may have one or more immediate ascendants but is restricted to a single immediate descendant
Static Separation of Duty
• enables the definition of a set of mutually exclusive
roles,
– if a user is assigned to one role in the set, the user may not be
assigned to any other role in the set
• can place a cardinality constraint on a set of roles
– defined as a pair (role set, n) where no user is assigned to n or
more roles from the role set
• includes administrative functions for creating and
deleting role sets and adding and deleting role members
• includes review functions for viewing the properties of
existing SSD sets
Dynamic Separation of Duty
• limits the permissions available to a user
– places constraints on the roles that can be activated within or across a user’s sessions
• defines constraints as a pair (role set, n) with the property that no user session may activate n or more roles from the role set
– where n is a natural number, n ≥ 2
• enables the administrator to specify certain capabilities for a user at different time spans
• includes administrative and review functions for defining and viewing DSD relations
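The Core, Hierarchical, SSD and DSD pieces of the NIST model above, put together in one small Python class as an added example (not code from the lecture, from NIST, or from any RBAC product). The administrative, supporting-system and review functions follow the three groups listed on the slides; a role hierarchy is a transitive closure over "inherits from" edges, an SSD rule is enforced when a user-to-role assignment is created and a DSD rule when a role is activated in a session, both as a pair (role set, n). The health-care roles, users and permissions used to exercise it are constructed.

```python
from collections import defaultdict


class Rbac:
    """Core + hierarchical RBAC with SSD and DSD constraints in the NIST style."""

    def __init__(self):
        self.perms = defaultdict(set)    # role -> {(operation, object)}
        self.juniors = defaultdict(set)  # role -> roles it directly inherits from
        self.ua = defaultdict(set)       # user -> assigned roles
        self.ssd = []                    # [(frozenset of roles, n)]
        self.dsd = []                    # [(frozenset of roles, n)]
        self.sessions = {}               # session id -> (user, active roles)

    # --- administrative functions -------------------------------------------
    def add_role(self, role, *inherits):
        self.perms.setdefault(role, set())
        self.juniors[role].update(inherits)

    def grant_permission(self, role, operation, obj):
        self.perms[role].add((operation, obj))

    def authorized_roles(self, *roles):
        """Transitive closure: the roles plus everything they inherit from."""
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors[r])
        return seen

    def add_ssd(self, roles, n):
        rule = (frozenset(roles), n)
        for user, assigned in self.ua.items():     # refuse a rule already violated
            self._check(self.authorized_roles(*assigned), [rule], user)
        self.ssd.append(rule)

    def add_dsd(self, roles, n):
        self.dsd.append((frozenset(roles), n))

    def assign_user(self, user, role):
        new = self.ua[user] | {role}
        self._check(self.authorized_roles(*new), self.ssd, user)   # SSD at assignment time
        self.ua[user] = new

    # --- supporting system functions ----------------------------------------
    def create_session(self, sid, user, active):
        active = set(active)
        if not active <= self.ua[user]:
            raise PermissionError(f"{user} is not assigned all of {sorted(active)}")
        self._check(self.authorized_roles(*active), self.dsd, sid)  # DSD at activation time
        self.sessions[sid] = (user, active)

    def add_active_role(self, sid, role):
        user, active = self.sessions[sid]
        self.create_session(sid, user, active | {role})   # leaves the session unchanged on failure

    def drop_active_role(self, sid, role):
        user, active = self.sessions[sid]
        self.sessions[sid] = (user, active - {role})

    def check_access(self, sid, operation, obj):
        """Only roles active in the session (and what they inherit) count."""
        user, active = self.sessions[sid]
        return any((operation, obj) in self.perms[r] for r in self.authorized_roles(*active))

    @staticmethod
    def _check(roles, rules, who):
        for role_set, n in rules:
            if len(roles & role_set) >= n:
                raise PermissionError(f"{who}: {n} or more of {sorted(role_set)} not allowed")

    # --- review function -----------------------------------------------------
    def user_permissions(self, user):
        return {p for r in self.authorized_roles(*self.ua[user]) for p in self.perms[r]}


if __name__ == "__main__":
    r = Rbac()
    r.add_role("Health-Care Provider")
    r.add_role("Physician", "Health-Care Provider")
    r.add_role("Primary-Care Physician", "Physician")
    r.grant_permission("Health-Care Provider", "read", "patient_list")
    r.grant_permission("Physician", "write", "prescription")
    r.assign_user("alice", "Primary-Care Physician")
    r.create_session("s1", "alice", {"Primary-Care Physician"})
    print("alice reads patient list:", r.check_access("s1", "read", "patient_list"))
```

Two points the tests below make explicit: a user assigned Physician and Auditor passes the SSD check yet cannot hold both roles in one session once a DSD pair forbids it, and because constraints are evaluated over the closure of the hierarchy, assigning a senior role trips an SSD rule written against its junior.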
Task Based Access Control
• Classical subject-object access control: a permission P is a triple S x O x A
• TBAC view of access control: a permission P is S x O x A x U x AS
– P – Permission, S – Subject, O – Object, A – Actions, U – Usage and Validity Counts, AS – Authorization step
• TBAC extensions
– Active security model
– Dynamic authorization gives flexibility
– No roles involved
– Constraints for this model are still under study
• Each time an authorization step consumes a permission, the usage count is incremented
• When the usage count reaches its limit, the associated permission is deactivated
Adopted from: Task based authorization controls by R.S. Sandhu and R.K. Thomas
Constraints
• Task constraints – Least Privilege: users are not given more permission than is necessary to perform their duties
• Achieved through task instances
(figure: task instance "Check Patient Josh" for user Alice, with its permissions and a status of Initiated, Active, Completed or Revoked)
• Access permissions start when the instance is initiated
• Access permissions end when the instance is completed or revoked
• Fine grained access control
Workflow
(figure: users Alice and Bob; tasks are either part of a workflow or non-workflow)
• Out Patient Workflow: Start → Do Physical Exam (T1) → Check Patient (T2) → Perform Lab Test (T3) → View Lab Results (T4) → Write Prescription (T5) → Refer another specialist (T6) → End
• Non-Workflow: View Current Patient List
Passive and Active Access Control
(figure: a Physician holds passive access rights such as Read on File 1 and Write on File 2, and active access through tasks: the non-workflow task View Current Patient List and the workflow Start → Do Physical Exam (T1) → Check Patient (T2) → Perform Lab Test (T3) → View Lab Results (T4) → Write Prescription (T5) → Refer another specialist (T6) → End)
Spatial and Temporal Constraints
• Should a task be accessible from anywhere and at any time?
– the user’s location and the time are taken into consideration when granting access to a task
(figure: Family Practice; Physician and Nurse tasks subject to a Location Constraint (Reno Office) and a Time Constraint (8 - 5))
Static and Dynamic Separation of Duty
• No single individual can execute all tasks within the workflow
(figure: workflow Start → Do Physical Exam (T1) → Check Patient (T2) → Perform Lab Test (T3) → View Lab Results (T4) → Write Prescription (T5) → End, with the tasks divided among a Nurse, a Physician and a Technician; Task Instance 1: Alice, Physician, Check Patient Josh)
• Protects against fraudulent activities of users
• Static SOD – defining the tasks in the workflow or non-workflow governs the administration-time or design-time associations between users and permissions.
• Dynamic SOD – permissions or task instances are granted at run-time.
Delegation of Tasks
• The initially assigned user is not available to complete the task
• A supervisor can delegate the task to another junior user in the same hierarchy
• Access rights are revoked once the task is completed
(figure: Senior Physician (Jan) supervises Physician (Alice) and Physician (Bob); the task instance "Check Patient Josh" is assigned to Alice; Jan can delegate the task to Bob, giving a task instance "Check Patient Josh" assigned to Bob)
Classification of Tasks
• Tasks are classified along two axes: passive vs. active access control, and non-inheritable vs. inheritable
– Passive access control, non-inheritable: class Private
– Passive access control, inheritable: class Supervision
– Active access control, non-inheritable: class Workflow
– Active access control, inheritable: class Approval
(figure: Family Practice; Senior Physician (Jan) and Physician (Alice); the non-workflow task View Current Patient List, Diagnosis Details, and the workflow Start → Do Physical Exam (T1) → Check Patient (T2) → Perform Lab Test (T3) → View Lab Results (T4) → Write Prescription (T5) → Refer another specialist (T6) → End, annotated with Class Private and Class Supervision)
(figure: Class Workflow and Class Approval; Senior Physician (Jan), Physician (Alice) and Physician (Bob) in the same hierarchy; the Check Patient workflow with the same tasks T1 to T6)
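The TBAC mechanics from the slides above (a permission with a usage count that an authorization step consumes, a task instance whose permissions live from initiation to completion or revocation, delegation by a supervisor within one hierarchy, and dynamic separation of duty over a workflow), as one added Python example; it is not code from the lecture or from the Sandhu and Thomas paper. The supervision hierarchy `HIERARCHY`, the task names and the patient record identifiers are constructed; the rule that a task instance becomes Active on its first use is this example's reading of the status diagram.

```python
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    INITIATED = "initiated"
    ACTIVE = "active"
    COMPLETED = "completed"
    REVOKED = "revoked"


@dataclass
class Permission:
    """TBAC permission: action x object x usage count, held by one authorization step."""
    action: str
    obj: str
    usage_limit: int        # U: how many times the step may consume this permission
    used: int = 0

    @property
    def active(self):
        return self.used < self.usage_limit

    def consume(self):
        if not self.active:      # limit reached: the permission is deactivated
            return False
        self.used += 1
        return True


@dataclass
class TaskInstance:
    """One authorization step: a task instance bound to a user, e.g. 'Check Patient Josh'."""
    task: str
    user: str
    perms: list
    status: Status = Status.INITIATED

    def exercise(self, user, action, obj):
        """Permissions are usable from initiation until completion or revocation."""
        if user != self.user or self.status in (Status.COMPLETED, Status.REVOKED):
            return False
        self.status = Status.ACTIVE
        for p in self.perms:
            if (p.action, p.obj) == (action, obj):
                return p.consume()
        return False

    def complete(self):
        self.status = Status.COMPLETED

    def revoke(self):
        self.status = Status.REVOKED


# constructed supervision hierarchy (assumption): supervisor -> juniors
HIERARCHY = {"Jan": {"Alice", "Bob"}}


def delegate(inst, supervisor, new_user):
    """A supervisor may hand an unfinished instance to another junior of the same hierarchy."""
    juniors = HIERARCHY.get(supervisor, set())
    if inst.user not in juniors or new_user not in juniors:
        return False
    if inst.status in (Status.COMPLETED, Status.REVOKED):
        return False
    inst.user = new_user
    return True


class Workflow:
    """Tasks with dynamic separation of duty: no single user may execute all of them."""

    def __init__(self, tasks):
        self.tasks = list(tasks)
        self.done = {}            # task -> user who completed it

    def start(self, task, user, perms):
        if task not in self.tasks or task in self.done:
            raise ValueError(f"{task} is not an open task of this workflow")
        others = [t for t in self.tasks if t != task]
        if others and all(self.done.get(t) == user for t in others):
            raise PermissionError(f"{user} would execute every task in the workflow")
        return TaskInstance(task, user, list(perms))

    def finish(self, inst):
        inst.complete()           # rights end with the instance
        self.done[inst.task] = inst.user


if __name__ == "__main__":
    wf = Workflow(["T1", "T2", "T3"])
    inst = wf.start("T2", "Alice", [Permission("read", "record:Josh", 2)])
    print([inst.exercise("Alice", "read", "record:Josh") for _ in range(3)])  # third use is refused
    wf.finish(inst)
    print(inst.status, inst.exercise("Alice", "read", "record:Josh"))
```

The usage count is what distinguishes this from RBAC: the same user with the same role gets a bounded, per-instance grant rather than an open-ended permission, and the grant disappears with the instance instead of having to be revoked by an administrator.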
Attribute Based Access Control
• Subject attributes
– A subject is an active entity that causes information to flow among objects or changes the system state
– Attributes define the identity and characteristics of the subject
• Object attributes
– An object (or resource) is a passive information-system-related entity containing or receiving information
– Objects have attributes that can be leveraged to make access control decisions
• Environment attributes
– Describe the operational, technical, and even situational environment or context in which the information access occurs
– These attributes have so far been largely ignored in most access control policies
ABAC
• Distinguishable because it controls access to objects by evaluating rules against the attributes of entities, operations, and the environment relevant to a request
• Relies upon the evaluation of attributes of the subject, attributes of the object, and a formal relationship or access control rule defining the allowable operations for subject-object attribute combinations in a given environment
• Systems are capable of enforcing DAC, RBAC, and MAC concepts
• Allows an unlimited number of attributes to be combined to satisfy any access control rule
ABAC Scenario
(figure: (1) a Subject requests access to an Object; the Access Control Mechanism evaluates (2a) the Rules of the Access Control Policy, (2b) the Subject Attributes (Name, Clearance, Affiliation, etc.), (2c) the Object Attributes (Type, Owner, Classification, etc.) and (2d) the Environmental Conditions, reaches a Decision and (3) enforces it on the Object)
ACL Trust Chain (NIST)
(figure (a), ACL Trust Chain, elements: Proper Credential Issuance; Identity Credential; Credential Validation; Strength of Credential Protection; Authentication of the Subject; Network Credential, Network Authentication and Network Access; Digital Identity Provisioning and Group Management feeding Access Provisioning; the Access Control List; Access Control Decision; Access Control Enforcement; Object Access Rule Enforcement; Physical Access to the Object)
ABAC Trust Chain (NIST)
(figure (b), ABAC Trust Chain: the same credential, authentication, network and access-provisioning elements as in (a), with the Access Control List replaced by Rules evaluated over Subject Attributes and Object Attributes; Subject Attributes come from Authoritative Subject Attribute Stores under a Common Subject Attribute Taxonomy, Object Attributes from Authoritative Object Attributes under a Common Object Attribute Taxonomy, both through Attribute Provisioning with Attribute Integrity)
ABAC Policies
• A policy is a set of rules and relationships that govern
allowable behavior within an organization,
– based on the privileges of subjects and how resources or
objects are to be protected under which environment
conditions
– Typically written from the perspective of the object that needs
protecting and the privileges available to subjects
• Privileges represent the authorized behavior of a
subject and are defined by an authority and embodied
in a policy
– rights, authorizations, and entitlements
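A minimal ABAC policy engine in Python, added here as an example (not code from the lecture or from NIST SP 800-162) of the scenario and the policy definition above: a request carries subject, object and environment attribute dictionaries, each rule is a predicate over those attributes with a permit or deny effect, and the engine combines applicable rules deny-overrides with default deny. The constructed policy deliberately contains one rule of each flavour the slides say ABAC can express: an owner rule (DAC-like), a clearance-versus-classification rule (MAC-like, using the earlier lattice ranks), an affiliation rule (RBAC-like) and two environment rules. The attribute names, the rules, and the users and objects are all assumptions of this example; the `time_of_day` attribute is an hour on a 24-hour clock.

```python
from dataclasses import dataclass, field
from typing import Callable, List

RANKS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass
class Request:
    subject: dict        # e.g. name, clearance, affiliation
    action: str          # e.g. read, write
    obj: dict            # e.g. type, owner, classification
    env: dict            # e.g. time_of_day (hour), network


@dataclass
class Rule:
    name: str
    effect: str                                  # "permit" or "deny"
    applies: Callable[[Request], bool]           # predicate over the request's attributes


@dataclass
class Policy:
    """Deny-overrides: an applicable deny wins, otherwise an applicable permit, else deny."""
    rules: List[Rule] = field(default_factory=list)

    def decide(self, req):
        matched = [r for r in self.rules if r.applies(req)]
        names = [r.name for r in matched]
        if any(r.effect == "deny" for r in matched):
            return "deny", names
        if any(r.effect == "permit" for r in matched):
            return "permit", names
        return "deny", names        # default deny: no rule applied


def clears(subject, obj):
    """Subject clearance dominates object classification (missing = unclassified)."""
    return (RANKS[subject.get("clearance", "unclassified")]
            >= RANKS[obj.get("classification", "unclassified")])


# constructed policy for this example, not from the lecture
POLICY = Policy([
    # DAC-like: the owner named in the object attributes may read and write it
    Rule("owner-rw", "permit",
         lambda q: q.action in ("read", "write") and q.obj.get("owner") == q.subject.get("name")),
    # MAC-like: documents may be read when clearance dominates classification
    Rule("clearance-read", "permit",
         lambda q: q.action == "read" and q.obj.get("type") == "document" and clears(q.subject, q.obj)),
    # RBAC-like: the affiliation attribute acts as a role for medical records
    Rule("physician-read-record", "permit",
         lambda q: q.action == "read" and q.obj.get("type") == "medical-record"
         and q.subject.get("affiliation") == "physician"),
    # environment: classified material only from the corporate network ...
    Rule("off-network-classified", "deny",
         lambda q: q.obj.get("classification", "unclassified") != "unclassified"
         and q.env.get("network") != "corp"),
    # ... and nothing at all outside 08:00-17:00
    Rule("outside-hours", "deny",
         lambda q: not 8 <= q.env.get("time_of_day", 0) < 17),
])


def check(policy, subject, action, obj, env):
    """Convenience wrapper returning only the decision string."""
    return policy.decide(Request(subject, action, obj, env))[0]


if __name__ == "__main__":
    alice = {"name": "alice", "clearance": "secret", "affiliation": "physician"}
    plan = {"type": "document", "owner": "bob", "classification": "secret"}
    print(POLICY.decide(Request(alice, "read", plan, {"network": "corp", "time_of_day": 10})))
    print(POLICY.decide(Request(alice, "read", plan, {"network": "home", "time_of_day": 10})))
```

The second call illustrates the combining step: `clearance-read` permits, `off-network-classified` denies, and deny overrides. Returning the matched rule names with the decision is the cheapest form of the review function: it tells an operator which rule produced an unexpected deny without re-running the policy by hand.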
Identity, Credential, and Access Management
• A comprehensive approach to manage and implement
digital identities, credentials, and access control
– Developed by the U.S. government
• Designed to:
– Create trusted digital identity representations of individuals
and nonperson entities (NPEs)
– Bind those identities to credentials that may serve as a proxy
for the individual or NPE in access transactions
• A credential is an object or data structure that authoritatively binds
an identity to a token possessed and controlled by a subscriber
– Use the credentials to provide authorized access to an
agency’s resources
(Figure 4.12 Identity, Credential, and Access Management (ICAM): Identity Management – Authoritative Attribute Sources, Background Investigation, On-boarding, Digital Identity Lifecycle Management, Provisioning/Deprovisioning; Credential Management – Sponsorship, Enrollment, Credential Production, Issuance, Credential Lifecycle Management; Access Management – Resource Management, Privilege Management, Policy Management, Physical Access, Logical Access; Identity Federation – External Agency, State or Local Government, Business Partner, Citizen)
Identity Management
• Concerned with assigning attributes to a digital identity and connecting that digital identity to an individual or NPE
– Goal is to establish a trustworthy digital identity that is independent of a specific application or context
• Most common approach to access control for applications and programs is to create a digital representation of an identity for the specific use of the application or program
– Maintenance and protection of the identity itself is treated as secondary to the mission associated with the application
– Final element is lifecycle management, which includes:
• Mechanisms, policies, and procedures for protecting personal identity information
• Controlling access to identity data
• Techniques for sharing authoritative identity data with applications that need it
• Revocation of an enterprise identity
Credential Management
• The management of the life cycle of the credential
– E.g. smart cards, private/public cryptographic keys, digital certificates
• Encompasses five logical components:
– An authorized individual sponsors an individual or entity for a credential to
establish the need for the credential
– The sponsored individual enrolls for the credential
• Process typically consists of identity proofing and the capture of biographic and
biometric data
• This step may also involve incorporating authoritative attribute data, maintained by
the identity management component
– A credential is produced
• Depending on the credential type, production may involve encryption, the use of a
digital signature, the production of a smart card or other functions
– The credential is issued to the individual or NPE
– A credential must be maintained over its life cycle
• Might include revocation, reissuance/replacement, reenrollment, expiration,
personal identification number (PIN) reset, suspension, or reinstatement
Access Management
• Deals with the management and control of the ways
entities are granted access to resources
• Covers both logical and physical access
• May be internal to a system or an external element
• Purpose is to ensure that the proper identity
verification is made when an individual attempts to
access a security sensitive building, computer
systems, or data
Support elements for an enterprise-wide access control
Resource management
• Concerned with defining rules for a resource that requires access control
• Rules would include credential requirements and what user attributes, resource
attributes, and environmental conditions are required for access of a given
resource for a given function
Privilege management
• Concerned with establishing and maintaining the entitlement or privilege
attributes that comprise an individual’s access profile
• These attributes represent features of an individual that can be used as the basis
for determining access decisions to both physical and logical resources
• Privileges are considered attributes that can be linked to a digital identity
Policy management
• Governs what is allowable and unallowable in an access transaction
Identity Federation
• Term used to describe the technology, standards,
policies, and processes that allow an organization to
trust digital identities, identity attributes, and
credentials created and issued by another organization
• Addresses two questions:
– How do you trust identities of individuals from external
organizations who need access to your systems
– How do you vouch for identities of individuals in your
organization when they need to collaborate with external
organizations
(Figure 4.13 Identity Information Exchange Approaches. (a) Traditional triangle of parties involved in an exchange of identity information: Identity Service Provider, Relying Party and Users, with a Terms of Service (TOS) agreement between the Users and each of the other two parties and a possible contract between the Identity Service Provider and the Relying Party. (b) Identity attribute exchange elements: Trust Framework Providers, Identity Service Providers, Attribute Providers, Attribute Exchange Network, Assessors & Auditors, Dispute Resolvers, Relying Parties, Users)
Open Identity Trust Framework
• OpenID: an open standard that allows users to be authenticated by certain cooperating sites using a third party service
• OIDF: the OpenID Foundation is an international nonprofit organization of individuals and companies committed to enabling, promoting, and protecting OpenID technologies
• ICF: the Information Card Foundation is a nonprofit community of companies and individuals working together to evolve the Information Card ecosystem
• OITF: the Open Identity Trust Framework is a standardized, open specification of a trust framework for identity and attribute exchange, developed jointly by OIDF and ICF
• OIX: the Open Identity Exchange Corporation is an independent, neutral, international provider of certification trust frameworks conforming to the OITF model
• AXN: the Attribute Exchange Network is an online Internet-scale gateway for identity service providers and relying parties to efficiently access user asserted, permissioned, and verified online identity attributes in high volumes at affordable costs
Summary
• access control
– prevent unauthorized users from gaining access to resources
– prevent legitimate users from accessing resources in an unauthorized manner
– enable legitimate users to access resources
– subjects, objects, access rights
– authentication, authorization, audit
• discretionary access control (DAC)
– controls access based on identity
• mandatory access control (MAC)
– controls access based on security labels
• role-based access control (RBAC)
– controls access based on roles
• task-based access control (TBAC)
– controls access based on the task at hand
• attribute-based access control (ABAC)
– controls access based on attributes