A single model would either include or exclude too


… that mutually exclusive roles must be invoked to complete a sensitive task.
• Data abstraction: abstract permissions such as credit and debit for an account.
  – The degree to which data abstraction is supported will be determined by the implementation details.

Access Matrix Representation
(Users, Roles)
(Roles, Objects)
- Similar to DAC ACM
- Roles can be Objects

Role-Based Access Control
• RBAC is a rich and open-ended technology
  – Permits simple policies, as well as complex ones
• Treating RBAC as a single model is therefore unrealistic.
  – A single model would either include or exclude too much, and would only represent one point along a spectrum of technology and choices.
• Here we first look at two distinguishing features of RBAC models

RBAC Reference Models [SCFY96]
• RBAC0 – Minimum functionality
• RBAC1 – RBAC0 + Role hierarchies
• RBAC2 – RBAC0 + Constraints
• RBAC3 – RBAC0 + RBAC1 + RBAC2

RBAC0 – Base
• Users: individuals with access to the system
• Role: named job function within the org
• Permission: approval of a particular mode of access to objects
• Session: mapping between a user and a subset of roles

RBAC1 – Role Hierarchies
• Reflect hierarchical structure of roles in org
• Mathematically, partial order (reflexive, transitive, anti-symmetric)
Higher -> More rights; a line from lower to higher means inheritance of rights

Example of Role Hierarchy
Limiting the scope of inheritance: Role Hierarchy with private roles

RBAC2 – Constraints
• Reflect higher-level organizational policy
• Example constraint...
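As an added example (not code from the slides or from [SCFY96]), the RBAC0 components above combined with an RBAC1 hierarchy and one RBAC2 mutually-exclusive-roles constraint; the roles, the credit/debit style permissions and the user "alice" are constructed names.

```python
from collections import defaultdict

class RBAC:
    """Constructed RBAC0/RBAC1/RBAC2 model; not the slides' or [SCFY96]'s own code."""
    def __init__(self):
        self.user_roles = defaultdict(set)  # RBAC0 user assignment: user -> roles
        self.role_perms = defaultdict(set)  # RBAC0 permission assignment: role -> permissions
        self.juniors = defaultdict(set)     # RBAC1 hierarchy: senior role -> roles directly below
        self.exclusive = []                 # RBAC2 constraint: sets of mutually exclusive roles

    def closure(self, role):
        """Reflexive, transitive: `role` plus every role reachable downward in the hierarchy."""
        return {role}.union(*(self.closure(j) for j in self.juniors[role]))

    def inherits(self, senior, junior):
        """Line from lower (junior) to higher (senior): senior inherits junior's rights."""
        if senior in self.closure(junior):  # a cycle would violate anti-symmetry
            raise ValueError(f"{senior} > {junior} breaks the partial order")
        self.juniors[senior].add(junior)

    def grant(self, role, permission):
        self.role_perms[role].add(permission)

    def assign(self, user, role):
        """Static separation of duty: refuse a role that conflicts with one already held."""
        for group in self.exclusive:
            if role in group and self.user_roles[user] & (group - {role}):
                raise ValueError(f"{user} already holds a role mutually exclusive with {role}")
        self.user_roles[user].add(role)

    def session(self, user, active):
        """RBAC0 session: the user activates a subset of the roles assigned to them."""
        if not set(active) <= self.user_roles[user]:
            raise ValueError("a session may only activate roles assigned to the user")
        return set(active)

    def permitted(self, active_roles, permission):
        """Allowed if some active role, or a role it inherits from, holds the permission."""
        return any(permission in self.role_perms[j]
                   for r in active_roles for j in self.closure(r))

def demo():
    m = RBAC()
    m.grant("teller", "credit"); m.grant("teller", "debit")  # abstract account permissions
    m.grant("auditor", "read_ledger"); m.grant("manager", "approve_loan")
    m.inherits("manager", "teller")                          # manager inherits credit/debit
    m.exclusive.append({"teller", "auditor"})                # posting and auditing must not mix
    m.assign("alice", "manager")
    s = m.session("alice", {"manager"})                      # activate only the manager role
    return m.permitted(s, "debit"), m.permitted(s, "read_ledger")
```

`demo()` returns `(True, False)`: the manager session can debit through inheritance from teller, but never gains the auditor's ledger access.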