Engineering re-definition of roles can be difficult

Lock Mechanisms
RBAC will deal with all the objects listed in the permissions assigned to roles.

User Assignment
USERS set: a user can be assigned to one or more roles
ROLES set: a role can be assigned to one or more users
(Diagram: users mapped to the roles Developer and Help Desk Rep)

Permissions Assignment
PRMS set: a prms can be assigned to one or more roles
ROLES set: a role can be assigned to one or more prms
(Diagram: the prms Create, Delete, Drop, View, Update, Append mapped to the roles Admin.DB1 and User.DB1)

Permission Assignments
Mapping of permissions to objects
PRMS set: gives the set of objects associated with the prms
(Diagram: the prms Open, Close, View, Update, Append, Create, Drop mapped to the objects BLD1.door2, SQL and DB1.table1)

SESSIONS
Session: activation of a subset of roles assigned to a user.
(Diagram: USER SESSION (admin user, SQL) and SESSION ROLES (Admin, User, Guest) for DB1.table1.session)

Hierarchical RBAC
•  The set of roles is partially ordered
•  Models hierarchical structure of enterprise
•  Aggregates permissions and implicitly assigns users to roles
   –  Further simplifies administration
   –  The Manager role inherits the permissions of the Administrator and Clerk roles
   –  A user assigned to the Manager role can activate the Administrator or Clerk role
(Diagram: Manager above Administrator and Clerk)

Hierarchical RBAC
•  Similar to RBAC1
•  r1 is a descendant of r2 if:
   –  r1 includes all permissions from r2
   –  All users assigned to r1 are also assigned to r2
•  General role hierarchies
   –  Arbitrary partial order, multiple inheritance
   •  Means a role may inherit from multiple roles, and more than one 'descendant' from a given role
•  Limited role hierarchies
   –  Tree structure, single descendant allowed
•  Administrative functions: add/delete immediate inheritance relationship, create new role and add it as ascendant or descendant
•  Review functions: enable admin. to view users/permissions directly or by inheritance.

Example: Hierarchy at a Bank

Static Separation of Duty (SSD)
•  Prevents conflict of interest
•  Cardinality constraint on a set of roles
   –  SSD := (role set, n) where no user is assigned to n or more roles from the role...
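The RBAC elements above (USERS, ROLES, PRMS, SESSIONS, the partially ordered role hierarchy and the SSD cardinality constraint) as an added Python example; it is not code from the original slides, and the role names, prms and the cycle check in add_inheritance are assumptions chosen for illustration.

```python
class RBAC:
    def __init__(self):
        self.perms = {}       # role -> directly assigned prms, each an (operation, object) pair
        self.ascendants = {}  # role -> roles it inherits from (descendant -> ascendants)
        self.users = {}       # user -> roles assigned directly
        self.ssd = []         # (frozenset of roles, n) cardinality constraints
        self.sessions = {}    # session id -> (user, activated roles)

    def add_role(self, role, *prms):
        self.perms.setdefault(role, set()).update(prms)
        self.ascendants.setdefault(role, set())

    def ancestors(self, role):
        """Every role `role` inherits from, transitively (multiple inheritance allowed)."""
        seen, stack = set(), [role]
        while stack:
            new = self.ascendants[stack.pop()] - seen
            seen |= new
            stack += new
        return seen

    def add_inheritance(self, descendant, ascendant):
        """Administrative function: add an immediate inheritance edge without breaking the partial order."""
        if descendant == ascendant or descendant in self.ancestors(ascendant):
            raise ValueError(f"{descendant} -> {ascendant} would create a cycle")
        self.ascendants[descendant].add(ascendant)

    def effective_perms(self, role):
        """Review function: prms held directly plus those inherited through the hierarchy."""
        return set().union(self.perms[role], *(self.perms[a] for a in self.ancestors(role)))

    def add_ssd(self, role_set, n):
        self.ssd.append((frozenset(role_set), n))

    def assign_user(self, user, role):
        """SSD := (role set, n): reject an assignment that gives a user n or more roles from the set."""
        proposed = self.users.get(user, set()) | {role}
        for role_set, n in self.ssd:  # counts direct assignments only, as on the slide
            if len(proposed & role_set) >= n:
                raise PermissionError(f"SSD violation: {user} would hold {n} roles from {sorted(role_set)}")
        self.users[user] = proposed

    def open_session(self, sid, user, active):
        """A session activates a subset of the roles the user holds directly or by inheritance."""
        allowed = set().union(*({r} | self.ancestors(r) for r in self.users.get(user, ())))
        if not set(active) <= allowed:
            raise PermissionError(f"{user} cannot activate {set(active) - allowed}")
        self.sessions[sid] = (user, set(active))

    def check(self, sid, prm):
        """Access is granted when any activated role in the session carries the prm."""
        _, active = self.sessions[sid]
        return any(prm in self.effective_perms(r) for r in active)
```

A user assigned Manager can activate only Clerk in one session and gets just the Clerk prms there, while an SSD of ({Clerk, Auditor}, 2) blocks any user from being assigned both roles.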