
Role-Based Access Control, Second Edition PDF

405 Pages·2007·2.18 MB·English
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Role-Based Access Control, Second Edition

Role-Based Access Control
Second Edition

For quite a long time, computer security was a rather narrow field of study that was populated mainly by theoretical computer scientists, electrical engineers, and applied mathematicians. With the proliferation of open systems in general, and of the Internet and the World Wide Web (WWW) in particular, this situation has changed fundamentally. Today, computer and network practitioners are equally interested in computer security, since they require technologies and solutions that can be used to secure applications related to electronic commerce. Against this background, the field of computer security has become very broad and includes many topics of interest. The aim of this series is to publish state-of-the-art, high standard technical books on topics related to computer security. Further information about the series can be found on the WWW at the following URL:

http://www.esecurity.ch/serieseditor.html

Also, if you’d like to contribute to the series by writing a book about a topic related to computer security, feel free to contact either the Commissioning Editor or the Series Editor at Artech House.

Recent Titles in the Artech House Information Security and Privacy Series
Rolf Oppliger, Series Editor

Privacy Protection and Computer Forensics, Second Edition, Michael A. Caloyannides
Demystifying the IPsec Puzzle, Sheila Frankel
Developing Secure Distributed Systems with CORBA, Ulrich Lang and Rudolf Schreiner
Implementing Electronic Card Payment Systems, Cristian Radu
Implementing Security for ATM Networks, Thomas Tarman and Edward Witzke
Information Hiding Techniques for Steganography and Digital Watermarking, Stefan Katzenbeisser and Fabien A. P. Petitcolas, editors
Internet and Intranet Security, Second Edition, Rolf Oppliger
Non-repudiation in Electronic Commerce, Jianying Zhou
Role-Based Access Control, Second Edition, David F. Ferraiolo, D. Richard Kuhn, and Ramaswamy Chandramouli
Secure Messaging with PGP and S/MIME, Rolf Oppliger
Security Fundamentals for E-Commerce, Vesna Hassler
Security Technologies for the World Wide Web, Second Edition, Rolf Oppliger
Software Verification and Validation for Practitioners and Managers, Second Edition, Steven R. Rakitin

Role-Based Access Control
Second Edition

David F. Ferraiolo
D. Richard Kuhn
Ramaswamy Chandramouli

artechhouse.com

Library of Congress Cataloging-in-Publication Data
A catalog record for this book is available from the U.S. Library of Congress.

British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library.

ISBN 13: 978-1-59693-113-8

Cover design by Yekaterina Ratner

© 2007 ARTECH HOUSE, INC.
685 Canton Street
Norwood, MA 02062

All rights reserved. Printed and bound in the United States of America. No part of this book may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from the publisher.

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Artech House cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

10 9 8 7 6 5 4 3 2 1

In memory of my late father, and to my wife, Hildegard, and my sons, Michael and Josef, for the time I spent at my computer instead of with them
–DFF

To my parents, Richard and Jane Kuhn, and my children, Gary, Christine, and Kevin, with love
–DRK

To my dear father, late mother, loving wife, Mira, and dear daughters, Dipika and Divya
–RC

Contents

Preface
Acknowledgments

1 Introduction
  1.1 The purpose and fundamentals of access control
    1.1.1 Authorization versus authentication
    1.1.2 Users, subjects, objects, operations, and permissions
    1.1.3 Least privilege
  1.2 A brief history of access control
    1.2.1 Access control in the mainframe era
    1.2.2 Department of Defense standards
    1.2.3 Clark-Wilson model
    1.2.4 Origins of RBAC
  1.3 Comparing RBAC to DAC and MAC
  1.4 RBAC and the enterprise
    1.4.1 Economics of RBAC
    1.4.2 Authorization management and resource provisioning
  References

2 Access Control: Properties, Policies, and Models
  2.1 Access control: objectives and enforcement artifacts
  2.2 Access control: core entities and principles
    2.2.1 Subjects and objects
    2.2.2 Principles of secure design
  2.3 Reference monitor and security kernel
    2.3.1 Completeness
    2.3.2 Isolation
    2.3.3 Verifiability
    2.3.4 The reference monitor—necessary, but not sufficient
  2.4 Access control matrix
  2.5 Access control data structures
    2.5.1 Capability lists and access control lists (ACLs)
    2.5.2 Protection bits
  2.6 Discretionary access control (DAC) policies
  2.7 MAC policies and models
    2.7.1 Bell-LaPadula model
  2.8 Biba’s integrity model
  2.9 The Clark-Wilson model
  2.10 The Chinese wall policy model
  2.11 The Brewer-Nash model
  2.12 Domain-type enforcement (DTE) model
  References

3 Core RBAC Features
  3.1 Roles versus ACL groups
  3.2 Core RBAC
    3.2.1 Administrative support
    3.2.2 Permissions
    3.2.3 Role activation
  3.3 Mapping the enterprise view to the system view
    3.3.1 Global users and roles and indirect role privileges
    3.3.2 Mapping permissions into privileges

4 Role Hierarchies
  4.1 Building role hierarchies from flat roles
  4.2 Inheritance schemes
    4.2.1 Direct privilege inheritance
    4.2.2 Permission and user membership inheritance
    4.2.3 User containment and indirect privilege inheritance
  4.3 Hierarchy structures and inheritance forms
    4.3.1 Connector roles
    4.3.2 Organization chart hierarchies
    4.3.3 Geographical regions
  4.4 Accounting for role types
  4.5 General and limited role hierarchies
  4.6 Accounting for the Stanford model
  References

5 SoD and Constraints in RBAC Systems
  5.1 Types of SoD
    5.1.1 Static SoD
    5.1.2 Dynamic SoD
    5.1.3 Operational SoD
    5.1.4 History and object-based SoD
  5.2 Using SoD in real systems
    5.2.1 SoD in role hierarchies
    5.2.2 Static and dynamic constraints
    5.2.3 Mutual exclusion
    5.2.4 Effects of privilege assignment
    5.2.5 Assigning privileges to roles
    5.2.6 Assigning roles to users
  5.3 Temporal constraints in RBAC
    5.3.1 Need for temporal constraints
    5.3.2 Taxonomy of temporal constraints
    5.3.3 Associated requirements for supporting temporal constraints
  References

6 RBAC, MAC, and DAC
  6.1 Enforcing DAC using RBAC
    6.1.1 Configuring RBAC for DAC
    6.1.2 DAC with grant-independent revocation
    6.1.3 Additional considerations for grant-dependent revocation
  6.2 Enforcing MAC on RBAC systems
    6.2.1 Configuring RBAC for MAC using static constraints

Description:
Overall, this is a very comprehensive book that covers almost all aspects of RBAC. What strikes me the most when reading this book is the academic and theoretical nature of its contents. For example, the diagrams and especially the formulas, which are used to illustrate things, are likely difficult
