Monday, March 1, 2010

R. Sandhu, D. Ferraiolo, D. Kuhn. 2000. "The NIST Model for Role-Based Access Control: Towards A Unified Standard"

Flat RBAC
- user-role-permission
- many to many relationship for user-role and role-permission
- roles/users assigned to a specific user/role can be determined (user-role review)
- users can simultaneously exercise permissions of various roles
* does not exclude other means by which users can acquire permissions (direct assignment, security labels in lattice-based access control)
* does not rule out negative permissions that deny access
* concept of a session not explicitly part of flat RBAC



Hierarchical RBAC
- adds role hierarchies
- inheritance hierarchies - activation of a role implies activation of all junior roles
- activation hierarchies - junior roles need to be explicitly activated
- (a hierarchy can be both: the activation hierarchy may extend the inheritance hierarchy or be separate and independent of it)

General Hierarchical RBAC
- support for an arbitrary partial order to serve as the role hierarchy

Restricted Hierarchical RBAC
- some systems may impose restrictions on (structures of) the role hierarchy (limited to trees, inverted trees)



Constrained RBAC
- add separation of duties (SOD)
- static SOD - based on user-role assignment
- dynamic SOD - based on role activation



Symmetric RBAC
- adds permission-role review (similar to user-role review of Flat RBAC)

Requirements
1. must return complete set of (objects OR operation and object pairs) that are associated with the permissions assigned to a particular user or role
2. include the ability to selectively define direct and indirect permission assignment
3. include the ability to select the target systems for which the review will be conducted
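
The four levels above can be sketched as one small model. This is an added example, not code from the paper or from NIST: the class, method and role names are assumptions, only an inheritance hierarchy is modelled (no separate activation hierarchy), and each SOD constraint is a set of roles of which at most one may be held or active.

```python
class RBAC:
    def __init__(self):
        self.ua = {}       # flat: user -> assigned roles (many-to-many)
        self.pa = {}       # flat: role -> directly assigned permissions
        self.juniors = {}  # hierarchical: role -> immediate junior roles
        self.ssd = []      # constrained: role sets no user may be authorized for together
        self.dsd = []      # constrained: role sets no session may have active together

    def closure(self, role):
        """The role plus every junior reachable through the partial order."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors.get(r, ()))
        return seen

    def authorized_roles(self, user):
        """User-role review: assigned roles plus inherited junior roles."""
        return set().union(*(self.closure(r) for r in self.ua.get(user, ())))

    def assign(self, user, role):
        """Static SOD is checked at assignment; inherited roles count (assumption)."""
        held = self.authorized_roles(user) | self.closure(role)
        if any(len(held & c) > 1 for c in self.ssd):
            raise ValueError("static SOD violation")
        self.ua.setdefault(user, set()).add(role)

    def activate(self, user, active, role):
        """Dynamic SOD is checked at activation; juniors are activated implicitly."""
        if role not in self.authorized_roles(user):
            raise PermissionError("role not authorized for user")
        new = active | self.closure(role)
        if any(len(new & c) > 1 for c in self.dsd):
            raise PermissionError("dynamic SOD violation")
        return new

    def review(self, role, indirect=True):
        """Symmetric: permission-role review, direct only or direct plus inherited."""
        roles = self.closure(role) if indirect else {role}
        return set().union(*(self.pa.get(r, set()) for r in roles))

def build_demo():
    # Constructed sample policy: permissions are (operation, object) pairs.
    m = RBAC()
    m.juniors = {"manager": {"clerk"}}
    m.pa = {"clerk": {("read", "ledger")}, "manager": {("approve", "payment")}}
    m.ssd, m.dsd = [{"manager", "auditor"}], [{"clerk", "cashier"}]
    return m
```

With this policy a user may be assigned both clerk and cashier, since static SOD does not forbid it, but cannot have both active in one session.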



Other RBAC attributes
Not included because not suitable for standardization, or lack of consensus to justify standardization.
  1. Scalability
  2. Authentication
  3. Negative permissions
  4. Nature of permissions - fine grained VS coarse grained; primitive operations VS abstract
  5. Discretionary role activation
  6. Role engineering - designing roles and assigning permissions and users to roles
  7. Constraints - other forms of SOD (role-centric, permission-centric, user-centric)
    • obligation constraints - require something to happen, VS prohibition constraint (SOD)
  8. RBAC administration
  9. Role revocation - immediacy of revocation (instantly, allow user to finish, etc.)
