AN INTRODUCTION TO ROLE-BASED ACCESS CONTROL
This bulletin provides background information on Role-Based Access Control (RBAC), a technical means for controlling access to computer resources. While still largely in the demonstration and prototype stages of development, RBAC appears to be a promising method for controlling what information computer users can utilize, the programs that they can run, and the modifications that they can make. Only a few off-the-shelf systems that implement RBAC are commercially available; however, organizations may want to start investigating RBAC for future application in their multi-user systems. RBAC is appropriate for consideration in systems that process unclassified but sensitive information, as well as those that process classified information.
What is Role-Based Access Control?
Access is the ability to do something with a computer resource (e.g., use, change, or view). Access control is the means by which the ability is explicitly enabled or restricted in some way (usually through physical and system-based controls). Computer-based access controls can prescribe not only who or what process may have access to a specific system resource, but also the type of access that is permitted. These controls may be implemented in the computer system or in external devices.
With role-based access control, access decisions are based on the roles that individual users have as part of an organization. Users take on assigned roles (such as doctor, nurse, teller, manager). The process of defining roles should be based on a thorough analysis of how an organization operates and should include input from a wide spectrum of users in an organization.
Access rights are grouped by role name, and the use of resources is restricted to individuals authorized to assume the associated role. For example, within a hospital system the role of doctor can include operations to perform diagnosis, prescribe medication, and order laboratory tests; and the role of researcher can be limited to gathering anonymous clinical information for studies.
The use of roles to control access can be an effective means for developing and enforcing enterprise-specific security policies, and for streamlining the security management process.
Users and Roles
Under the RBAC framework, users are granted membership into roles based on their competencies and responsibilities in the organization. The operations that a user is permitted to perform are based on the user's role. User membership into roles can be revoked easily and new memberships established as job assignments dictate. Role associations can be established when new operations are instituted, and old operations can be deleted as organizational functions change and evolve. This simplifies the administration and management of privileges; roles can be updated without updating the privileges for every user on an individual basis.
When a user is associated with a role, the user can be given no more privilege than is necessary to perform the job. This concept of least privilege requires identifying the user's job functions, determining the minimum set of privileges required to perform those functions, and restricting the user to a domain with those privileges and nothing more. In less precisely controlled systems, this is often difficult or costly to achieve. Someone assigned to a job category may be allowed more privileges than needed because it is difficult to tailor access based on various attributes or constraints. Since many responsibilities overlap between job categories, granting the maximum privilege for each job category can lead to unauthorized access.
Background on access control:
DAC, MAC, and RBAC
Access control technology has evolved from research and development efforts supported by the Department of Defense (DoD). This research has resulted in two fundamental types of access control: Discretionary Access Control (DAC) and Mandatory Access Control (MAC). While initial research and applications addressed preventing the unauthorized access to classified information, recent applications have applied these policies to commercial processing environments.
DAC permits the granting and revoking of access control privileges to be left to the discretion of the individual users. A DAC mechanism allows users to grant or revoke access to any of the objects under their control. As such, users are said to be the owners of the objects under their control. However, for many organizations, the end users do not own the information to which they are allowed access. For these organizations, the corporation or agency is the actual owner of system objects as well as the programs that process them. Access privileges are controlled by the organization and are often based on employee functions rather than data ownership.
MAC, as defined in the DoD's Trusted Computer System Evaluation Criteria (TCSEC), is "A means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e. clearance) of subjects to access information of such sensitivity."
These policies for access control are not particularly well suited to the requirements of government and industry organizations that process unclassified but sensitive information. In these environments, security objectives often support higher-level organizational policies which are derived from existing laws, ethics, regulations, or generally accepted practices. Such environments usually require the ability to control actions of individuals beyond just an individual's ability to access information according to how that information is labeled based on its sensitivity.
Roles and Role Hierarchies
Under RBAC, roles can have overlapping responsibilities and privileges; that is, users belonging to different roles may need to perform common operations. Some general operations may be performed by all employees. In this situation, it would be inefficient and administratively cumbersome to specify repeatedly these general operations for each role that gets created. Role hierarchies can be established to provide for the natural structure of an enterprise. A role hierarchy defines roles that have unique attributes and that may contain other roles; that is, one role may implicitly include the operations that are associated with another role.
In the healthcare situation, a role Specialist could contain the roles of Doctor and Intern. This means that members of the role Specialist are implicitly associated with the operations associated with the roles Doctor and Intern without the administrator having to explicitly list the Doctor and Intern operations. Moreover, the roles Cardiologist and Rheumatologist could each contain the Specialist role.
Role hierarchies are a natural way of organizing roles to reflect authority, responsibility, and competency: the role in which the user is gaining membership is not mutually exclusive with another role for which the user already possesses membership. These operations and roles can be subject to organizational policies or constraints. When operations overlap, hierarchies of roles can be established. Instead of instituting costly auditing to monitor access, organizations can put constraints on access through RBAC. For example, it may seem sufficient to allow physicians to have access to all patient data records if their access is monitored carefully. With RBAC, constraints can be placed on physician access so that only those records that are associated with a particular physician can be accessed.
Roles and Operations
Organizations can establish the rules for the association of operations with roles. For example, a healthcare provider may decide that the role of clinician must be constrained to post only the results of certain tests but not to distribute them where routing and human errors could violate a patient's right to privacy. Operations can also be specified in a manner that can be used in the demonstration and enforcement of laws or regulations. For example, a pharmacist can be provided with operations to dispense, but not to prescribe, medication.
An operation represents a unit of control that can be referenced by an individual role, subject to regulatory constraints within the RBAC framework. An operation can be used to capture complex security-relevant details or constraints that cannot be determined by a simple mode of access.
For example, there are differences between the access needs of a teller and an accounting supervisor in a bank. An enterprise defines a teller role as being able to perform a savings deposit operation. This requires read and write access to specific fields within a savings file. An enterprise may also define an accounting supervisor role that is allowed to perform correction operations. These operations require read and write access to the same fields of a savings file as the teller. However, the accounting supervisor may not be allowed to initiate deposits or withdrawals but only perform corrections after the fact. Likewise, the teller is not allowed to perform any corrections once the transaction has been completed. The difference between these two roles is the operations that are executed by the different roles and the values that are written to the transaction log file.
The RBAC framework provides administrators with the capability to regulate who can perform what actions, when, from where, in what order, and in some cases under what relational circumstances: only those operations that need to be performed by members of a role are granted to the role. Granting of user membership to roles can be limited. Some roles can only be occupied by a certain number of employees at any given period of time. The role of manager, for example, can be granted to only one employee at a time. Although an employee other than the manager may act in that role, only one person may assume the responsibilities of a manager at any given time. A user can become a new member of a role as long as the number of members allowed for the role is not exceeded.
Advantages of RBAC
A properly-administered RBAC system enables users to carry out a broad range of authorized operations, and provides great flexibility and breadth of application. System administrators can control access at a level of abstraction that is natural to the way that enterprises typically conduct business. This is achieved by statically and dynamically regulating users' actions through the establishment and definition of roles, role hierarchies, relationships, and constraints. Thus, once an RBAC framework is established for an organization, the principal administrative actions are the granting and revoking of users into and out of roles. This is in contrast to the more conventional and less intuitive process of attempting to administer lower-level access control mechanisms directly (e.g., access control lists [ACLs], capabilities, or type enforcement entities) on an object-by-object basis.
Further, it is possible to associate the concept of an RBAC operation with the concept of "method" in Object Technology. This association leads to approaches where Object Technology can be used in applications and operating systems to implement an RBAC operation.
For distributed systems, RBAC administrator responsibilities can be divided among central and local protection domains; that is, central protection policies can be defined at an enterprise level while leaving protection issues that are of local concern at the organizational unit level. For example, within a distributed healthcare system, operations that are associated with healthcare providers may be centrally specified and pertain to all hospitals and clinics, but the granting and revoking of memberships into specific roles may be specified by administrators at local sites.
Status of Current RBAC Activities
Several organizations are experimenting with the inclusion of provisions for RBAC in open consensus specifications. RBAC is an integral part of the security models for Secure European System for Applications in a Multi-vendor Environment (SESAME) distributed system and the database language SQL3. In addition, the Object Management Group's (OMG) Common Object Request Broker Architecture (CORBA) Security specification uses RBAC as an example of an access control mechanism which can be used with the distributed Object Technology defined by the OMG. (See reference below.)
CSL has been developing and defining RBAC and its applicability cooperatively with industry, government, and academic partners. In conjunction with Dr. Ravi Sandhu of George Mason University and Seta Corporation, CSL is defining RBAC and its feasibility. We are working with Dr. Virgil Gligor and his associates at the University of Maryland and with the National Security Agency (NSA) to develop a formal reference model for RBAC to provide a safe, effective, and consistent mechanism for access control. This effort is also implementing RBAC on NSA's Synergy Platform, a secure platform based on the Mach Operating System. CSL is also developing a demonstration of RBAC use in healthcare. The access policy used in this demonstration is based on a draft consensus policy for patient record access developed in the United Kingdom. In conjunction with the Internal Revenue Service (IRS), CSL is defining roles and operations suitable for the IRS environment. In conjunction with the Veterans Administration (VA), CSL is studying the applicability of RBAC to VA systems.
Based on current research and experience, RBAC appears to fit well into the widely varying security policies of industry and government organizations.
In computer systems security, an approach to restricting system access to authorized users is called role-based access control (RBAC). It is a newer alternative approach to mandatory access control (MAC) and discretionary access control (DAC). RBAC is also known as role-based security.
Within an organization, roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members of staff (or other system users) are assigned particular roles, and through those role assignments acquire the permissions to perform particular system functions. Unlike context-based access control (CBAC), RBAC does not look at the message context (such as a connection's source).
Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the user; this simplifies common operations, such as adding a user, or changing a user's department.
RBAC differs from access control lists (ACLs) used in traditional discretionary access control systems in that it assigns permissions to specific operations with meaning in the organization, rather than to low level data objects. For example, an access control list could be used to grant or deny write access to a particular system file, but it would not dictate how that file could be changed. In an RBAC-based system, an operation might be to create a 'credit account' transaction in a financial application or to populate a 'blood sugar level test' record in a medical application. The assignment of permission to perform a particular operation is meaningful, because the operations are granular with meaning within the application. RBAC has been shown to be particularly well suited to separation of duties (SoD) requirements, which ensure that two or more people must be involved in authorizing critical operations. Necessary and sufficient conditions for safety of SoD in RBAC have been analyzed. An underlying principle of SoD is that no individual should be able to effect a breach of security through dual privilege. By extension, no person may hold a role that exercises audit, control or review authority over another, concurrently held role.
With the concepts of role hierarchy and constraints, one can control RBAC to create or simulate lattice-based access control (LBAC). Thus RBAC can be considered a superset of LBAC.
When defining an RBAC model, the following conventions are useful:
* S = Subject = A person or automated agent
* R = Role = Job function or title which defines an authority level
* P = Permissions = An approval of a mode of access to a resource
* SE = Session = A mapping involving S, R and/or P
* SA = Subject Assignment
* PA = Permission Assignment
* RH = Partially ordered role Hierarchy. RH can also be written: ≥
* A subject can have multiple roles.
* A role can have multiple subjects.
* A role can have many permissions.
* A permission can be assigned to many roles.
A constraint places a restrictive rule on the potential inheritance of permissions from opposing roles, thus it can be used to achieve appropriate separation of duties. For example, the same person should not be allowed to both create a login account and to authorize the account creation.
A subject may have multiple simultaneous sessions with different permissions.
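The model sketched in the bulletin (role hierarchies in which Specialist contains Doctor and Intern, a cardinality limit on the manager role, and mutually exclusive roles such as account creation versus account approval) and the S/R/P/SE conventions listed above can be exercised directly in code. The following Python is an added example written for this page, not code from NIST, the bulletin's authors or any product; the hospital roles, permission names and constraints are constructed to mirror the examples in the text.

```python
from collections import deque


class ConstraintViolation(Exception):
    """Raised when an assignment or activation would break an RBAC constraint."""


class RBAC:
    """Core RBAC model: PA (role -> permissions), RH (role hierarchy), SA (subject -> roles),
    static separation-of-duty pairs, per-role cardinality limits and sessions."""

    def __init__(self):
        self.pa = {}           # role -> set of permissions                 (PA)
        self.rh = {}           # role -> set of junior roles it inherits    (RH, senior >= junior)
        self.sa = {}           # subject -> set of directly assigned roles  (SA)
        self.ssd = set()       # frozenset({r1, r2}): the two roles may never be held together
        self.max_members = {}  # role -> cardinality limit

    def add_role(self, role, permissions=(), inherits=(), max_members=None):
        for junior in inherits:
            if junior not in self.pa:
                raise KeyError(f"unknown junior role {junior!r}")
        self.pa[role] = set(permissions)
        self.rh[role] = set(inherits)
        if max_members is not None:
            self.max_members[role] = max_members

    def add_exclusion(self, r1, r2):
        self.ssd.add(frozenset((r1, r2)))

    def juniors(self, role):
        """The role plus every role it transitively inherits (closure over RH)."""
        seen, todo = set(), deque([role])
        while todo:
            r = todo.popleft()
            if r not in seen:
                seen.add(r)
                todo.extend(self.rh.get(r, ()))
        return seen

    def role_permissions(self, role):
        """Permissions a senior role gets implicitly, without listing junior operations again."""
        return set().union(*(self.pa[r] for r in self.juniors(role)))

    def authorized_roles(self, subject):
        return set().union(*(self.juniors(r) for r in self.sa.get(subject, ())))

    def members(self, role):
        return {s for s, roles in self.sa.items() if role in roles}

    def assign(self, subject, role):
        if role not in self.pa:
            raise KeyError(f"unknown role {role!r}")
        limit = self.max_members.get(role)
        if limit is not None and subject not in self.members(role) and len(self.members(role)) >= limit:
            raise ConstraintViolation(f"{role} may have at most {limit} member(s)")
        # Static SoD is checked against everything the hierarchy implies, not only direct roles.
        for a in self.juniors(role):
            for b in self.authorized_roles(subject):
                if frozenset((a, b)) in self.ssd:
                    raise ConstraintViolation(f"{a} and {b} are mutually exclusive")
        self.sa.setdefault(subject, set()).add(role)

    def revoke(self, subject, role):
        self.sa.get(subject, set()).discard(role)

    def open_session(self, subject, roles):
        """A session activates a subset of the roles the subject is authorized for; least
        privilege means activating only what the task at hand needs."""
        roles = frozenset(roles)
        if not roles <= self.authorized_roles(subject):
            raise ConstraintViolation("session activates a role the subject does not hold")
        return (subject, roles)

    def check(self, session, permission):
        _subject, active = session
        return any(permission in self.role_permissions(r) for r in active)


def hospital_policy():
    """Constructed policy mirroring the roles named in the text (not a real hospital's policy)."""
    p = RBAC()
    p.add_role("intern", {"read_chart"})
    p.add_role("doctor", {"diagnose", "prescribe", "order_lab"})
    p.add_role("specialist", inherits=("doctor", "intern"))
    p.add_role("cardiologist", {"read_ecg"}, inherits=("specialist",))
    p.add_role("pharmacist", {"dispense"})
    p.add_role("researcher", {"read_anonymized"})
    p.add_role("account_creator", {"create_login"})
    p.add_role("account_approver", {"approve_login"})
    p.add_role("manager", {"approve_timesheet"}, max_members=1)
    p.add_exclusion("doctor", "pharmacist")                  # prescribe vs dispense
    p.add_exclusion("account_creator", "account_approver")   # create vs authorize an account
    return p
```

The point to notice is that the separation-of-duty check runs over the transitive closure of the hierarchy: assigning pharmacist to a cardiologist is refused because cardiologist implies doctor, even though the two conflicting roles were never assigned directly. Sessions show the other half of least privilege: a cardiologist can open a session with only the intern role active and cannot prescribe from it.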
Biometric technology plays an important role in the authentication of individuals. The earliest biometric technique was fingerprint identification, which was used by Chinese merchants in the 14th century. These techniques have since been developed extensively with the involvement of the governments of the US, the UK and many countries of the European Union, who have seen them as an effective way to address authentication problems. Biometrics exploits human physical and behavioural traits to identify a person. Physiological characteristics include fingerprint, face, hand geometry, DNA and iris patterns; behavioural characteristics relate to a person's behaviour, such as signature, keystroke dynamics and voice. This method has been used by the MPS to strengthen itself, to curb various cyber crimes and against foreign criminals. Various devices are used in biometrics, such as digital cameras for face or ear recognition and a telephone for voice recognition. A biometric system operates in verification mode or identification mode. In verification mode the system validates a claimed identity by comparing the captured biometric data with that person's stored template (a 1:1 comparison); this mode is mainly used for positive recognition. In identification mode the system captures the biometric data of an individual and searches the stored templates of all users in the database (a 1:N comparison) until a match is found or the database is exhausted.
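Verification (1:1) and identification (1:N) differ only in how many stored templates the probe is compared against, and both depend on a decision threshold that trades false rejections of genuine users against false acceptances of impostors. The following Python is an added example for this page, not part of the original article: templates are modelled as fixed-length bit strings compared by normalized Hamming distance (the comparison used for iris codes), and the enrolled gallery, the probe and the sensor noise are all constructed inside the code.

```python
import random

TEMPLATE_BITS = 256   # constructed: a short iris-code-like binary template


def hamming_distance(a, b):
    """Normalized Hamming distance between two templates held as TEMPLATE_BITS-bit integers."""
    return bin(a ^ b).count("1") / TEMPLATE_BITS


def verify(probe, enrolled_template, threshold):
    """Verification (1:1): does the live probe match the template of the claimed identity?"""
    return hamming_distance(probe, enrolled_template) <= threshold


def identify(probe, gallery, threshold):
    """Identification (1:N): closest enrolled identity, or None if nothing is within threshold.
    The whole gallery is searched so the best match wins, not the first one under threshold."""
    best_id, best_d = None, 1.0
    for ident, template in gallery.items():
        d = hamming_distance(probe, template)
        if d < best_d:
            best_id, best_d = ident, d
    return best_id if best_d <= threshold else None


def random_template(rng):
    return rng.getrandbits(TEMPLATE_BITS)


def noisy_capture(template, flip_fraction, rng):
    """Constructed sensor noise: a fresh capture of the same trait differs in a fraction of bits."""
    mask = 0
    for i in range(TEMPLATE_BITS):
        if rng.random() < flip_fraction:
            mask |= 1 << i
    return template ^ mask


def build_gallery(n, rng):
    """Constructed enrolment database: identity label -> stored template."""
    return {f"user{i:03d}": random_template(rng) for i in range(n)}


def error_rates(gallery, threshold, trials, rng, genuine_noise=0.10):
    """Estimate FRR (genuine users rejected) and FAR (impostors accepted) at one threshold.
    Lowering the threshold lowers FAR but raises FRR; the operating point is a policy choice."""
    ids = list(gallery)
    false_rejects = false_accepts = 0
    for _ in range(trials):
        ident = rng.choice(ids)
        genuine = noisy_capture(gallery[ident], genuine_noise, rng)
        if not verify(genuine, gallery[ident], threshold):
            false_rejects += 1
        impostor = random_template(rng)          # someone never enrolled, claiming `ident`
        if verify(impostor, gallery[ident], threshold):
            false_accepts += 1
    return false_rejects / trials, false_accepts / trials


def demo(seed=7):
    """Run both modes and three operating points on a constructed 50-user gallery."""
    rng = random.Random(seed)
    gallery = build_gallery(50, rng)
    probe = noisy_capture(gallery["user007"], 0.10, rng)   # user007 presenting again
    return {
        "verify_genuine": verify(probe, gallery["user007"], 0.32),
        "verify_wrong_claim": verify(probe, gallery["user008"], 0.32),
        "identify": identify(probe, gallery, 0.32),
        "identify_unenrolled": identify(random_template(rng), gallery, 0.32),
        "rates_strict": error_rates(gallery, 0.01, 100, rng),    # (FRR, FAR)
        "rates_balanced": error_rates(gallery, 0.32, 100, rng),
        "rates_lax": error_rates(gallery, 0.75, 100, rng),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20s} {value}")
```

With unrelated templates sitting at a distance of about 0.5 and repeat captures of the same trait at about 0.1, a threshold of 0.32 separates the two populations cleanly; the strict and lax settings show what happens at either extreme, which is the trade-off any deployment has to decide on explicitly.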
Types of Biometrics:
• Face Recognition
A biometric system can automatically recognize a person by the face. The technology works by analyzing specific features of the face, such as the distance between the eyes, the width of the nose, the position of the cheekbones, the jaw line and the chin, and their unique shape and pattern. These systems measure the eyes, nose, mouth and other facial features for identification; to increase accuracy they may also measure mouth and lip movement. Face recognition captures the characteristics of a face from video or a still image and translates them into a set of numbers, which are combined into a single template that identifies each person. Sometimes dynamic features are analyzed as well, such as the changes in the face while smiling, crying or reacting to different situations. Either the entire face or particular parts of it may be used to establish identity. It is a highly complex technology; data may be captured with video or thermal imaging, and the user's identity is confirmed by looking at the screen. The primary benefit of facial recognition as a biometric authenticator is that people are accustomed to presenting their faces for identification, so it can take the place of an ID card or photo identity card. Because a face changes with age or plastic surgery, the recognition algorithm should rely on the relative positions of the ears, nose, eyes and other facial features.
[Because surveillance systems are already set up in public areas such as malls and airports, the method is not intrusive from the suspect's point of view: he does not know whether he is being examined, and disturbance to the public is avoided. In the present climate of international terrorism, police are opting for this method to identify some of the most wanted persons.]
• Hand Geometry:
Hand geometry techniques capture the physical characteristics of a user's hand and fingers. These systems measure and record the length, width, thickness and surface area of an individual's hand: a camera captures a three-dimensional image of the hand, a verification template is created and stored in the database, and it is compared with a fresh template when the person is verified. Hand geometry is used in applications such as access control and time and attendance. It is easy to use, relatively inexpensive and widely accepted.
• Fingerprint Identification:
Fingerprint identification analyses the ridge pattern of the finger image: ridge endings and the bifurcations, or branches, made by ridges. Fingerprint readers are currently being built into memory cards for use with laptops or PCs, and into cellular telephones and personal digital assistants. Fingerprint identification has been successfully implemented in the area of physical access control.
• Eye Recognition:
This technique involves scanning the retina or the iris of the eye. Retina scan technology maps the capillary pattern of the retina, the thin layer of nerve tissue at the back of the eye; a retina scan measures patterns at over 400 points. Iris recognition analyses the iris, the coloured ring of tissue that surrounds the pupil. Both are mature technologies with a proven track record in a number of application areas. Retina scanning captures the unique pattern of blood vessels, whereas iris scanning captures the pattern of the iris itself. For a retina scan the user must focus on a point, and when the eye is in that position the system uses a beam of light to capture the unique retinal characteristics. It is extremely accurate and is used heavily in controlled environments; however, it is expensive, requires precise alignment, and usually the user must look into the device with proper concentration. Iris recognition is one of the most reliable biometric identification and verification methods and is used at airports for travellers. Retina scanning is used in military and government organizations, primarily for authentication in high-end security applications that restrict access, for example to government buildings, military operations or other restricted quarters, to authorized personnel only. The pattern of the human iris is stable throughout one's lifetime, and the chance of two people sharing the same iris pattern is negligible.
• Voice Biometrics
Voice biometrics uses a person's voice to verify or identify that person, and so supports both verification and identification. A microphone on a standard PC together with analysis software is all that is required to extract the speaker's unique characteristics; it is mostly used in telephone-based applications. To enroll, the user speaks a given pass phrase into a microphone or telephone handset, and the system creates a template based on numerous characteristics, including pitch, tone and the shape of the larynx. Typically the enrollment process takes less than a minute for the user to complete. Voice verification is one of the least intrusive of all biometric methods, is easy to use, and does not require a great deal of user education.
• Signature Verification
Signature verification technology analyses an individual's written signature, including the speed, acceleration, stroke length and pressure applied while signing. There are different ways to capture the data for analysis: a special pen can recognize and analyse the movements made while writing a signature, with the data captured within the pen, or a special tablet can record time, pressure, acceleration and the duration for which the pen touches it. As the user writes, the sound the pen makes against the paper can also be captured and used for verification. Rather than merely comparing images of signatures, the device compares the direction, speed and pressure of the writing instrument as it moves across the pad. An individual's signature can change over time, however, which can result in the system not recognizing authorized users, and signature systems depend on special devices such as a tablet or pen. This verification is used to identify false documents and forgery; forensic departments use it to analyse financial documents, and many law firms use it to help their clients. A Parascript signature verification product developed in Moscow, the SignatureXpert software, has been approved by a forensics department and has already identified the signatures in a $160,000 scam as fraudulent. Forgery is a serious crime that can affect both individuals and companies and cause them heavy losses; the police have therefore taken signature verification seriously, and many frauds have been revealed. Faheem Ansari, an accused in the 26/11 Mumbai attacks, was matched to his handwriting on maps of the Mumbai terror sites seized from him, which shows that signature and handwriting verification can also be effective against criminals.
The more common frauds are online fraud and identity theft, but there are more blatant ones, as when someone from the bank or outside it forges your signature.
The Public Key Infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.
In cryptography, a PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique for each CA. The binding is established through the registration and issuance process, which, depending on the level of assurance the binding has, may be carried out by software at a CA or under human supervision. The PKI role that assures this binding is called the Registration Authority (RA). For each user, the user identity, the public key, their binding, validity conditions and other attributes are made unforgeable in public key certificates issued by the CA.
This section discusses the following basic processes which are common to all PKIs:
Public key cryptography - Includes the generation, distribution, administration, and control of cryptographic keys.
Certificate issuance - Binds a public-key to an individual, organization, or other entity, or to some other data—for example, an email or purchase order.
Certificate validation - Verifies that a trust relationship or binding exists and that a certificate is still valid for specific operations.
Certificate revocation - Cancels a previously issued certificate and either publishes the cancellation to a Certificate Revocation List or enables an Online Certificate Status Protocol process.
WHAT IS RSA
This section is a brief overview of the cryptography that is incorporated into a PKI. Current public key cryptography as described in this article is mostly attributed to Diffie and Hellman and to Rivest, Shamir and Adleman. Because of its widespread use in e-commerce, this article focuses on the RSA (named for its creators: Rivest, Shamir and Adleman) public key cryptographic system. RSA is a public key cryptographic algorithm whose security rests on the hard mathematical problem of factoring composite numbers. The keys used by the RSA crypto-system are based on the product of two large prime numbers and derive their cryptographic strength from the fact that it is difficult to factor large composite numbers of this kind. RSA uses a pair of keys: a public key which is made known to many entities, and a private key whose secrecy and integrity are strictly controlled and which is used only by the owner of that key. Given an appropriate key length, it is computationally infeasible to determine one key from the other. The basic cryptographic feature of RSA is that data encrypted with one key can be decrypted only with the other; this is what gives RSA its asymmetry. Note that what follows describes textbook RSA applied directly to a number. In practice RSA is always used with a padding scheme (such as OAEP for encryption and PSS or PKCS#1 v1.5 for signatures), because raw RSA on unpadded data is deterministic and malleable.
RSA performs the generation of a public/private key pair as follows:
Two large primes, p and q, are chosen and their product n = pq is computed; n is called the modulus. A public exponent e is chosen that is less than n and relatively prime to (p-1)(q-1), which means e and (p-1)(q-1) have no common factor except 1. A second number d is then computed such that (ed - 1) is divisible by (p-1)(q-1); d is the multiplicative inverse of e, i.e. ed ≡ 1 (mod (p-1)(q-1)). The values e and d are called the public and private exponents, respectively. The public key is the pair (n, e) and the private key is d (used together with the modulus n). RSA supports two basic modes of operation: encryption and digital signatures. These are outlined in the following sections.
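The key-generation steps just described, the signature mode of RSA, and the issuance, validation and revocation processes listed earlier can be followed end to end in one program. The following Python is an added example for this page, not from the article or any PKI product: it uses textbook RSA (no padding) with small fixed primes, a constructed JSON certificate format in place of X.509, a two-level chain (root CA, subordinate CA, end entity) and a set of revoked serial numbers standing in for a CRL. Real PKIs use DER-encoded X.509, padded RSA and keys of 2048 bits or more.

```python
import hashlib
import json
import math


def rsa_keygen(p, q):
    """Key generation as in the text: n = pq, e coprime to (p-1)(q-1), d = e^-1 mod (p-1)(q-1).
    The primes passed in by demo() are small fixed values chosen for the demo, not a secure size."""
    n = p * q
    phi = (p - 1) * (q - 1)
    e = 65537
    while math.gcd(e, phi) != 1:       # e must be relatively prime to (p-1)(q-1)
        e += 2
    d = pow(e, -1, phi)                # e*d == 1 (mod (p-1)(q-1))
    return (n, e), (n, d)              # public key (n, e); private exponent d with the modulus n


def _digest_mod_n(message, n):
    # Textbook RSA: sign a hash reduced into the modulus. Real systems use PKCS#1 padding instead.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def rsa_sign(private_key, message):
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)                 # signature mode: private exponent


def rsa_verify(public_key, message, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)    # anyone can check with (n, e)


def canonical(tbs):
    """Deterministic encoding of the to-be-signed fields (a stand-in for DER)."""
    return json.dumps(tbs, sort_keys=True).encode()


def issue(ca_private_key, ca_name, subject, subject_public_key, serial, not_before, not_after):
    """Certificate issuance: the CA binds a subject name to a public key and signs the binding."""
    tbs = {"serial": serial, "issuer": ca_name, "subject": subject,
           "public_key": list(subject_public_key),
           "not_before": not_before, "not_after": not_after}
    return {**tbs, "signature": rsa_sign(ca_private_key, canonical(tbs))}


def validate(cert, issuer_public_key, revoked_serials, now):
    """Certificate validation: issuer signature, validity window, revocation status.
    Returns 'valid' or the first failing check."""
    tbs = {k: v for k, v in cert.items() if k != "signature"}
    if not rsa_verify(issuer_public_key, canonical(tbs), cert["signature"]):
        return "bad signature"
    if not cert["not_before"] <= now <= cert["not_after"]:
        return "outside validity period"
    if cert["serial"] in revoked_serials:
        return "revoked"
    return "valid"


def validate_chain(chain, trust_anchor_public_key, revoked_serials, now):
    """chain[0] must be issued by the trust anchor; each later cert by the one before it."""
    issuer_key = trust_anchor_public_key
    for cert in chain:
        status = validate(cert, issuer_key, revoked_serials, now)
        if status != "valid":
            return f"{cert['subject']}: {status}"
        issuer_key = tuple(cert["public_key"])
    return "valid"


def demo():
    """Constructed PKI: root CA -> subordinate CA -> end entity; times are plain integers."""
    root_pub, root_priv = rsa_keygen(1000000007, 998244353)
    sub_pub, sub_priv = rsa_keygen(1000000009, 999999937)
    leaf_pub, leaf_priv = rsa_keygen(1000000021, 1000000033)
    sub_cert = issue(root_priv, "Root CA", "Sub CA", sub_pub, serial=1, not_before=100, not_after=1000)
    leaf_cert = issue(sub_priv, "Sub CA", "alice@example.test", leaf_pub, serial=2, not_before=200, not_after=500)
    chain = [sub_cert, leaf_cert]
    crl = set()                                   # revocation: the published list of cancelled serials
    results = {"valid": validate_chain(chain, root_pub, crl, now=300),
               "expired": validate_chain(chain, root_pub, crl, now=600),
               "tampered": validate_chain([sub_cert, dict(leaf_cert, subject="mallory@example.test")],
                                          root_pub, crl, now=300)}
    crl.add(2)                                    # the subordinate CA cancels alice's certificate
    results["revoked"] = validate_chain(chain, root_pub, crl, now=300)
    msg = b"purchase order 4711"
    results["leaf_signature_ok"] = rsa_verify(leaf_pub, msg, rsa_sign(leaf_priv, msg))
    results["leaf_signature_forged"] = rsa_verify(leaf_pub, msg + b"!", rsa_sign(leaf_priv, msg))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22s} {value}")
```

The order of checks in validate() is the one a relying party needs: a bad signature means the certificate's contents cannot be trusted at all, so validity dates and the serial number are only consulted once the binding has been verified against the issuer's key, and the chain walk feeds each verified public key forward as the issuer key for the next certificate.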
PKI is a complex subject and still evolving in terms of its utilization in the commercial and e-commerce sectors. Although the underlying technology is quite sound, issues exist in areas such as interoperability and performance. Nonetheless, PKI offers considerable benefits to those in need of the basic security services described in this article. Those considering a PKI should evaluate their environment to understand where they require basic security services and thus where a PKI would be most useful.
When progressing to a PKI, careful planning is critical. Start small with a pilot implementation. This will allow you to gain an understanding of the issues and also the operational, security, and practical aspects particular to your environment. With the successful implementation of a pilot PKI and a clear understanding of focused goals and objectives, which can realistically be satisfied by a PKI, you can proceed to a more comprehensive implementation of a PKI.