Role Based Access Control (RBAC)
RBAC: - RBAC is a method of regulating access to computer or network resources based on the role of the individual user within a company. It is a security feature that controls how users and systems communicate and interact with one another. Role-based access control is also known as non-discretionary access control. Key points: -
- RBAC uses a set of controls to determine how subjects and objects interact.
- Allows a user to be assigned a role; that role dictates the user's access to resources.
- It is a method of regulating access to computer or network resources based on the role of the individual user within an enterprise.
Access
- It is the ability of an individual user to perform a specific task, such as reading, writing, or modifying a file.
- Examples: read and write
Subject
- Active (alive) entity
Object
- Passive (motionless) entity
Roles
- Roles are defined according to job capability and responsibility within a company. A user can have more than one role, and more than one user can have the same role.
User
- An electronic representation of a human being on the system, or of an automated service.
Several intermediate concepts can be inserted between subject and object:
1. Object = Bank account
2. Subject = Bank employee
3. Roles
- Clerk
- Teller
- Administrator
4. Procedure
- Creating new account
- Fund transfer between accounts
5. Data types = A set of bank accounts forms a data type
RBAC has the following types of users: -
+ Account Owner
- The account owner acts as the account administrator and has full permissions to execute all services and commands.
+ Account Owner Role
- Create new user accounts
- Modify existing users
- Delete users
+ Account User
- An account user is added by the account owner and has only limited permissions.
+ Account User Role
- Read
- Write
COMPONENTS
+ Core RBAC
- It deals with users and user permissions. In a session, the user is given permissions through the specific roles activated for it. A session is created when the user authenticates, and the user's roles are authorized to make it active.
+ Hierarchical RBAC
- All roles are members of a common base role, and every user is a member of at least one role. Roles can be members of other roles, forming an inheritance hierarchy in which a member role inherits all of its parents' permissions.
+ Separation RBAC
- Adds constraints on the set of roles that users and roles can be active or authorized members of. To avoid conflicts of interest for users with different functions within an organization, restrictions on the currently active roles can be added. This is referred to as dynamic SOD, while static SOD refers to a scheme where a user cannot even become a member of conflicting roles, thereby reducing the possibility of a conflict of interest.
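The three components above (core sessions, role inheritance, static and dynamic SOD) as a small added Python model, not code from the original notes; the bank roles reuse the clerk/teller/administrator example, while the permission names and which role pairs conflict are constructed assumptions.

```python
# Added example (not the notes' own code); bank roles and conflicting pairs are constructed.
from typing import Dict, FrozenSet, Optional, Set

class RBAC:
    def __init__(self) -> None:
        self.perms: Dict[str, Set[str]] = {}    # role -> directly granted permissions
        self.parents: Dict[str, Set[str]] = {}  # role -> roles it inherits from
        self.members: Dict[str, Set[str]] = {}  # user -> roles the user is authorised for
        self.static_sod: Set[FrozenSet[str]] = set()   # role pairs no user may hold at all
        self.dynamic_sod: Set[FrozenSet[str]] = set()  # role pairs never active in one session

    def add_role(self, role: str, perms=(), parents=()) -> None:
        self.perms[role], self.parents[role] = set(perms), set(parents)

    def effective_perms(self, role: str) -> Set[str]:
        # Hierarchical RBAC: a member role inherits all of its parents' permissions.
        return set(self.perms[role]).union(*(self.effective_perms(p) for p in self.parents[role]))

    def assign(self, user: str, role: str) -> bool:
        # Static SOD: refuse membership of a role that conflicts with one the user already holds.
        held = self.members.setdefault(user, set())
        if any(frozenset((r, role)) in self.static_sod for r in held):
            return False
        held.add(role)
        return True

    def open_session(self, user: str, active: Set[str]) -> Optional[Set[str]]:
        # Core RBAC session: activate a subset of the user's authorised roles. Dynamic SOD
        # lets a user hold conflicting roles but never activate them in the same session.
        if not active <= self.members.get(user, set()):
            return None
        if any(frozenset((a, b)) in self.dynamic_sod for a in active for b in active if a < b):
            return None
        return active

    def allowed(self, session: Optional[Set[str]], perm: str) -> bool:
        # Access check: permitted if any active role grants perm directly or by inheritance.
        return bool(session) and any(perm in self.effective_perms(r) for r in session)

def bank() -> RBAC:
    r = RBAC()
    r.add_role("clerk", {"read_account"})
    r.add_role("teller", {"transfer_funds"}, parents={"clerk"})  # teller inherits clerk
    r.add_role("administrator", {"create_account"})
    r.static_sod.add(frozenset({"teller", "administrator"}))     # constructed conflict
    r.dynamic_sod.add(frozenset({"clerk", "administrator"}))     # constructed conflict
    r.assign("alice", "teller")
    r.assign("bob", "administrator")
    r.assign("bob", "clerk")
    return r
```

With this setup alice can read accounts through inheritance from clerk but can never be made an administrator (static SOD), while bob may hold both clerk and administrator yet cannot activate them in one session (dynamic SOD).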
Applications
- DBMSs such as Oracle Enterprise Server 8i, Sybase Adaptive Server 12.5 and Informix Dynamic Server 9.3 implement some of the RBAC features.
- SELinux, by the US National Security Agency, uses RBAC features.
- RBAC-NFS, an RBAC implementation for NFS on Linux, was developed at Linköping University.
- Sun's secure server uses RBAC to avoid the rather rigid concept of a single superuser.
Advantages: -
1. Scalable to some degree.
2. Well suited to organizations with high staff turnover.
Disadvantages: -
1. Roles need provisioning and maintenance.
2. Possibility of role explosion.
3. Unable to accommodate real-time context.