Serban I. Gavrila

Proposed NIST standard for role-based access control

In this article we propose a standard for role-based access control (RBAC). Although RBAC models have received broad support as a generalized approach to access control, and are well recognized for their many advantages in performing large-scale authorization management, no single authoritative definition of RBAC exists today. This lack of a widely accepted model results in uncertainty and confusion about RBACs utility and meaning. The standard proposed here seeks to resolve this situation by unifying ideas from a base of frequently referenced RBAC models, commercial products, and research prototypes. It is intended to serve as a foundation for product development, evaluation, and procurement specification. Although RBAC continues to evolve as users, researchers, and vendors gain experience with its application, we feel the features and components proposed in this standard represent a fundamental and stable set of mechanisms that may be enhanced by developers in further meeting the needs of their customers. As such, this document does not attempt to standardize RBAC features beyond those that have achieved acceptance in the commercial marketplace and research community, but instead focuses on defining a fundamental and stable set of RBAC components. This standard is organized into the RBAC Reference Model and the RBAC System and Administrative Functional Specification. The reference model defines the scope of features that comprise the standard and provides a consistent vocabulary in support of the specification. The RBAC System and Administrative Functional Specification defines functional requirements for administrative operations and queries for the creation, maintenance, and review of RBAC sets and relations, as well as for specifying system level functionality in support of session attribute management and an access control decision process.

On the formal definition of separation-of-duty policies and their composition

Formally defines a wide variety of separation-of-duty (SoD) properties, including the best known to date, and establishes their relationships within a formal model of role-based access control (RBAC). The formalism helps to remove all the ambiguities of informal definition and offers a wide choice of implementation strategies. We also explore the composability of SoD properties and policies under a simple criterion. We conclude that the practical implementation of SoD policies requires new methods and tools for security administration, even within applications that already support RBAC, such as most database management systems.

Formal specification for role based access control user/role and role/role relationship management

Role Based Access Control (RBAC), an access control mechanism, reduces the cost of administering access control policies as well as making the process less error-prone. The Admin Tool developed for the NIST RBAC Model manages user/role and role/role relationships stored in the RBAC Database. This paper presents a formal specification of the RBAC Database and Admin Tool operations. Consistency requirements for the RBAC Database are defined as a set of properties. Alternative properties, substantially simpler to verify in an implementation, are shown to be equivalent. In addition, the paper defines the semantics of Admin Tool operations, and shows that, given a consistent RBAC Database and an operation which meets specified conditions, the RBAC Database remains consistent after the operation is performed.

The Policy Machine: A novel architecture and framework for access control policy specification and enforcement

The ability to control access to sensitive data in accordance with policy is perhaps the most fundamental security requirement. Despite over four decades of security research, the limited ability for existing access control mechanisms to generically enforce policy persists. While researchers, practitioners and policy makers have specified a large variety of access control policies to address real-world security issues, only a relatively small subset of these policies can be enforced through off-the-shelf technology, and even a smaller subset can be enforced by any one mechanism. In this paper, we propose an access control framework, referred to as the Policy Machine (PM) that fundamentally changes the way policy is expressed and enforced. Employing PM helps in building high assurance enforcement mechanisms in three respects. First, only a relatively small piece of the overall access control mechanism needs to be included in the host system (e.g., an operating system or application). This significantly reduces the amount of code that needs to be trusted. Second, it is possible to enforce the precise policies of resource owners, without compromise on enforcement or resorting to less effective administrative procedures. Third, the PM is capable of generically imposing confinement constraints that can be used to prevent leakage of information to unauthorized principals within the context of a variety of policies to include the commonly implemented Discretionary Access Control and Role-Based Access Control models.

Composing and combining policies under the policy machine

As a major component of any host, or network operating system, access control mechanisms come in a wide variety of forms, each with their individual attributes, functions, methods for configuring policy, and a tight coupling to a class of policies. To afford generalized protection, NIST has initiated a project in pursuit of a standardized access control mechanism, referred to as the Policy Machine (PM) that requires changes only in its configuration in the enforcement of arbitrary and organization specific attribute-based access control policies. Included among the PMs enforceable policies are combinations of policy instances (e.g., Role-Based Access Control and Multi-Level Security). In our effort to devise a generic access control mechanism, we construct the PM in terms of what we believe to be abstractions, properties and functions that are fundamental to policy configuration and enforcement. In its protection of objects under one or more policy instances, the PM categorizes users and objects and their attributes into policy classes, and transparently enforces these policies through a series of fixed PM functions, that are invoked in response to user or subject (process) access requests.

Application-Oriented Security Policies and Their Composition

We define the notion of the application-oriented security policy and suggest that it differs from that of a system-level, global security policy. We view a policy as a conjunction of security properties and argue that these properties are not always independent and, hence, cannot be analyzed (e.g., composed) individually. We also argue that some necessary policy properties fall outside of the Alpern-Schneider safety/liveness domain and, hence, are not subject to the Abadi-Lamport composition principle. We suggest several areas of research in policy definition, composition, and administration.

On the unification of access control and data services

A primary objective of enterprise computing (via a data center, cloud, etc.) is the controlled delivery of data services (DS). Typical DSs include applications such as email, workflow, and records management, as well as system level features, such as file and access control management. Although access control (AC) currently plays an important role in imposing control over the execution of DS capabilities, AC can be more fundamental to computing than one might expect. That is, if properly designed, a single AC mechanism can simultaneously implement, control, and deliver capabilities of multiple DSs. The Policy Machine (PM) is an AC framework that has been designed with this objective in mind. This paper describes the PM features that provide a generic AC mechanism to implement DS capabilities, and comprehensively enforces mission tailored access control policies across DSs.

Enabling an Enterprise-Wide, Data-Centric Operating Environment

The Policy Machine can execute arbitrary data services and specify and enforce arbitrary but mission-tailored access control policies over those executions.

Specification of attribute relations for access control policies and constraints using Policy Machine

Attribute relations in access control mechanisms or languages allow accurate and efficient specification of some popular access control models. However, most of the access control systems including todays de-facto access control protocol and specification language, XACML, does not provide sufficient syntactic and semantic support for the specification of attribute relations in their scheme. In this paper, we show the deficiencies of XACML in specifying such capabilities in the implementations of the Multilevel Security, Hierarchical Role Based policies and Separation of Duty requirements of access control systems. In comparison, we then demonstrate the attribute relation mechanism provided by a relation-based access control mechanism - the Policy Machine.

Smart Cards for mobile devices

While mobile handheld devices provide productivity benefits, they also pose new risks. User authentication is the best safeguard against the risk of unauthorised use and access to a devices contents. This paper describes two novel types of Smart Card (SC) with unconventional form factors, designed to take advantage of common interfaces built into many current handheld devices.