Lecture 3 - RBAC Flashcards
What is RBAC?
Controls access based on the roles that users have within the system and on the rules stating what accesses are allowed to users in given roles
Role is typically …
a job functionality
Roles can be added …
statically or dynamically
Users to roles relationship is …
many to many
How can we utilise an access matrix here?
- to denote user to role correspondence
- to denote role to object correspondence with access rights inside
Can a role be an object?
Yes, as this allows for role hierarchy!
What are the 4 RBAC reference models?
- RBAC0
- RBAC1
- RBAC2
- RBAC3
What is RBAC0?
Base model consisting of users, roles, permissions and sessions. It has no hierarchies and constraints.
It provides flexibility and granularity, as each user is given only the exact permissions they need.
What is a session?
A temporary one-to-one relationship between a user and a role to which the user has been assigned, needed for the task they're trying to accomplish at that moment.
What is RBAC1?
RBAC0 but with role hierarchies. Role hierarchies make use of the concept of inheritance to enable one role to implicitly include access rights associated with a subordinate role.
What is RBAC2?
Adding constraints onto RBAC0. A constraint is a defined relationship among roles or a condition related to roles.
Separation of duties and capabilities within an organisation
Constraint of mutual exclusiveness?
Mutually exclusive roles are roles such that a user can be assigned to only one role in the set. This limitation could be a static one, or it could be dynamic, in the sense that a user could be assigned only one of the roles in the set for a session.
Enhancement of mutual exclusiveness constraint?
- A user can only be assigned to one role in the set
- Any permission (access right) can be granted to only one role in the set (no overlapping permissions between roles and hence user types)
Purpose: To increase difficulty of collusion among individuals of different skills or divergent job functions to thwart security policies
Cardinality constraint?
Cardinality refers to setting a maximum number with respect to roles. One such constraint is to set a maximum number of users that can be assigned to a given role.
We can also impose a maximum number of roles per user, or roles per user per session.
Prerequisite role constraint?
Dictates that a user can only be assigned to a particular role if it is already assigned to some other specified role. A prerequisite can be used to structure the implementation of the least privilege concept.