Week 7 - RBAC and ABAC

Question 1

RBAC

Answer 1

Role Based Access Control

RBAC model governs the access of a user to information through the roles to which the user is assigned

Question 2

RBAC three primary entities

Answer 2

users, roles, permissions

Users are assigned roles, which have permissions consisting of operations and objects

Question 3

Permissions consist of

Answer 3

Operations and objects

Question 4

User-Role Relation

Answer 4

This type of relation is created due to assignment of users to roles

For example, usually a user is assigned only a single role while a role could be assigned to multiple users ….

Question 5

Role-Permission Relation

Answer 5

This is the second primary relation in RBAC. Typically a role is assigned multiple permissions. Also a permission could be assigned to multiple roles. Hence theoretically, Role-Permission assignment relation is a many-to-many relation.

Question 6

Permission in RBAC

Answer 6

one can see that that a permission entity itself is composed of a combination of operations on objects

Operate-CustomerAcct Permission
Oper-Object (Read, CustomerAcct)
Oper-Object (AddTrans, CustomerAcct)
Oper-Object (DeleteTrans, CustomerAcct)

Question 7

Role Hierarchy

Answer 7

Roles can be organized as a hierarchy instead of a flat data.

By organizing the roles as a hierarchy, a role higher in the hierarchy can automatically inherit all permissions of the roles beneath it.

Question 8

RBAC Model Relations

Answer 8

User-Role (, )
Role-Perm (, )
Inherited-Role (, )

Question 9

RBAC Create Command

Answer 9

Create-User (Lee)
Create-Role (LoanOfficer)
Create-Permission (Operate-LoanAcct)

Question 10

RBAC Add Role Command

Answer 10

Add-UserRole (Mike, Teller)
Drop-UserRole (Mike, Teller)

Would result in the following relation added to RBAC model
User-Role (Mike, Teller)

Question 11

RBAC to add/drop role hierarchies

Answer 11

Add-InheritedRole (Customer-Rep, Teller)

Will result in

Inherited-Role (Customer-Rep, Teller)

Question 12

RBAC add role permission

Answer 12

Add-RolePerm (Teller, Read-LoanAcct)
Drop-RolePerm(Customer-Rep, Operate-LoanAcct)

will result in

Role-Perm (Teller, Read-LoanAcct)

Question 13

RBAC Advantages

Answer 13

Eliminates the need to assign permissions directly to the user

If a user’s job description or position changes, it is enough that the user is deleted from certain roles and assigned new roles that is appropriate to his/her new position.

If the permissions required for a given role changes, it is enough that permissions are added to or deleted from the corresponding role.

Question 14

RBAC Disadvantages

Answer 14

In some instances, there may be too many roles defined to enable users to do some one-time or emergency operations with the result it results in a situation called role proliferation.

When there are too many roles, the administrators may not update the permission set properly with the result some users may have more permissions than what is needed to perform their role.

In some instances, when a user changes job, the role assignments may not be properly changed.

Question 15

Attribute-based Access Control (ABAC)

Answer 15

In an ABAC model, as the name denotes, the access rights for a user or subject is based on the current values of attributes associated with subject, object and optionally environment as well.

Question 16

ABAC model variables

Answer 16

there are logical expressions called rules built using the combination of attributes of a subject, object and environment.

The outcome of evaluating these logical expressions using the values of attributes current at the time decides whether the subject’s access request can be allowed or not.

Question 17

ABAC Subject Attribute Examples

Answer 17

Assigned Identity (e.g., SSNO, Driver’s License number, Passport No)

Role (e.g., Accountant)

Age

Organization affiliation

Rank

Security Clearance etc

Question 18

ABAC Object Attribute Examples

Answer 18

Based on the type of project (e.g., Capital Project, Maintenance Project)

Based on the type of application (e.g., Purchase-Order Application, Budgeting Application)

Security Classification (Top Secret, Secret etc)

Owning Department (e.g., Manufacturing, Marketing etc)

Question 19

ABAC Environmental Attribute Examples

Answer 19

Time of the Day

Day of the Week

Threat Level

Network Segment (e.g., DMZ)

Question 20

Components of a logical expression

Answer 20

Entity, Attribute, Value

Ex. Entity = Subject, Attribute = Role, Value = Teller

Question 21

Distinguishing features of ABAC

Answer 21

The permissions are dynamic

The permissions have to be computed

Question 22

Most widely deployed means of defining ABAC model

Answer 22

platform-neutral XML-based language called XACML.

Question 23

XACML Specification primary sub-specifications

Answer 23

Structural and Syntax rules for encoding policies and rules – XACML Policy Language Structure

A functional architecture that presents the data flow for the entire authorization process.

Question 24

XACML Policy Language Structure

Answer 24

An ABAC Model definition using XACML contains at the topmost level a definition of a single PolicySet.

A PolicySet in turn consists of one or more Policy elements.

A Policy element in turn consists of one or more Rules.

Question 25

XACML Policy Set components

Answer 25

Target, the set of policies it contains and can also contain other policy sets (nested)

Question 26

XACML Policy components

Answer 26

This contains a Target and a set of one or more Rules. A Target defines the scope of resources (objects) over which the policy applies

Question 27

XACML Rules components

Answer 27

The Rules also contain a Target. In addition they contain a Effect and Conditions components. The semantics for Target is same as in PolicySet and Policy. Effect denotes whether it is a positive or negative permission. Conditions denote further restrictions on Target.

Question 28

PDP

Answer 28

Policy Decision Point The PDP is thus the core of the access decision engine performing key operations such as: parsing XACML Access Request, retrieving policies, obtaining additional attributes through PIP, evaluating policies and encoding the access decision response 5. The PDP requests any additional Subject, Resource and Environment attribute values from the Context Handler. 9. The PDP requests the PAP (or the repository where PAP has stored the policies for PDP access) for policies matching the request’s Target. 11. The PDP evaluates the related (applicable) policies and returns the authorization decision, encoded as an XACML Response Context to the Context Handler.

Question 29

PEP

Answer 29

Policy Enforcement Point The PEP enforces the authorization decision (either allow or deny) and also fulfills the obligations (if any). In some instances the PEP is tightly integrated with the application to enable fine-grained authorization. 2. The Access Requester sends an access request to PEP 3. The PEP sends the access request to the Context Handler in its native request format optionally including attributes of the Subjects, Resource, and Environment..

Question 30

PIP

Answer 30

Policy Information Point 7. The PIP obtains the requested attributes from Subjects, Resource & Environment.

Question 31

PAP

Answer 31

Policy Administration Point 1. The PAP writes policies and policy sets and makes them available to PDP 10. The PAP (or the policy repository manager) returns the requested policies.

Question 32

CH

Answer 32

Context Handler The Context Handler translates the XACML Response Context to the native response format of the PEP. The Context Handler returns the response to the PEP. 4. The Context Handler constructs an XACML Request Context, optionally adds attributes, and sends it to PDP 6. The Context Handler requests the attributes from PIP. 8. The Context Handler forwards those attributes (and optionally the relevant Resource content) to PDP.

Question 33

Memorize XACML Policy Language Structure

Answer 33

Policy Set contains Target, Policy, and PolicySet (nested) Police contains Target and Rule Rule contains Target, Effect (permit, deny), Conditions (Rule is satisfied if)