dc.description.abstract |
An administrative role-based access control (ARBAC) model specifies administrative
policies over a role-based access control (RBAC) system, where an administrative permission
has the capability to modify an RBAC policy by updating permissions assigned to
roles, or assigning/revoking users to/from roles. Enforcing ARBAC policies over an active
access controller while some users are using protected resources may result in conflicts:
a policy may be in effect in the RBAC system while being modified by an administrative
operation. Towards solving this concurrency problem, this dissertation proposes a session-aware
administrative model for RBAC to manage the interactions and potential conflicts
between access control evaluation and the administrative operations. Based on this model,
this dissertation specifies the concurrency requirements of an ARBAC model: (1) revoke
an activated role or delete an active session immediately, and (2) delay administrative operations.
This dissertation introduces the concept of lock scope for a role. This captures the
affected roles when the permissions granted to this role are modified due to administrative
operations.
Considering that eXtensible Access Control Markup Language (XACML) is the de facto
language to specify access control policies for Web Services, this dissertation proposes the
XACML profile for administrative RBAC (XACML-ARBAC) which is the extension of
the XACML-RBAC profile with the proposed session-aware administrative model. One
of the advantages of doing so is to use XACML policies to administer XACML-RBAC
policies. The XACML policy evaluation runtime is enhanced by introducing a locking
manager and a special administrative policy enforcement point (A-PEP). The lock manager
handles concurrency control issues that arise when enforcing the XACML-ARBAC profile.
The A-PEP competes for read-write locks on RBAC and ARBAC policies in conjunction with
the evaluation engine of the access controller.
Along with the administrative model, the fine-grained and flexible permission delegation
capability of the RBAC system has obtained considerable adoption in the last
decade. The OASIS technical committee published the XACML v3.0 administration and
delegation profile (XACML-Admin) working draft on April 16, 2009 in order to provide
policy administration and dynamic delegation services to the XACML runtime. To capture
the concurrency control requirements for delegation, this dissertation further proposes
that the XACML-ARBAC profile is augmented with role-based delegation, named role-based
administration and delegation XACML profile (XACML-ADRBAC). The XACML-ADRBAC
profile has two novel properties: scalability (it facilitates delegating permissions
to a large number of users with the same permission assignment) and flexibility (it allows
a delegator to delegate any subset of the permissions assigned to him/her and modify the delegated
permissions whenever required). Correspondingly, the proposed XACML-ARBAC
enforcement mechanism is also enhanced to enforce the XACML-ADRBAC. To the best of the
author's knowledge, this proposal is the first method to enforce the XACML-Admin
profile proposed by OASIS.
To demonstrate the feasibility and performance of the framework, a prototype is implemented
to enforce the XACML-ARBAC profile by augmenting Sun Microsystems’s
XACML reference implementation. Experimental studies show that the system has reconcilable
performance characteristics.
|
|