A FAMILY OF MODELS FOR RULE-BASED USER-ROLE ASSIGNMENT by

A FAMILY OF MODELS FOR RULE-BASED USER-ROLE ASSIGNMENT Mohammad Abdullah Al-Kahtani, Ph.D. George Mason University, 2003 Dissertation Director: Dr. Ravi Sandhu Conventional role based access control (RBAC) was designed with closed-enterprise environment in mind where a security officer(s) manually assigns users to roles. However, today, an increasing number of service-providing enterprises make their services available to users via the Internet. Furthermore, many enterprises have users (i.e. workers and/or clients) whose numbers can be in the hundreds of thousands or millions. In addition, RBAC is being supported by software products designed to serve large number of clients such as popular commercial database management systems. All these factors render the manual user-to-role assignment a formidable task which is costly and error-prone. An appealing solution is to automate the assignment process. Besides eliminating the drawbacks of its manual counterpart, automatic assignment, particularly in the case of external user (i.e. clients), extends enterprise-consumers business partnership. In fact some large enterprises have already implemented systems that assign and revoke users automatically, and many of them have achieved 90-95% automation of administration. Our work lays the theoretical foundation for the implementation of the assignment process. It also serves as a benchmark for software implementations. In this dissertation, we describe a family of models called RB-RBAC that extends and modifies RBAC96, a well-known RBAC model, to allow the specification of automatic (implicit) user-role assignment. Model A allows specifying a set of authorization rules that can be used to assign users to roles based on users’ attributes. Model B extends Model A to allow specifying negative authorization and mutual exclusion among roles. Model C extends Model A to allow constraints specification. To show the power and usefulness of RB-RBAC, we demonstrate how it can be configured to express Mandatory Access Controls (MAC) and Discretionary Access Controls (DAC). In addition to RB-RBAC family, we developed an administrative model, ARB-RBAC, which provides the specification needed to administer users’ attributes and authorization rules. Our work demonstrates that it is possible to modify RBAC96 to allow implicit user-role assignment and, at the same time, retain the central features of RBAC96.