Access Control Model and Policies for Collaborative Environments
Total Page:16
File Type:pdf, Size:1020Kb
Hasso–Plattner–Institut fuer Softwaresystemtechnik an der Universitaet Potsdam Access Control Model and Policies for Collaborative Environments Dissertation zur Erlangung des akademischen Grades “Doctor rerum naturalium” (Dr. rer. nat.) am Fachgebiet Internet Technologien und Systeme eingereicht an der Mathematisch–Naturwissenschaftlichen Fakultaet der Universitaet Potsdam von Wei Zhou Potsdam 2008 Abstract To effectively participate in modern collaborations, member organizations must be able to share specific data and functionality with the collaborative partners, while ensuring their resources are safe from inappropriate access. This requires access control models, policies, and enforcement mechanisms for collaborative systems. This thesis describes my research work that concerns two important issues in collaborative systems: access control model and policies. Team and Task based RBAC (TT-RBAC) Model. TT-RBAC extends the Role-Based Access Control (RBAC) model through adding sets of two basic data elements called teams and tasks. TT-RBAC model as a whole is defined in terms of individual users being assigned to roles and teams, roles and tasks being assigned to teams, and permissions being assigned to roles and tasks. By virtue of team membership, users get access to team’s resources specified by assigned tasks. However, for each user, the exact permissions he/she obtains to a team’s resources will be determined by his/her roles and current activity of the team. The team defines a small and specific RBAC application zone, through which we can preserve the advantages of scalable security administration that RBAC-style models offer and yet offers the flexibility to specify fine-grained control on individual users in certain roles and on individual object instances. The integrated context constraints make the TT-RBAC be an active security model. Function-Based Authorization Constraints. Authorization constraints are an important aspect of RBAC and its various extensions. They are often regarded as one of the principal motivations behind these access control models. There are two important issues relating to constraints: their specification and their enforcement. However, the existing approaches cannot comprehensively support both of them. We designed two novel authorization constraint schemes named prohibition constraint scheme and obligation constraint scheme respectively. They can be used for both expressing and enforcing authorization constraints. These schemes are strongly bound to authorization entity set functions and entity relation functions that could be directly mapped to the functions that need to be developed in application systems. Thus, these schemes provide the developers a clear view about which functions should be developed in an authorization constraint system. Based on these functions, various constraint schemes can be easily defined and then enforced. A constraint system could be scalable through defining new entity set and relation functions. This approach goes beyond the well known separation of duty constraints, and considers many aspects of entity relation constraints. Label-Based Access Control Policy (LBACP). In collaborative systems, the participants and trust relationships may be dynamically changed and the authorization policies have to explicitly specify which users from which organizations can access which resources. When there are many organizations involved and these organizations need to be dynamically added or removed, it will bring considerable burden to the administration. So it would be better to move such dynamic information to some separated control policies. For this purpose, we developed the LBACP. Its basic principle is defining some labels that specify information flow constraints and then assigning them to other access control policies or their components. The usage of the labeled policy components must conform to the information flow constraints defined by the labels in order to avoid them being misused. The LBACP can reduce the burden of security 3 administration and avoid information leaks in collaborative environments. LBACP is a high level security policy layered on the top of normal access control policies. Root Policy. In collaborative environments, there may involve several independent autonomous domains; each of them may have its own security mechanisms and policies; these mechanisms and policies should be combined together and enforced as one at runtime. Authorization in such a system needs to be flexible and scalable to support multiple security mechanisms and policies. We developed the root policy specification language that is used to specify multiple heterogeneous authorization policies’ combination and the mechanism that is used to enforce these root policies. In a root policy, each involved authorization policy’s storage, trust management and enforcement can be defined independently. Various policy combination algorithms and flexible context constraints enable the root policy to deal with complex authorization scenarios. On the other hand, multiple root policies can cooperate together to complete more complex authorization tasks in distributed fashion. 4 Zusammenfassung Um eine effektive Teilnahme an modernen Kollabrationen zu ermöglichen, müssen beteiligte Organisationen fähig sein, spezifische Daten und Funktionalität mit ihren Partnern auszutauschen und dabei sicherstellen, dass die eigenen Ressourcen sicher vor unerlaubten Zugriff sind. Dies verlangt nach Zugriffskontrolle, Policies und Mechanismen für kollaborative Systeme. Diese Dissertation beschreibt meine Forschungsarbeit, welche zwei wichtige Belange in kollaborativen Systemen betrifft: Zugriffskontrolle und Policies. Function-Based Authorization Constraints. Es existieren zwei wichtige Belange in Bezug auf Authorisierungseinschränkungen: Ihre Spezifizierung und ihre Durchsetzung. Jedoch können existierende Ansätze nicht beide Belange umfassend unterstützen. Im Rahmen meiner Arbeit habe ich neuartige Schemata für Authorisierungsaeinschränkungen entworfen, genannt „prohibition constraint scheme“ und „obligation constraint scheme“. Diese Schemata sind mit entity set functions und entity relation functions im Bereich der Authorisierung verwandt, die direkt auf die für Anwendungsszenarien zu entwickelden Funktionen abgebilded werden können. Basierend auf diesen Funktionen können verschiedene Schemata für Einschränkungen einfach definiert und durchgesetzt werden. Team and Task based RBAC (TT-RBAC) Model. TT-RBAC erweitert das rollenbasierte Zugriffskontrollmodell durch die Hinzunahme von zwei grundlegenden Datenelementen, genannt Team und Aufgabe. Das TT-RBAC model ist im Wesentlichen definiert durch die Zuordnung von einzelnen Benutzern zu Rollen und Teams, die Beziehung zwischen Rollen und Aufgaben zu Teams und Berechtigungen, welche wiederum Rollen und Aufgaben zugewiesen sind. Aufgrund der Teamzugehörigkeit erhalten Benutzer Zugriff auf Ressourcen, die durch Aufgaben zugewiesen sind. Das Team definiert eine kleine und spezifische RBAC Anwendungszone, durch welche die Vorteile der skalierbaren Sicherheitsadministration erhalten werden können, die durch RBAC-Modelle geboten werden. Überdies wird eine Flexibilität erreicht durch die genaue Kontrolle von individuellen Benutzern in spezifischen. Label-Based Access Control Policy (LBACP). Das grundlegende Prinzip von LBACP stellt die Definition von Auszeichnungen (labels) dar, die den Informationsfluss spezifizieren und deren Zuweisung zu anderen Authorisierungspolicies oder ihren Komponenten. Der Einsatz von solchen Policies oder Policy-Komponenten muss den Einschränkungen hinsichtlich des Informationsflusses folgen, welche durch die Label spezifieziert sind. LBACP kann zu ereiner Veringerung des Administrationsaufwandes führen und potentielle Sicherheitslücken ausschließen. Insgesamt stellt LBACP eine Abstraktionsschicht über herkömmliche Zugriffskontroll-Policies dar. Root Policy. In kollaborativen Umgebungen wird eine flexibele und skalierbare Autorisierung benötigt, um verschiedene Sicherheitsmechanismen und Policies zu unterstützen. Dazu habe ich im Rahmen meiner Arbeit ein System genant Root-Policy entwickelt, welches verschiedene Sicherheitsmechanismen und Policies spezifizieren und durchstzen kann. In einer Root-Policy kann die Speicherung von Autoriesierungspolicies, das Trust-Management und deren Durchsetzung unabhängig voneinander definiert werden. Darüberhinas können verschiedene Root-Policies zusammen kooperieren, um verteilte Szenarien zu bedienen. 5 6 To my wife Dongyun Zhang and daughter Ziqi Zhou To my parents Kuiwu Zhou and Shijie Wu 7 8 Preface This dissertation is the result of my own work and includes nothing which is the outcome of work done in collaboration. The pronouns ‘we’ and ‘our’ in the text, which have been used for stylistic reasons, should be taken to refer to the singular author. This dissertation is not substantially the same as any that I have submitted for a degree or any other qualification at any other university. No part of this dissertation has already been, or is being currently submitted for any such degree, diploma or other qualification. This dissertation does not exceed 60,000 words including tables and footnotes, but excluding bibliography and diagrams. 9 10 Acknowledgements This work would have not been possible without the continuous guidance, advice, support, and encouragement from my PhD supervisor, Prof. Dr. Christoph Meinel at University of Trier, and later at University of Potsdam. Throughout my pursuit