For the logic to support reasoning about a specific RBAC policy, it must provide ways to express the following components: (1) RBAC entities (e.g., users, roles, permissions), (2) role activation and user requests, and (3) the role-inheritance relationship. We consider these components in turn.
4.1 Describing RBAC Entities
We represent users and roles as principals in the logic, and we represent permissions as primitive propositions. $UA$ and $PA$ are jointly represented in the logic as statements of the form

$$U \mathrel{\mathit{serves}_{RA}^{ap(R)}} R,$$

where $RA$ represents a role authority that certifies that the user $U$ has the right to act in the role $R$, and $ap(R)$ is the set of propositions corresponding to the permissions in the set $\mathit{authorized\ permissions}(R)$.¹ Simply put, $U \mathrel{\mathit{serves}_{RA}^{ap(R)}} R$ indicates that user $U$ is an authorized user of role $R$ and may make requests involving permissions associated with $R$.
The reference monitor's ultimate decision on whether to grant a request $q$ is based on a series of access-control list (ACL) entries, each of which can be expressed as

$$((U \mathrel{\mathit{for}_{RA}} R)\ \mathit{says}\ q) \supset q,$$

where $U \in \mathit{authorized\ users}(R)$ and $q \in \mathit{authorized\ permissions}(R)$. That is, if the reference monitor can verify that (1) a user $U$ is making the request $q$ while activated in the role $R$, and (2) $q$ is a permission associated with role $R$, then the reference monitor will grant the request.
4.2 Describing User Requests
In RBAC, all requests by users are made within the context of a role. The result is that two principals—the user and the role—are involved in all requests. We use quoting to describe role assertions (e.g., $U \mid R$) and the $\mathit{says}$ operator to represent the actual requests. For example, a user $U$ asserting role $R$ and making a request $q$ is represented as $U \mid R\ \mathit{says}\ q$. Multiple requests can be expressed through conjunction, as in $U \mid R\ \mathit{says}\ (q_1 \wedge q_2)$ or $(U \mid R_1\ \mathit{says}\ q_1) \wedge (U \mid R_2\ \mathit{says}\ q_2)$.

Note that the statement $U \mid R\ \mathit{says}\ q$ does not guarantee that $U$ is authorized for role $R$: it merely states that $U$ is claiming to be acting in role $R$. There is no danger, however, that an inappropriate request will be granted: the ACL entry requires the reference monitor to deduce (via Role Del) that $(U \mathrel{\mathit{for}_{RA}} R)\ \mathit{says}\ q$, which is possible only when $U$ is authorized for role $R$.
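To make the deduction concrete, the following Python model of the reference monitor is added here as an example; it is not code from the original text. It covers both the serves statements and ACL entries of Section 4.1 and the quoted requests of Section 4.2. The policy it uses (roles doctor and nurse, users alice and bob, permissions read_chart and write_rx, a single role authority RA) is constructed for illustration, and the premises it gives Role Del (a matching serves statement and q in ap(R)) are an assumption consistent with the text, which only states that the deduction succeeds when U is authorized for R.

```python
"""Toy reference monitor for the RBAC encoding in the access-control logic.

Added example, not from the original text.  Three statement forms are modelled:

  U serves_{RA}^{ap(R)} R           UA and PA together, certified by authority RA
  U | R says (q1 ∧ q2 ∧ ...)         U, quoting role R, requests the permissions qi
  ((U for_{RA} R) says q) ⊃ q        one ACL entry per authorized (U, R, q)

Role Del is assumed to need a serves statement for (U, R) with q ∈ ap(R);
the text only says the deduction is possible when U is authorized for R.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Serves:
    """U serves_{RA}^{ap} R: authority certifies user for role with permission set ap."""
    user: str
    role: str
    authority: str
    ap: frozenset


@dataclass(frozen=True)
class Request:
    """U | R says (q1 ∧ q2 ∧ ...): a quoted request; each conjunct is checked alone."""
    user: str
    role: str
    perms: tuple


@dataclass(frozen=True)
class ForSays:
    """(U for_{RA} R) says q: the statement an ACL entry's antecedent requires."""
    user: str
    authority: str
    role: str
    perm: str


def build_policy(ua, pa, authority):
    """ua: role -> authorized users; pa: role -> authorized permissions.
    Returns the serves statements and the ACL entries (one per (U, R, q))."""
    serves, acl = set(), set()
    for role, users in ua.items():
        ap = frozenset(pa.get(role, ()))
        for u in users:
            serves.add(Serves(u, role, authority, ap))
            for q in ap:
                acl.add(ForSays(u, authority, role, q))  # ((U for_RA R) says q) ⊃ q
    return serves, acl


def role_del(serves, req, q):
    """Assumed Role Del: from U serves_{RA}^{ap(R)} R and U | R says q with
    q ∈ ap(R), conclude (U for_{RA} R) says q.  A bare claim U | R with no
    serves statement, or a q outside ap(R), derives nothing."""
    for s in serves:
        if s.user == req.user and s.role == req.role and q in s.ap:
            return ForSays(req.user, s.authority, req.role, q)
    return None


def decide(serves, acl, req):
    """Reference monitor: grant q only if Role Del yields (U for_RA R) says q
    AND an ACL entry with exactly that antecedent exists."""
    verdict = {}
    for q in req.perms:
        stmt = role_del(serves, req, q)
        verdict[q] = stmt is not None and stmt in acl
    return verdict


# Constructed sample policy (hypothetical users, roles and permissions).
UA = {"doctor": {"alice"}, "nurse": {"bob"}}
PA = {"doctor": {"read_chart", "write_rx"}, "nurse": {"read_chart"}}
SERVES, ACL = build_policy(UA, PA, authority="RA")

if __name__ == "__main__":
    for req in (
        Request("alice", "doctor", ("read_chart", "write_rx")),  # authorized
        Request("bob", "doctor", ("write_rx",)),   # bob merely claims doctor
        Request("bob", "nurse", ("write_rx",)),    # q not in ap(nurse)
        Request("bob", "nurse", ("read_chart",)),  # authorized
    ):
        print(f"{req.user} | {req.role} says {req.perms} -> {decide(SERVES, ACL, req)}")
```

The second request shows the point of the paragraph above: `bob | doctor says write_rx` is a legitimate statement of the logic, but with no serves statement for (bob, doctor) Role Del derives nothing, so no ACL entry fires. The authority subscript is part of the antecedent as well: a serves statement issued by some other authority would at best yield `(U for_{RA2} R) says q`, which matches no ACL entry written for RA, so the request is still refused.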
4.3 Describing Role Inheritance
The relationship $R_1 \; R_2$ is expressed in the logic by the formula $R_1 \;{}^{ap(R_2)}\; R_2$, which is syntactic sugar for $(R_1 \Rightarrow (R_2 \;{}^{ap(R_2)}\; R_1) \; R_2) \wedge$

¹ Henceforth, we shall blur the distinction between actual permissions and the primitive propositions that are associated with them.