Role-Based Access Control in Ambient and Remote Space

Horst F. Wedde, Mario Lischka

Informatik III, University of Dortmund, 44221 Dortmund, Germany
{wedde,lischka}@ls3.cs.uni-dortmund.de

ABSTRACT

In the era of Ubiquitous Computing and world-wide data transfer, mobility, as an innovative aspect of professional activities, imposes new and complex problems of mobile and distributed access to information, services, and on-line negotiations for this purpose. This paper restricts itself to presenting a distributed and location-dependent RBAC approach which is multi-layered. Also an adapted form of Administration Nets [24] is presented which allows the scheduling of distributed on-line processes for automated location-dependent negotiating procedures, and for proving their correctness. Examples are discussed in some detail.

Categories and Subject Descriptors

D.4.6 [Software]: Operating Systems: Security and Protection; K.6.5 [Computer Milieux]: Management of Computing and Information Systems: Security and Protection

General Terms

security, management

Keywords

spatial, Petri-Nets, work-flow

1. INTRODUCTION

For some years, privacy of personal information has been a major concern with respect to data transfer across borders. After the latest version of the EU Directive on Data Protection [9] became effective on October 25, 1998, the US Department of Commerce issued the "Safe Harbor Principles" [20] on July 21, 2000. The negotiations between the EU and the US allowed for implementing these highly different standards in such a way that, after three years of practice, the cooperation within the combined framework was just found to provide adequate protection. Since personal information is an integral part of any authentication or authorization, a broad cooperation between European and US companies or institutions can be foreseen and will be appreciated. This will result in an abundance of novel research as well as practical problems for distributed authorization and authentication, due to the rapid technological progress in Ubiquitous Computing: the door is opened for data transfer between cooperating individuals or groups residing in their professional locations. A more exciting perspective stems from the mostly unlimited mobility of users who at the same time need, for extended professional work, to count on the availability of a huge number of services facilitating, if not enabling, the fulfillment of their extended job functions. The EU Commission has specifically anticipated this when designing its Sixth Framework Programme (6th FP). As an example, every research or development proposal under this programme within the section "Trust and Security" has to strictly adhere to at least one out of four scenarios (within the general 6th FP theme "Ambient Intelligent Space" [7]). In our context the first scenario, "Maria — Road Warrior", describes a professional role where Maria, while moving swiftly and regularly between countries and continents, takes advantage of third-party services that are negotiated on-line between automated distributed agents on behalf of Maria, her company, various widely distributed official agencies (customs, immigration) and service companies (hotels, rental car companies, even hairdressing stores).

This paper deals with the authorization problems arising from the mobility which is, or is soon to become, part of professional roles or profiles. We focus on modeling the authorization and (administration) processes within highly distributed yet predefined organizational relationships; we do not discuss ad-hoc meetings of strangers. For this purpose we assume that authentication of users moving between locations is taken care of by adequate measures, mostly based on certification (certificates stored on their personal computing devices and linked through a trust hierarchy). While an increasing amount of research is devoted to this new area, even organizational issues like connectivity between a diversity of wired and wireless networks pose hard problems to date. The technical discussion in this paper is based on, and extends, our distributed approach in Modular Authorization [22, 23]. (In turn, this borrows from the RBAC work presented in [13, 14].) At the same time we further pursue our work on Administration Nets [24] in order to adequately cope with distributed on-line negotiation processes and their administration. Here we are heading towards the design and verification of automated software tools and procedures.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. SACMAT'04, June 2–4, 2004, Yorktown Heights, New York, USA. Copyright 2004 ACM 1-58113-872-5/04/0006 ...$5.00.

Temporal aspects of access control have been intensively discussed in [2, 3], although that approach relies on mandatory access control (and is centralized as well). In [15] temporal constraints have also been utilized for modeling separation-of-duty aspects. Our own work on distributed administration processes is to be found in [24]. In order to define the security of context-aware applications, environment roles have been introduced [4, 5]. In this way some spatial and temporal aspects have already been addressed. The resulting role hierarchy in this centralized approach may well be difficult to manage for large systems. Our approach, in contrast, is decentralized. While the context constraints introduced in [16] are interesting ideas in their own right already under centralized control, our emphasis on location-dependent distributed access control, in particular on process modeling for negotiation and administration, does not relate to the work in [16], and it cannot really benefit from the evaluation techniques described there.

The rest of this paper is structured as follows: In section 2 we very briefly summarize our approach of Modular Authorization (as far as documented in [22]). In section 3 we introduce a trust level hierarchy and a location hierarchy which will be used for modeling security measures for hosts (3.1), communication channels between hosts (3.2), and eventually for the application of trust level constraints (3.3). After a few examples illustrating how this distributed formalism works (section 4), section 5 deals with the on-line negotiation of trusted communication channels and procedures, based on an adequate adaptation of our Administration Net model [24]. The concluding section summarizes our results and addresses future work.

2. MODULAR AUTHORIZATION

In order to overcome some drawbacks of centralized security administration in a distributed system we presented the concept of Modular Authorization [22]. This approach extended the research documented in [14, 13] to support a decentralized definition and administration of security policies. In this section we briefly describe these concepts.

2.1 Roles and Units

As in many models that are based on role-based access control (RBAC) (e.g. [10]), a role is a job function or job title within an organization with some associated semantics regarding the authority and responsibility conferred on a member of the organization. In our approach we additionally define a structure to model organizational entities such as departments or project groups. Such a structure is termed a unit. As a subject may play different roles in different units, we want to specify access rights, or constraints, for a particular subject w.r.t. her or his membership in a unit. Consequently, every access right will be specified to apply to a pair (⟨role⟩, ⟨unit⟩), and subjects are assigned a role in a unit. This is in contrast to other approaches [17] which refer to the organizational unit only during the assignment of roles. Formally we consider a unit as a set of subjects and objects for pursuing (possibly very complex) tasks. Roles are hierarchically ordered, and access rights will be formulated according to this hierarchy. There is also a hierarchical order defined for all units which represents the structure of an organization.

2.2 Authorization Sphere

One key aspect of our modular authorization language is a decentralized definition of the access policies through local authorization teams which have shared privileges of administering the authorization rules, sets of roles and units, and the related hierarchies. We assume that a subordinate/local authorization sphere has a more detailed insight into the processes and roles and the access privileges necessary. The access policy of a local authorization team, expressed through a set of rules, is valid for a well–defined set of subordinate units. We call this set the authorization sphere of an authorization team. An authorization team consists of all subjects who jointly may modify the set of rules of this authorization sphere. An authorization sphere is a special unit. Every unit is under the control of an authorization sphere, and authorization spheres do not overlap. In our model authorization is partially organized in a modular fashion, through the different authorization teams. At the same time we have an inheritance principle built into our model, which is based on hierarchical relationships between authorization spheres. Conflicts may arise if the access rules of two or more (unrelated) authorization spheres are inherited by one subordinate sphere, e.g. one authorization sphere might grant a specific access a to an object o through subject s while the other one denies it according to their (local) rules. We also dealt with the detection of such conflicts and general strategies for their resolution, modeled through “grant” rules (see section 2.5, and for details [22]), as well as for specifying adequate administration processes to determine concrete rules resolving a given conflict (see [24]).

2.3 Formal Definition

The denotations used for entities defined in the system are listed in table 1 and used to specify the modular authorization language. The units are partially ordered into (U, >) according to the unit hierarchy (so that, e.g., as′ > u relates an authorization sphere as′ to a unit u below it). The roles are also partially ordered into (R, ∝) (according to the role hierarchy). As shown in table 1 there are also seven sets of named variables denoting elements from the corresponding sets. Terms are defined as the union of variables and elements of a specific set. For the following we assume throughout as, as′ ∈ AST, s ∈ ST, o ∈ OT, r, r′ ∈ RT, u, u′ ∈ UT, t ∈ TT, a ∈ ACT, ⟨sign⟩ ∈ {+, −}.
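The following is an added example, not code from the paper or its authors, showing how the concepts of sections 2.1 to 2.3 fit together: roles and units as partial orders, access rules that apply to (⟨role⟩, ⟨unit⟩) pairs and carry a ⟨sign⟩ ∈ {+, −}, authorization spheres whose rules are inherited along the unit hierarchy (section 2.2), and detection of the conflict that arises when one subordinate sphere inherits a grant from one unrelated sphere and a denial from another. The organization (a joint project unit below both a sales and a research unit), the subject names and the rules are constructed for illustration; the assumption that a rule of a more local sphere overrides rules inherited from spheres above it is mine, not something the page states.

```python
"""Toy model of Modular Authorization (section 2): roles and units as
partial orders, signed access rules for (role, unit) pairs, authorization
spheres whose rules are inherited along the unit hierarchy, and detection
of conflicts between unrelated spheres.  Added example, not the paper's own
code; the organization, names and rules are constructed for illustration."""
from collections import namedtuple
from itertools import product

# A rule grants (+) or denies (-) an access method on an object to every
# subject who holds role `role` (or a senior role) in unit `unit` (or a
# subordinate unit).  `sphere` is the authorization sphere that issued it.
Rule = namedtuple("Rule", "sign role unit access obj sphere")


def closure(edges):
    """Strict partial order induced by (lower, upper) edges: (x, y) is in
    the result iff there is a path from x upwards to y."""
    order = set(edges)
    changed = True
    while changed:
        changed = False
        for (a, b), (c, d) in product(list(order), repeat=2):
            if b == c and (a, d) not in order:
                order.add((a, d))
                changed = True
    return order


def at_or_above(order, x, y):
    """True if x is y itself or lies above y in the hierarchy."""
    return x == y or (y, x) in order


# Constructed role hierarchy: a lead inherits everything a member may do.
ROLES = closure({("member", "lead")})
# Constructed unit hierarchy: the joint project is subordinate to both the
# sales and the research unit, so it inherits rules from two unrelated spheres.
UNITS = closure({("sales", "company"), ("research", "company"),
                 ("joint", "sales"), ("joint", "research")})
# Every unit is also its own authorization sphere here (spheres never
# overlap), and the order on spheres follows the order on units.
SPHERES = UNITS

# Subject -> set of (role, unit) assignments, as required by section 2.1.
ASSIGNMENTS = {
    "alice": {("member", "joint")},
    "bob":   {("lead", "sales")},
    "carol": {("member", "research")},
    "dave":  {("member", "company")},
}

# Constructed rule base; one rule per sphere, all about the same object.
RULES = [
    Rule("+", "member", "sales",    "read", "customer_db", "sales"),
    Rule("-", "member", "research", "read", "customer_db", "research"),
    Rule("-", "member", "company",  "read", "customer_db", "company"),
]


def applicable(subject, access, obj):
    """Rules that cover at least one of the subject's (role, unit) pairs:
    a senior role inherits the rule, and so does a subordinate unit."""
    return [r for r in RULES for (role, unit) in ASSIGNMENTS[subject]
            if r.access == access and r.obj == obj
            and at_or_above(ROLES, role, r.role)
            and at_or_above(UNITS, r.unit, unit)]


def decide(subject, access, obj):
    """Return 'grant', 'deny' or 'conflict'.  Assumption (not on the page):
    a rule issued by a subordinate sphere overrides rules inherited from
    spheres above it, so only rules of mutually unrelated spheres can clash.
    With no applicable rule the policy is closed, i.e. 'deny'."""
    rules = applicable(subject, access, obj)
    most_local = [r for r in rules
                  if not any(o is not r and (o.sphere, r.sphere) in SPHERES
                             for o in rules)]
    signs = {r.sign for r in most_local}
    if signs == {"+", "-"}:
        return "conflict"          # unrelated spheres disagree (section 2.2)
    return "grant" if signs == {"+"} else "deny"


if __name__ == "__main__":
    for who in ASSIGNMENTS:
        print(who, decide(who, "read", "customer_db"))
```

Running the block prints one decision per subject: alice, who is a member of the joint project, triggers the conflict described in section 2.2 because the sales sphere grants and the research sphere denies the same access and neither sphere is above the other; bob's grant from the sales sphere overrides the company-wide denial inherited from above; carol and dave are simply denied. A real implementation would replace the quadratic `closure` with a graph library and attach the resolution ("grant" rules of section 2.5 and the administration processes of [24]) where `decide` returns 'conflict'.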

2.4 Feature Predicates

Feature Predicates characterize the variables used to describe the scope of access rules. This covers subjects, objects, and authorization spheres. More feature predicates describing the ownership, signature on objects, object-types, and attributes of objects have been defined in [22]. In this way feature predicates are particularly used to model the scope of access policies. The set F contains all feature predicates defined in the system.

Table 1: Set of Variables and Terms

                            terms         variables        sets
    units                   UT     =      VU        ∪      U
    authorization spheres   AST    =      VAS       ∪      AS
    roles                   RT     =      VR        ∪      R
    subjects                ST     =      VS        ∪      S
    objects                 OT     =      VO        ∪      O
    object-types            TT     =      VT        ∪      T
    access-methods          ACT    =      VAC       ∪      AC

[Figure 1: Spatial Environment. Recoverable labels only: host A, host B, host C; channel AB, channel BC; control/monitoring, processing, storage.]

tures for the remote information access under user mobility will depend on the hosts and channels involved. The general model used in this paper is shown in figure 1. The spatial context of subjects or object storage will result in the assignment of a trust level. Trust levels are hierarchically ordered. The actual name or the granularity of the trust levels may vary between different organizations. Consequently there might be different hierarchies. Let TL be the set of trust levels defined in an organization which are partially ordered into (TL,