
Enforced Separation of Roles in a Multi-user Operating System

IP.com Disclosure Number: IPCOM000122574D
Original Publication Date: 1991-Dec-01
Included in the Prior Art Database: 2005-Apr-04
Document File: 3 page(s) / 151K

Publishing Venue

IBM

Related People

Steves, DH: AUTHOR [+2]

Abstract

Disclosed is a design for providing enforced separation of roles in a UNIX*-based multi-user operating system. Separation of roles is a key requirement in more secure systems and allows for greater accountability in system administration.

This is the abbreviated version, containing approximately 42% of the total text.


      Administering a computer system involves several discrete
tasks, including device installation and configuration, software
installation and configuration and security administration. System
administrators require special privilege in order to perform these
functions. In order to provide for greater security and integrity, it
is necessary to assign administrators the least privilege necessary
to perform the tasks necessary for their role.

      In traditional UNIX system administration, all privileges are
assigned to one user (root, also referred to as superuser). This form
of privilege is monolithic, because only one user can perform system
administration. This is, of course, counter to the notion of least
privilege. It is also counter to the way that most organizations run
their business. Most organizations require that accountability be
provided separately from control - that is, all decisions must be
separately auditable. This clearly is not provided by traditional
UNIX, since the superuser is the most powerful user on the system and
can access all resources, and so could subvert any attempt made to
audit his or her actions.

      Worse, however, even if the superuser could effectively be
audited, this would not establish accountability. In a typical
system, several users perform administrative tasks and, thus, many
different users will log onto the superuser account. Because of this,
individual accountability cannot be established.

      The disclosed design addresses these issues with two
mechanisms.  First, the superuser is turned into a
super-administrator. That is, the function of the superuser is mostly
restricted to administering other administrators and is not required
in day-to-day usage of the system. Most importantly, the system
provides "firewalls" between the superuser and other administrators
and between one administrator and another. These firewalls are
sufficient to enforce separation of roles.

      The super-administrator is required for only two functions.
These are initial installation and configuration of the Trusted
Computing Base and defining the roles of other system administrators.
The Trusted Computing Base consists of the system software and
hardware directly responsible for enforcing the system security
policy, and so the super-administrator's responsibilities here are
obvious and unavoidable. They are also generally sporadic (perhaps
once only), since installing hardware devices and operating system
software is done infrequently.
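A toy model of the two mechanisms described above (the superuser reduced to a super-administrator, and firewalls between the super-administrator and other administrators and between one administrator and another), added here as an illustration and not part of the original disclosure; the role names, privilege sets and the `RoleSystem` class are assumptions:

```python
from dataclasses import dataclass, field

# Constructed example: three administrative roles and the privileges each grants.
ROLE_PRIVILEGES = {
    "device_admin": {"install_device", "configure_device"},
    "software_admin": {"install_software", "configure_software"},
    "security_admin": {"manage_audit", "set_security_policy"},
}
# Operations reserved to the super-administrator: installing the TCB and
# administering other administrators (defining roles, assigning users to them).
SUPERADMIN_OPS = {"install_tcb", "define_role", "assign_role"}
SUPERADMIN = "root"


@dataclass
class RoleSystem:
    roles: dict = field(default_factory=lambda: {r: set(p) for r, p in ROLE_PRIVILEGES.items()})
    assignments: dict = field(default_factory=dict)  # user -> set of role names
    audit: list = field(default_factory=list)        # (user, operation, decision)

    def _decide(self, user, op, allowed):
        # Every decision is recorded against the individual user, never a shared account.
        self.audit.append((user, op, "ALLOW" if allowed else "DENY"))
        return allowed

    def superadmin_op(self, user, op, target=None, role=None, privs=None):
        """Firewall 1: only the super-administrator may administer administrators,
        and the super-administrator may do nothing else."""
        if user != SUPERADMIN or op not in SUPERADMIN_OPS:
            return self._decide(user, op, False)
        if op == "define_role":
            if not role:
                return self._decide(user, op, False)
            self.roles[role] = set(privs or ())
        elif op == "assign_role":
            # Assumption: the super-administrator may not hold an ordinary role itself.
            if role not in self.roles or target == SUPERADMIN:
                return self._decide(user, op, False)
            self.assignments.setdefault(target, set()).add(role)
        return self._decide(user, op, True)

    def admin_op(self, user, op):
        """Firewall 2: an administrator gets exactly the privileges of their own
        roles, so one administrator cannot reach into another's area."""
        granted = set().union(*(self.roles[r] for r in self.assignments.get(user, ())))
        return self._decide(user, op, op in granted)
```

Each entry in `audit` names the individual administrator who requested the operation, which is what makes the decisions separately auditable.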

      Administrative role configuration is done in three steps.
First, the super-administrator defines an administrative user. This
is done...