Browse Prior Art Database

Enhanced granular RBAC

IP.com Disclosure Number: IPCOM000197259D
Publication Date: 2010-Jun-30
Document File: 5 page(s) / 2M

Publishing Venue

The IP.com Prior Art Database

Abstract

An idea is disclosed that aims at achieving Enhanced Granular RBAC. The core idea is to provide RBAC the ability to segment duties based on the resources. Current RBAC provides authorizations to the regular users who can gain access to administrative commands and can execute these commands on any resource which comes under the purview of assigned commands. The idea provides intelligence to the existing RBAC to restrict authorized users’ access to critical resources.

This text was extracted from a PDF file.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 48% of the total text.

Page 1 of 5

Enhanced granular RBAC

Enhanced granular RBACEnhanced granular RBAC

Role Based Access Control (RBAC)

RBAC provides division of system duties. The system administrator gets the ability to designate tasks to general users that traditionally would be performed by the root user, or via the setuid/setgid.

Enhanced RBAC command execution process on AIX

Figure 1. Current Enhanced RBAC Flowchart

When a user executes a command , the command is first checked whether it needs RBAC or not by checking against Command Database, which has command and access entries in stanza format.

If the command exists in the database, a check will be performed against the authorizations associated with the user's session

If the session has one of the authorizations listed, then the user will be allowed to execute the command regardless of whether the user passes the DAC execution checks for the command.

If a command does not have an entry in the database then it is not a RBAC "privileged command" and access to it is enforced by DAC and the command itself. If a command is listed in

1

[This page contains 1 picture or other non-text object]

Page 2 of 5

the privileged command database but the invokers session does not have an authorization that allows execution of the command, the DAC and UID/GUID checking will still be used to allow execution if those checks succeed.

Problems & Need for additional Solution for RBAC implementation on AIX

The problem with current RBAC implementation on AIX is that the granularity is provided at command level. Consider aix.fs authorization (i.e.privilege for executing file system commands on any file system) assigned to role R1.

Assume, role R1 is assigned to user U1 then U1 can perform all file system operations on any file system. There is no way to limit the resource on which U1 can perform operations

U1 can

perform undesired operations like rmfs, chfs, etc. on business critical file systems thereby creating a critical impact on customer's business.

Consider a scenario shown in figure below:

.

Figure 2. Network authorization problem

Assume aix.network authorization is assigned to user U2 through a role.

to operate on both LAN1 and LAN2. U2 can view network packets, monitor, modify network characteristics and as well delete the network on both LAN1 and LAN2.

But if the requirement is to have U2 to monitor, modify and delete n/w characteristics of LAN1, and to only monitor and trace LAN2, then the current Enhanced RBAC fails to provide the solution to this level of granularity.

Need for a Enhanced granular RBAC

2

Now, U2 gets the power

[This page contains 1 picture or other non-text object]

Page 3 of 5

Current RBAC only aims at division of system functionality at command level. But it fails to provide any prevention mechanism for restricting unauthorized operations on system resources by the authorized user. Therefore, there is a need for an Enhanced granular RBAC on both command and resource-level to provide a more robust securit...