Role Based Access Control Flashcards
What is the purpose of roles in RBAC?
Roles function as an intermediary between users and permissions. In RBAC, no subject or object is assigned permissions directly. Instead, users are assigned roles, and each role provides a set of permissions. Administrator is an example of a role.
What is a session in RBAC?
A session is simply the relationship between a user and the roles that user has activated.
Why are RBAC models the most used in the real world?
They are conceptually easier to understand and align nicely with how organizations are structured. Different people have different responsibilities, which are reflected in their different levels of access to the system as a whole and to the resources within it. These responsibilities can easily be encapsulated into roles, which are then assigned to the different users.
What are constraints in the RBAC model?
There are many possible constraints in the RBAC model. Some of the more important ones are:
- Mutual exclusivity: some roles cannot be held at the same time.
- Cardinality: an upper limit on the number of roles assigned to a user at a time.
- Prerequisite roles: a user may only be assigned a given role if that user already holds a specific other role, e.g., a user cannot become administrator immediately.
What are static separation of duty relations in RBAC?
These relations (SSD) enable the definition of mutually exclusive roles. For instance, if a user is assigned to one role in a set of roles, that user cannot be assigned to another role in the same set.
An example of an SSD is a cardinality constraint on the number of active roles per user, e.g., no user can have more than two roles per session.
What is dynamic separation of duty relations in RBAC?
These relations (DSD) limit the permissions available to a given user by placing constraints on the roles that can be activated within or across sessions. For instance, no user may activate more than one role per session.
These relations are more complex but offer finer granularity. One key advantage is that administrators can specify a user's capabilities differently across times and sessions.
What is the major downside with RBAC?
RBAC is not designed for information flow control. In simpler terms, by focusing on groups of users there is less specificity about the information flow between particular subjects and/or objects. If a special requirement arises, a new role must be tailored for the relevant users.