The Role Graph Model and Conflict of Interest

TheRoleGraphModelandConflictofInterestMATUNDANYANCHAMAandSYLVIAOSBORNTheUniversityofWesternOntarioWedescribeinmoredetailthanbeforethereferencemodelforrole-basedaccesscontrolintroducedbyNyanchamaandOsborn,andtherole-graphmodelwithitsaccompanyingalgorithms,whichisonewayofimplementingrole-rolerelationships.Analternativeroleinsertionalgorithmisadded,anditisshownhowtherolecreationpoliciesofFernandezetal.correspondtoroleadditionalgorithmsinourmodel.Wethenuseourreferencemodeltoprovideataxonomyforkindsofconflict.Wethengoontoconsiderinsomedetailprivilege-privilegeandrole-roleconflictsinconjunctionwiththerolegraphmodel.Weshowhowrole-roleconflictsleadtoapartitioningoftherolegraphintononconflictingcollectionsthatcantogetherbesafelyauthorizedtoagivenuser.Finally,inanappendix,wepresenttherolegraphalgorithmswithadditionallogictodisallowrolesthatcontainconflictingprivileges.CategoriesandSubjectDescriptors:D.4.6[OperatingSystems]:SecurityandProtection—accesscontrols;K.6.5[ManagementofComputingandInformationSystems]:SecurityandProtection;G.2.2[DiscreteMathematics]:GraphTheory—graphalgorithmsGeneralTerms:Algorithms,Management,SecurityAdditionalKeyWordsandPhrases:role-basedsecurity,rolegraphs,conflictofinterest1.INTRODUCTIONRole-basedaccesscontrolprovidesawayofmanagingauthorizationstoperformtasksincomplexsystemswithmanyusersandmanyresources[Sandhuetal.1996].Rolesareusedtogrouppermissionstogetherinwaysthatmakesenseintheenterpriseortheapplicationenvironment.Individ-ualusersorgroupsofpeoplecanthenbeassignedtotherolesasrequired.Rolesprovideaverynaturalandpowerfulwayforanenterpriseadmin-istratororsecurityofficertodescribetheprivilegesofvariousjobfunctions.Thispaperdescribesourreferencemodelandhowitfitsintoasystem’sauthorizationscheme.Inourpreviouswork,wealsointroducedaroleAuthors’addresses:M.Nyanchama,Ernst&YoungTower,90BurnamthorpeRoadWest,Suite1100,TheUniversityofWesternOntario,Mississauqa,ONL5B-3C3,Canada;email:matunda.nyanchama@ca.eyi.com;S.Osborn,DepartmentofComputerScience,TheUniver-sityofWesternOntario,London,ONN6A5B7,Canada;email:sylvia@csd.uwo.ca.Permissiontomakedigital/hardcopyofpartorallofthisworkforpersonalorclassroomuseisgrantedwithoutfeeprovidedthatthecopiesarenotmadeordistributedforprofitorcommercialadvantage,thecopyrightnotice,thetitleofthepublication,anditsdateappear,andnoticeisgiventhatcopyingisbypermissionoftheACM,Inc.Tocopyotherwise,torepublish,topostonservers,ortoredistributetolists,requirespriorspecificpermissionand/orafee.©1999ACM1094-9224/99/0200–0003$5.00ACMTransactionsonInformationandSystemSecurity,Vol.2,No.1,February1999,Pages3–33.graphmodel,whichprovidesawayofvisualizingtheinteractionsamongrolesandtheirseniorsandjuniors[NyanchamaandOsborn1994].Wealsointroducedalgorithmsformanipulatingtheserolegraphs.Role-basedmodelsprovideawaytobettermanageaccessrightsinasystem,andcanbeappliedindiscretionaryaccesscontrolandalsobeusedtosimulateamandatoryaccesscontrolenvironment[NyanchamaandOsborn1995;Osborn1997;Sandhu1996].Inthispaperwebrieflyreviewourrolegraphalgorithms[NyanchamaandOsborn1994],andenhancethemwithsomeadditionalalgorithms.Thesealgorithmshaveallbeenimplementedinaninteractivetool,whichallowsrolestobecreated,deleted,andalteredasdescribedbelow.Sincethealgorithmsdealwithacyclicdirectedgraphs,theyallhaveefficientruntimecomplexity.Oneversionofourrole-graphsystemprovidesaninterfacewitharelationaldatabase[Osbornetal.1996].Throughthistool,itispossibletoquicklyaltertherolesandtheusersassignedtotherolesandhavechangesconveyedbacktothedatabasesystem.Anadditionalandimportantsecuritytaskinacommercialenvironmentistodefineanddealwithconflictofinterest.Asidefromourreferencemodel,akeycontributionofthispaperistoconsiderconflictofinterestwithinthemodel(whichindicatesfivepossibletypesofconflict)andshowhowourrolegraphmodelcanbeaugmentedtodealwithprivilege-privilegeconflictsandrole-roleconflicts.Therolemanipulationalgorithmsareenhancedtodisallowthecreationofanyrolethatwouldcontainaconflictwithinitself,andthusnotbeauthorizabletoanyuserorgroup.Wealsoshowthestructuresthatareinducedintherolegraphwhenrole-roleconflictsarepresent.Roleshavebeenstudiedinavarietyofcontextsandenvironments;wesummarizesomeofthemhere.AnearlyreferencetorolesisfoundinLochovskyandWoo[1988],whererolesaredefinedandarrangedinageneralizationhierarchyandagentsrepresentingpeopleareassignedtorolesasnecessary.EarlyworkbyTing[1988]describestheuseofrolestodevelopapplication-dependentsecuritycontrols.Ting’sworkwasalsoin-corporatedintoasoftwaredesignsystem[Tingetal.1992;Huetal.1994].Thomsen’sworktalksaboutroles,subroles,andthemandatoryenforce-mentofpoliciesinarole-basedenvironment[Thomsen1991].Baldwin’sNamedProtectionDomains[Baldwin1990]areverysimilartoourroles.InBaldwin’smodelonlyoneNamedProtectionDomaincanbeactiveatonetime.MohammedandDilts[1994]discussthedesignofarole-basedmodelforaspecificapplicationinanevent-dependent,dynamicenvironment.vonSolmsandvanderMerwe[1994]giveafour-levelmodelwhererolesformalayerbetweenusersontheonehandandtransactionsandprojectsontheother.Thereare