CSC_5SL03_TP-pt3-Tutorial4-RBAC-answers

Uploaded by

mansiinparis

Exercise 1: RBAC role hierarchy

Consider an RBAC policy with a flat role hierarchy where the UA (Users to Roles) and PA (Permissions to
Roles) assignments are defined as follows:

Nurse Doctor Anesthetist Pediatrics Secretary


Alice X X
Bob X X
Charly X X
Denise X

P1 P2 P3 P4 P5 P6 P7 P8
Nurse X X X
Doctor X
Anesthetist X X X
Pediatrics X X X
Secretary X X

1- Give the corresponding access control matrix.

P1 P2 P3 P4 P5 P6 P7 P8
Alice X X X X
Bob X X X X X X
Charly X X X X X X
Denise X X

2- Define a new role hierarchy satisfying the two following conditions:

• each user is directly assigned a unique role,


• if roles R1 and R2 share the same permission p, then R1 is a descendant of R2, or reciprocally R2
is a descendant of R1.

The following syntax, “R: Permissions, Roles, Users”, means that R is a role, Permissions is the set of
permissions assigned to R, Roles is the set of children roles of R, and Users is the set of users owning the role R.

The following role hierarchy satisfies both conditions:


• R1: {P5}, {R2,R3}, ∅
• R2: {P7}, {R5}, {Denise}
• R3: {P1,P3}, {R4,R5}, ∅
• R4: {P2}, ∅, {Alice}
• R5: {P8}, {R6,R7}, ∅
• R6: {P4}, ∅, {Bob}
• R7: {P6}, ∅, {Charly}
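
The hierarchy above can be checked mechanically. The following Python code is an added example, not part of the original tutorial; it assumes that a role inherits the permissions of all its ancestors (the direction that reproduces the number of X marks per user in the matrix of question 1) and reads the second condition over directly assigned permissions.

```python
# Role hierarchy from the answer above: role -> (permissions, child roles, users).
HIERARCHY = {
    "R1": ({"P5"}, {"R2", "R3"}, set()),
    "R2": ({"P7"}, {"R5"}, {"Denise"}),
    "R3": ({"P1", "P3"}, {"R4", "R5"}, set()),
    "R4": ({"P2"}, set(), {"Alice"}),
    "R5": ({"P8"}, {"R6", "R7"}, set()),
    "R6": ({"P4"}, set(), {"Bob"}),
    "R7": ({"P6"}, set(), {"Charly"}),
}

def descendants(role):
    """All roles reachable from `role` by following child edges."""
    seen, stack = set(), list(HIERARCHY[role][1])
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(HIERARCHY[r][1])
    return seen

def effective_permissions(role):
    """Own permissions plus those of every ancestor (assumed direction)."""
    perms = set(HIERARCHY[role][0])
    for other in HIERARCHY:
        if role in descendants(other):
            perms |= HIERARCHY[other][0]
    return perms

def access_matrix():
    """user -> sorted list of permissions derived from the hierarchy."""
    return {u: sorted(effective_permissions(r))
            for r, (_, _, users) in HIERARCHY.items() for u in users}

def check_conditions():
    """Return (each user owns exactly one role, sharing roles are related)."""
    owners = [u for _, _, users in HIERARCHY.values() for u in users]
    unique_role = len(owners) == len(set(owners))
    related = all(
        a == b or a in descendants(b) or b in descendants(a)
        for a in HIERARCHY for b in HIERARCHY
        if HIERARCHY[a][0] & HIERARCHY[b][0])
    return unique_role, related

if __name__ == "__main__":
    for user, perms in sorted(access_matrix().items()):
        print(user, perms)
    print(check_conditions())
```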

Exercise 2: Policy with separation of duty problems


Consider the following RBAC policy:

Ssds (resp. ≥s) specifies the skeleton of the static separation of duty (resp. inheritance) relation Ssd (resp. ≥),
that is, Ssd (resp. ≥) is the transitive closure of Ssds (resp. ≥s).

The system is currently running with three active sessions s1, s2, and s3, such that:
• user(s1)= Mike and role(s1)={E,F}
• user(s2)= Pat and role(s2)={J,H}
• user(s3)= Omar and role(s3)={D}

1. Draw the role inheritance diagram.


2. Specify the permissions for each role.
3. Identify problems in the current policy in terms of static separation of duty.
4. Suppose that Ssd is not the static separation of duty relation but the dynamic separation of duty
relation. Are there still problems in the policy?

3. The (static) role assignment to users is the following:


• Lee = {D,E,B}
• Mike={F,B,E,J,G,D}
• Nell={D,E,F,B}
• Omar={A,B,E,C,D,H,F}
• Pat={H,F,B,E,J,G,D}
We notice that there are several problems in terms of static separation of duty: for instance, Mike has
both the roles G and F, which is forbidden by the static separation of duty relation.

4. The (dynamic) role assignment to users is the following:


• Mike={F,B,E,J,G,D}
• Pat={H,F,B,E,J,G,D}
• Omar={D,E}
If Ssd is now the dynamic separation of duty relation, there are still problems in the policy: for instance,
Mike still has both roles G and F.

Exercise 3: Policy with separation of duty problems


A research and computing department in a university wishes to enforce the following access control policy:
a. Each teaching unit (Ui) has one or more supervisors (UiR) and one or more teaching assistants
(UiC);
b. The supervisors and teaching assistants of a teaching unit Ui can read (RUi) and write (WUi)
marks for this teaching unit, but only the supervisors can validate (SUi) the marks;
c. All teachers can read the grades, whatever the teaching unit;
d. PhD students can be considered as teachers, but no PhD student can be supervisor of a teaching
unit;
e. All teachers can be both supervisors and teaching assistants, with no limit on the number of
teaching units. They can be both at the same time.
Consider three teaching units, U1, U2, and U3, and the following sets of rights (R) and permissions (P):
• R={Teacher, PhD}∪{U1R, U1C, U2R, U2C, U3R, U3C}
• P={RU1, WU1, SU1, RU2, WU2, SU2, RU3, WU3, SU3}

1. Define a role hierarchy together with the permission to role assignment relation (PA), and a static
separation of duty relation to model in RBAC the previous informal access control policy.

2. How is it possible to take into account the following supplementary requirement: it is not possible to
be a supervisor for several teaching units?

1. The following syntax, “R: Permissions, Roles”, means that R is a role, Permissions is the set of
permissions assigned to R, and Roles is the set of children roles of R. Consider the following role hierarchy:

• Teacher: {RU1, RU2, RU3}, {PhD, U1R, U2R, U3R}
• PhD: ∅, ∅
• U1C: {WU1}, {U1R}
• U1R: {SU1}, ∅
• U2C: {WU2}, {U2R}
• U2R: {SU2}, ∅
• U3C: {WU3}, {U3R}
• U3R: {SU3}, ∅

Furthermore, since no PhD student can be supervisor of a teaching unit, we must add the static
separation of duty constraint defined by the following set of exclusions: {(PhD, U1R), (PhD, U2R),
(PhD, U3R)}

2. It is necessary to add a static separation of duty constraint defined by the following set of exclusions:
{(U1R, U2R), (U1R, U3R), (U2R, U3R)}
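
The separation of duty checks used in Exercises 2 and 3 can be expressed as one function applied to different role sets. The following Python code is an added example, not part of the original tutorial; for Exercise 2 it uses only the (F, G) exclusion, the single pair of Ssd quoted in the answers, and for Exercise 3 the user assignments are constructed sample data.

```python
from itertools import combinations

def violations(role_sets, exclusions):
    """Map each subject to the excluded role pairs it holds together."""
    excluded = {frozenset(pair) for pair in exclusions}
    found = {}
    for subject, roles in role_sets.items():
        hits = sorted(tuple(sorted(pair))
                      for pair in map(frozenset, combinations(roles, 2))
                      if pair in excluded)
        if hits:
            found[subject] = hits
    return found

# Exercise 2: role sets exactly as listed in answers 3 and 4.
EX2_STATIC = {
    "Lee": {"D", "E", "B"},
    "Mike": {"F", "B", "E", "J", "G", "D"},
    "Nell": {"D", "E", "F", "B"},
    "Omar": {"A", "B", "E", "C", "D", "H", "F"},
    "Pat": {"H", "F", "B", "E", "J", "G", "D"},
}
EX2_DYNAMIC = {  # roles held through the active sessions s1, s2, s3
    "Mike": {"F", "B", "E", "J", "G", "D"},
    "Pat": {"H", "F", "B", "E", "J", "G", "D"},
    "Omar": {"D", "E"},
}
EX2_KNOWN_SSD = [("F", "G")]  # only pair quoted on the page; rest of Ssd unknown

# Exercise 3: exclusion sets from answers 1 and 2.
EX3_PHD = [("PhD", "U1R"), ("PhD", "U2R"), ("PhD", "U3R")]
EX3_SINGLE_UNIT = [("U1R", "U2R"), ("U1R", "U3R"), ("U2R", "U3R")]
EX3_USERS = {  # constructed sample assignments, not from the page
    "teacher_a": {"Teacher", "U1R", "U2C"},
    "phd_b": {"PhD", "U1C"},
    "phd_c": {"PhD", "U2R"},
    "teacher_d": {"Teacher", "U1R", "U3R"},
}

if __name__ == "__main__":
    print(violations(EX2_STATIC, EX2_KNOWN_SSD))
    print(violations(EX2_DYNAMIC, EX2_KNOWN_SSD))
    print(violations(EX3_USERS, EX3_PHD))
    print(violations(EX3_USERS, EX3_PHD + EX3_SINGLE_UNIT))
```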
