Cybersecurity

Bachelor’s degree in ACSAI 2024-25

Access control

Angelo Spognardi
[email protected]
Dipartimento di Informatica
Sapienza Università di Roma
Topic: Access Control

●
Goal: Protect confidentiality and integrity of information
●
Control what a subject can do to prevent damage to the system
●
Regulate the operations that can be executed by a subject on data and
resources
●
Typically provided as part of operating systems and of database
management systems

2 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Access control: definitions

●
NISTIR 7298: “the process of granting or denying specific requests to:
– (1) obtain and use information and related information processing services;
and
– (2) enter specific physical facilities”
●
RFC 4949: “a process by which use of system resources is regulated
according to a security policy and is permitted only by authorized
entities (users, programs, processes, or other systems) according to that
policy”

3 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Access control concepts

4 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Access control models

●
Discretionary access control ●
Role-based access control (RBAC)
(DAC) – Controls access based on the roles
– Controls access based on the that users have within the system
identity of the requestor and on and on rules stating what accesses
access rules (authorizations) are allowed to users in given roles
stating what requestors are (or ●
Attribute-based access control
are not) allowed to do (ABAC)
●
Mandatory access control (MAC) – Controls access based on
– Controls access based on attributes of the user, the resource
comparing security labels with to be accessed, and current
security clearances environmental conditions

5 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Subjects, objects and access rights

Access
Subject Object
right
Describes the way in
An entity capable of A resource to which
which a subject may
accessing objects access is controlled
access an object

Three classes Could include:

Entity used to contain • Read
• Owner and/or receive • Write
• Group information • Execute
• World • Delete
• Create
• Search

6 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Discretionary Access Control (DAC)

●
Scheme in which an entity may be granted access rights that permit the
entity, by its own volition, to enable another entity to access some
resource
●
Often provided using an access matrix

7 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Example Access Control Matrix

●
One dimension: identified subjects asking data access to the resources
●
Other dimension: the objects that may be accessed
●
Each entry in the matrix indicates the access rights of a particular subject for a
particular object
●
An empty cell means that no access rights are granted.

8 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Access Control Lists
●
It defines, for each object (o) a list (L) called o’s access control list,
which enumerates all the subjects that have access rights for o and, for
each such subject, s, gives the access rights that s has for object o.

/etc/passwd /usr/bin/ /u/roberto/ /admin/

root: r,w root: r,w,x root: r,w,x root: r,w,x

mike: r mike: r,x roberto: r,w,x backup: r,x
roberto: r roberto: r,x backup: r,x
backup: r backup: r,x

9 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Capabilities
/etc/passwd: r,w,x; /usr/bin: r,w,x;
root /u/roberto: r,w,x; /admin/: r,w,x
●
Takes a subject-centered approach
to access control.
●
It defines, for each subject s, the mike /usr/passwd: r; /usr/bin: r,x
list of the objects for which s has
nonempty access control rights,
together with the specific rights /usr/passwd: r; /usr/bin: r;
roberto /u/roberto: r,w,x
for each such object.

/etc/passwd: r,x; /usr/bin: r,x;

backup /u/roberto: r,x; /admin/: r,x

10 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Extended access control matrix

Considers the ability of one subject to transfer rights, create another subject and to
have ‘owner’ access right to that subject

11 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Extended access control matrix rules

Considers the
ability of one
subject to
transfer rights,
create another
subject and to
have ‘owner’
access right to
that subject.

It can also define

a hierarchy of
subjects.

12 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Organization of the Access Control Function

●
Every access by a subject to an
object is mediated by the
controller for that object
●
The controller’s decision is
based on the current contents of
the matrix
●
Certain subjects have the
authority to make specific
changes to the access matrix.

13 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Example: Unix subjects, obejects, rights

●
Subjects: users, groups, others
●
Objects: files, directories
●
Access rights: read, write, execute
– For files
●
read: reading from a file
●
write: writing to a file
●
execute: executing a (program) file
– For directories
●
read: list the files within the directory
●
write: create, rename, or delete files within the directory
●
execute: enter the directory

14 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

UNIX File Access Control

●
Unique user identification number (user ID)
●
Member of a primary group identified by a group ID
●
Belongs to a specific group
●
12 protection bits
– Specify read, write, and execute permission for the owner of the file, members
of the group and all other users
●
The owner ID, group ID, and protection bits are part of the file’s inode

15 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Traditional UNIX File Access Control
(minimal ACL)
●
“Set user ID”(SetUID) and “Set group ID”(SetGID)
– System temporarily uses rights of the file owner/group in addition to the real
user’s rights when making access control decisions
– Enables privileged programs to access files/resources not generally accessible
●
Sticky bit
– When applied to a directory it specifies that only the owner of any file in the
directory can rename, move, or delete that file
●
Superuser
– Is exempt from usual access control restrictions
– Has system-wide access

16 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Access Control Lists (ACLs) in UNIX

●
Many modern UNIX systems support access control lists
– FreeBSD, OpenBSD, Linux, and Solaris.
●
FreeBSD
– Setfacl command assigns a list of UNIX user IDs and groups
– Any number of users and groups can be associated with a file
– Read, write, execute protection bits
– A file does not need to have an ACL
– Includes an additional protection bit that indicates whether the file has an extended ACL
●
When a process requests access to a file system object two steps are performed:
1) Selects the most appropriate ACL
2) Checks if the matching entry contains sufficient permissions

17 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Mandatory Access Control

●
Inspired by the Bell-La Padula model
●
Each subject and each object is assigned a security class
●
In the simplest formulation, security classes form a strict hierarchy and are
referred to as security levels.
– One example is the U.S. military classification scheme:
top secret < secret < confidential < restricted < unclassified
●
A subject is said to have a security clearance of a given level
●
An object is said to have a security classification of a given level
●
The security classes control the manner by which a subject may access an
object

18 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Multilevel security (MLS)

●
The model defined four access modes:
– read: The subject is allowed only read access to the object
– append: The subject is allowed only write access to the object
– write: The subject is allowed both read and write access to the object
– execute: The subject is allowed neither read nor write access to the object but
may invoke the object for execution
●
Confidentiality is achieved if a subject at a high level may not convey
information to a subject at a lower level...
– ...unless that flow accurately reflects the will of an authorized user as revealed
by an authorized declassification

19 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Multilevel security confidentiality

●
No read up: A subject can only read an object of less or equal security
level
– This is referred to in the literature as the simple security property (ss-
property).
●
No write down: A subject can only write into an object of greater or
equal security level.
– This is referred to in the literature as the *-property (pronounced star
property).
●
The more recent MAC implementations, are SELinux and AppArmor for
Linux and Mandatory Integrity Control for Windows

20 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Role-based Access Control

●
Define roles and then specify access control rights for these roles,
rather than for subjects directly.
Department
Chair

Administrative Lab System Undergraduate Graduate

Manager Manager Administrator TA TA

Lab Backup Undergraduate Graduate

Accountant Secretary
Technician Agent Student Student

Administrative Technical
Personnel Personnel Faculty Student

Department
Member
21 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity
Role Based Access Control (RBAC) goals

Goals
●
Describe organizational access control policies
●
Based on job function
– A user’s permissions are determined by her roles rather than by identity or
clearance
●
Increase flexibility/scalability in policy administration
– Easy to meet new security requirements
– Reduce errors in administration
– Reduce cost of administration

22 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

RBAC: Intuition

23 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Role Based Access Control (RBAC)

●
Roles defined based on job functions
– e.g., bookkeeper
●
Permissions defined based on job authority and responsibilities within
a role
– e.g., bookkeeper is allowed to read financial records
●
Users have access to objects based on the assigned role
– e.g., Sally is the bookkeeper

24 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Access Control Matrix Representation of RBAC

25 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Exercise

●
Given the following User Assignment and Permission Assignment,
define the corresponding access matrix.

26 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Solution

●
Homework 1:
– What happens if the job function of a user changes?
●
e.g., Charlie becomes a GP
– What happens if permissions are added/removed from a role?
●
e.g., Radiologist can also delete image scans

27 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

A Family of Role-Based Access Control Models

28 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

RBAC1: Role Hierarchy

●
Some roles subsume others:
– many operations are common to a large number of roles
– a GP can perform all actions that a physician can perform (plus other actions)
●
This suggests a hierarchy of roles
●
Reflect an organization’s role structure
●
Inheritance among roles
– Instead of specifying permissions for each role, one specifies it for a more
generalized role
– Granting access to role R implies that access is granted for all specialized roles
of R

29 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Role Hierarchy

●
Structuring roles
– Partial order ≤: x ≤ y we say x is specialization of y
●
Inheritance of permission from generalized role y (top) to specialized role x
(bottom)
– Members of x are also implicitly members of y
– if x ≤ y then role x inherits permissions of role y
●
Partial order
– Reflexivity (i.e., x ≤ x)
– Transitivity (i.e., x ≤ y and y ≤ z then x ≤ z)
– Antisymmetry (i.e., x ≤ y and y ≤ x then x = y )

30 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Role Hierarchy – Examples

31 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Solved exercise

●
Let UA = {(u1, r2), (u2, r3), (u3, r4), (u4, r5)} and
PA = {(r1 , p1), (r2, p2), (r3, p3), (r4, p4), (r5, p5)}.
●
Given the following role hierarchy, determine the permissions that
users have in form of an access matrix.

32 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Solved exercise (2)

●
Let UA = {(u1, r2), (u2, r3), (u3, r4), (u4, r5)} and
PA = {(r1 , p1), (r2, p2), (r3, p3), (r4, p4), (r5, p5)}.
●
Given the following role hierarchy, determine the permissions that
users have in form of an access matrix.

p1 p2 p3 p4 p5

u1 x x

u2 x x x

u3 x x x

u4 x x x x x

33 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

RBAC2: constraints

●
Provide a means of adapting RBAC to the specifics of administrative and
security policies of an organization
●
A defined relationship among roles or a condition related to roles
●
Types:

Mutually exclusive
Cardinality Prerequisite roles
roles
• A user can only be Dictates that a user
assigned to one role in can only be assigned
the set (either during a Setting a maximum
to a particular role if it
session or statically) number with respect to
• Any permission (access is already assigned to
roles
right) can be granted to some other specified
only one role in the set role
34 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity
Attribute-Based Access Control (ABAC)

●
Can define authorizations that express conditions on properties of both
the resource and the subject
●
Strength is its flexibility and expressive power
●
Main obstacle to its adoption in real systems has been concern about
the performance impact of evaluating predicates on both resource and
user properties for each access
●
Web services have been pioneering technologies through the
introduction of the eXtensible Access Control Markup Language (XAMCL)
●
There is considerable interest in applying the model to cloud services

35 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

ABAC Model: Attributes

Environment
Subject attributes Object attributes
attributes
• A subject is an active • An object (or resource) is a • Describe the operational,
entity that causes passive information technical, and even
information to flow among system-related entity situational environment or
objects or changes the containing or receiving context in which the
system state information information access occurs
• Attributes define the • Objects have attributes • These attributes have so
identity and that can be leverages to far been largely ignored in
characteristics of the make access control most access control
subject decisions policies

36 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

 ABAC

Distinguishable Relies upon the evaluation of

because it controls
access to objects by
evaluating rules
against the attributes
of entities, operations,
and the environment
relevant to a request
attributes of the subject,
attributes of the object, and a
formal relationship or access
control rule defining the
allowable operations for
subject-object attribute
combinations in a given
environment

Systems are Allows an unlimited

capable of number of
attributes to be
enforcing DAC, combined to satisfy
RBAC, and MAC any access control
concepts rule

37 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Policies

38 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

ABAC Policies

●
A policy is a set of rules and relationships that govern allowable
behavior within an organization, based on the privileges of subjects
and how resources or objects are to be protected under which
environment conditions
●
Typically written from the perspective of the object that needs
protecting and the privileges available to subjects

39 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

ABAC policies model

●
S, O, and E are subjects, objects, and environments, respectively
●
SAk (1 ... k ... K), OAm (1 ... m ... M), and EAn (1 ... n ... N) are the pre-defined
attributes for subjects, objects, and environments, respectively
●
ATTR(s), ATTR(o), and ATTR(e) are attribute assignment relations, for
example
– Role(s) = “Service Consumer”
– ServiceOwner(o) = “XYZ, Inc.”
– CurrentDate(e) = “01-23-2005”
●
Rule: can_access (s, o, e) ← f(ATTR(s), ATTR(o), ATTR(e))

40 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

ABAC example

●
R1: can_access(u, m, e) ←
– (Age(u) ≥ 17 and Rating(m) ∈ {R, PG-13, G}) or
(Age(u) ≥ 13 and Age(u) < 17 and Rating(m) ∈ {PG-13, G}) or
(Age(u) < 13 and Rating(m) ∈ {G})

41 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

ABAC vs RBAC

●
In RBAC as the number of attributes increases to accommodate finer-
grained policies, the number of roles and permissions grows
exponentially

●
The ABAC model deals with additional attributes in an efficient way

42 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Finer grained policy example

●
Movies are classified as either New Release or Old Release, based on release
date compared to the current date
●
Users are classified as Premium User and Regular User, based on the fee they
pay
●
Policy: only premium users can view new movies.

Roles Permissions
RBAC
Adult-Regular R-Old_release
●
Double the number of roles, to
Juvenile-Regular PG13-Old_release
distinguish each user by age and fee
Child-Regular G-Old_release
●
Double the number of separate Adult-Premium R-New_release
permissions Juvenile-Premium PG13-New_release
Child-Premium G-New_release
43 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity
ABAC: Finer grained policy example

ABAC
●
R2: can_access(u, m, e) ← (MembershipType(u) = Premium) or
(MembershipType(u) = Regular and MovieType(m) = OldRelease)
●
R3: can_access(u, m, e) ← R1 and R2

●
Environment attributes example:
– New policy: Regular users are allowed to view new releases in promotional periods.
– Difficult to express in an RBAC model.
– In an ABAC model, we only need to add a conjunctive (AND) rule that checks to see
the environmental attribute today’s date falls in a promotional period

44 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Exercise

Let UA = {(u1, hp), (u2, ph), (u3, sp), (u4, gp)} Given the following role
●
●
and
PA = {(hp, <o1, R>), hierarchy, determine the
(ph, <o1, W>), permissions that users have in
(sp, <o2, RW>),
(gp, <o3, RW>), form of an access matrix.
(gp, <o2, R>),
(gp, <o4, RW>)}.

45 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Homework 2

●
Given the following access matrix, try to define the best possible roles

46 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Homework 3

Consider a database for patients' measurements in a hospital.

●
Doctors can add (A), update (U), and view (V) any patients’ diseases and
read (RP) and write prescriptions (WP)
●
Pharmacists can read prescriptions (RP) and give drugs (G) to patients.
●
Patients (P) can only read their diseaeses and prescriptions.

47 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Homework 3 (cont.)

●
Describe the RBAC system, given the following settings
– Doctors: Derek Shepherd (DS), Meredith Grey (MG);
– Pharmacists: Alex Karev (AK), Cristina Yang (CY)
– Patients: Mark Sloan (MS), Lexie Grey (LG)
●
List the users
●
List the roles
●
List the permissions
●
List the user assignments
●
Realize the access matrix

48 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

 Thanks!

See you on Monday!

52 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity

Disclaimer

Slides based on the

Introduction to Computer Security,
Computer Security: Principles and Practice, Global
Edition,
and Nicola Zannone (Eindhoven University of
Technology) material on RBAC.

This material should not be disclosed outside the course.