13

I'm trying to formulate an RBAC permission model which allows separation between permissions and the scopes on which those permissions are applied. I have been unable to find a standard model which describes this.

Here's an example:

  1. A Permission consists of an Operation on a Resource:
    • (View) (Ops Reports)
    • (Create) (Ops Reports)
    • (Manage) (Releases)
  2. Roles are collections of Permissions:
    • A (Product Manager) can (Manage Releases) and (View Ops Reports)
    • A (Ops Manager) can (Create Ops Reports) and (View Ops Reports)
  3. Users can be assigned Roles:
    • (Alice) and (Bob) are (Product Manager)s

So far, this is standard RBAC-0. Now let's add another orthogonal layer:

  • (Alice) is a (Product Manager) for "Cool New Product (CNP)"
  • (Bob) is a (Product Manager) for "Flagship Product (FSP)"
  • (Charlie) is a (Product Manager) for ...
  • ...

This seems like a fairly common use case.

In a naive implementation, we could duplicate Roles and Permissions for every Product. So instead of:

  • (Product Manager)
    • (Manage) (Releases)
    • (View) (Ops Reports)

we now have:

  • (CNP Product Manager)
    • (Manage) (CNP Releases)
    • (View) (CNP Ops Reports)
  • (FSP Product Manager)
    • (Manage) (FSP Releases)
    • (View) (FSP Ops Reports)
  • ...
  • ...

This can quickly grow out of hand. How do I model this scenario to avoid exponential duplication?

David Brossard
metacubed
  • 1
    Did you look into Attribute based access control? Here is NIST's view on it - https://csrc.nist.gov/Projects/Attribute-Based-Access-Control – David Brossard Dec 28 '17 at 06:45
  • Also have a look at my answer here: https://security.stackexchange.com/a/175729/29490 – David Brossard Dec 28 '17 at 06:48
  • (Old) Duplicate: https://security.stackexchange.com/questions/10708/role-based-access-control-data-ownership-based-permissions I'm interested to see if anything new has come up. – Jacco Mar 15 '18 at 16:01
  • 1
    No time to write a full answer, but take a look at `Role-Centric, Attribute Based Access Control`, a promising 'best-of-both-worlds' approach to RBAC&ABAC. You should be able to find research papers on the subject quite easily. – Jacco Mar 15 '18 at 16:03

1 Answer

3

While role-based access control (RBAC) is a major model for managing authorizations, implementing RBAC has some limitations and consequences.

One of the consequences is role explosion, where multiple versions (duplicates) of one role are required to separately manage access to distinct sets of data of the same class.

Role-Centric Attribute-Based Access Control is an extension to the traditional RBAC model to minimise this RBAC limitation.

Each user and object relevant for access control is associated with a set of attributes.

Attributes assign access control logic to users and objects, defining how users and objects work together and what activities related to an object are available if a relevant attribute is assigned to a particular user.

Several approaches to RCABAC are described in the literature:

  1. use attributes to dynamically assign users to roles, for example assign preset roles to organizational structure positions, assign roles to business functions to simplify role assignment
  2. treat roles as just another attribute
  3. limit permissions of roles with attributes

Bibliography

Vincent Hu, David Ferraiolo, Richard Kuhn (NIST), Adam Schnitzer (BAH), Kenneth Sandlin, Robert Miller, Karen Scarfone, 2014, NIST, SP 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations

Jin, X., Sandhu, R. and Krishnan, R., 2012, October. RABAC: role-centric attribute-based access control. In International Conference on Mathematical Methods, Models, and Architectures for Computer Network Security (pp. 84-96). Springer, Berlin, Heidelberg.

Rajpoot, Q.M., Jensen, C.D. and Krishnan, R., 2015, July. Integrating attributes into role-based access control. In IFIP Annual Conference on Data and Applications Security and Privacy (pp. 242-249). Springer, Cham.

D.R. Kuhn, E.J. Coyne, T.R. Weil (2010), Adding Attributes to Role-Based Access Control, IEEE Computer (June 2010).

Other links

NIST, Role Based Access Control Project

LLub
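Approach 3 from the answer above, applied to the question's product scenario, as an added sketch that is not part of the original posts: roles are defined once, and each role assignment carries a scope attribute that must match the resource's attribute. The `Assignment` and `Resource` types, the `product` attribute name, both function names and Bob's extra Ops Manager assignment are assumptions made for illustration.

```python
from dataclasses import dataclass

# Roles are defined once, exactly as in the question's RBAC-0 model.
ROLES = {
    "Product Manager": {("Manage", "Releases"), ("View", "Ops Reports")},
    "Ops Manager": {("Create", "Ops Reports"), ("View", "Ops Reports")},
}

@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    product: str  # scope attribute limiting where the role applies

@dataclass(frozen=True)
class Resource:
    kind: str     # resource type named in a permission, e.g. "Releases"
    product: str  # attribute of the object, e.g. "CNP"

# Constructed sample data; Bob's second assignment is added to show the edge case.
ASSIGNMENTS = [
    Assignment("Alice", "Product Manager", "CNP"),
    Assignment("Bob", "Product Manager", "FSP"),
    Assignment("Bob", "Ops Manager", "CNP"),
]

def is_allowed(user, operation, resource, assignments=ASSIGNMENTS, roles=ROLES):
    """Deny by default. Allow only if a single assignment both grants the
    permission and has a scope attribute matching the resource."""
    for a in assignments:
        if a.user != user or a.product != resource.product:
            continue
        # Unknown role names grant nothing.
        if (operation, resource.kind) in roles.get(a.role, set()):
            return True
    return False

def is_allowed_flattened(user, operation, resource,
                         assignments=ASSIGNMENTS, roles=ROLES):
    """Flawed variant for contrast: roles and scopes are checked separately,
    so a role held for one product leaks into another product."""
    mine = [a for a in assignments if a.user == user]
    has_perm = any((operation, resource.kind) in roles.get(a.role, set())
                   for a in mine)
    in_scope = any(a.product == resource.product for a in mine)
    return has_perm and in_scope
```

Adding a product adds assignments, not roles, so the role catalogue stays the same size. The role and its scope have to be evaluated together per assignment, otherwise Bob's FSP Product Manager role combined with his CNP scope would let him manage CNP releases.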