Implementation of role-based access control in multi-level secure systems
First Claim
1. In a lattice-based multi-level security system of the type wherein each object to which access is controlled by said lattice-based multi-level security system is assigned to a compartment and level maintained thereby, and wherein individual subjects are permitted access to specified objects protected by said security system only if the particular subject possesses a clearance level at least equal to that assigned to the object, and if the object is assigned to a compartment authorized for use by the subject, a method of implementing role-based access control, comprising the following steps:
- defining a collection of roles,
- mapping each defined role to a set of privileges, each privilege providing access to one or more combinations of compartments and levels within said lattice-based multi-level security system,
- assigning each subject to one or more of said roles, and
- at the time a subject requests access to an object,
  - determining whether the subject is assigned to a role having privileges corresponding to the compartment and level of the requested object within said lattice-based multi-level security system, and
  - employing said lattice-based multi-level security system to control access of the subject to the object in response to said determination.
Abstract
Role-based access control (RBAC) is implemented on a multi-level secure (MLS) system by establishing a relationship between privileges within the RBAC system and pairs of levels and compartments within the MLS system. The advantages provided by RBAC, that is, reducing the overall number of connections that must be maintained and, for example, greatly simplifying the process required in response to a change of job status of individuals within an organization, are then realized without loss of the security provided by MLS.
A trusted interface function is developed to ensure that the RBAC rules permitting individuals access to objects are followed rigorously, and provides a proper mapping of the roles to corresponding pairs of levels and compartments. No other modifications are necessary. Access requests from subjects are mapped by the interface function to pairs of levels and compartments, after which access is controlled entirely by the rules of the MLS system.
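The following is an added worked example, not code from the patent, of the scheme the claim and abstract describe: roles map to privileges, privileges map to (level, compartment) pairs, and a trusted interface function translates a subject's access request into such a pair before the lattice MLS rule makes the final decision. The levels, compartments, roles, privileges, subjects and objects are all constructed sample data. One design choice is the example's own: the interface function derives the subject's effective clearance for the requested compartment as the highest level among the matching privilege pairs, so that the MLS dominance (read-down) rule does real work rather than merely echoing an exact match; a stricter deployment could require the pair to match exactly.

```python
"""Added example: RBAC layered over a lattice-based MLS system.

Constructed illustration, not the patent's own code. Roles -> privileges ->
(level, compartment) pairs; a trusted interface function maps each request
to a pair, and only the MLS dominance rule grants or denies access.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Totally ordered sensitivity levels (hypothetical names)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class MLSObject:
    """An object labelled with exactly one level and one compartment."""
    name: str
    level: Level
    compartment: str


@dataclass
class Subject:
    """A subject carries only role names; no per-object entries are stored."""
    name: str
    roles: set[str] = field(default_factory=set)


# --- Lattice MLS system: the only component that grants or denies access ---
def mls_permits_read(clearance: Level, compartments: set[str], obj: MLSObject) -> bool:
    """Simple-security (read-down) rule: the clearance dominates the object label."""
    return clearance >= obj.level and obj.compartment in compartments


# --- RBAC layer: each privilege is a set of reachable (level, compartment) pairs ---
PRIVILEGES: dict[str, frozenset[tuple[Level, str]]] = {
    "read_crypto_secret": frozenset({(Level.SECRET, "CRYPTO")}),
    "read_crypto_all": frozenset({(Level.SECRET, "CRYPTO"), (Level.TOP_SECRET, "CRYPTO")}),
    "read_hr_conf": frozenset({(Level.CONFIDENTIAL, "HR")}),
}

ROLES: dict[str, set[str]] = {
    "crypto_analyst": {"read_crypto_secret"},
    "crypto_lead": {"read_crypto_all"},
    "hr_clerk": {"read_hr_conf"},
}


def privilege_pairs(subject: Subject) -> set[tuple[Level, str]]:
    """Union of all (level, compartment) pairs reachable through the subject's roles."""
    pairs: set[tuple[Level, str]] = set()
    for role in subject.roles:
        for priv in ROLES.get(role, set()):
            pairs |= PRIVILEGES[priv]
    return pairs


def effective_label(subject: Subject, obj: MLSObject) -> tuple[Level, set[str]] | None:
    """Trusted interface step 1: map the request to an MLS label.

    The clearance is computed per requested compartment, so a TOP_SECRET
    privilege in CRYPTO never raises the clearance used for an HR request.
    Returns None when no role reaches the object's compartment at all.
    """
    pairs = privilege_pairs(subject)
    levels = [lvl for lvl, comp in pairs if comp == obj.compartment]
    if not levels:
        return None
    return max(levels), {comp for _, comp in pairs}


def trusted_interface(subject: Subject, obj: MLSObject) -> bool:
    """Trusted interface step 2: hand the derived label to the MLS rules."""
    label = effective_label(subject, obj)
    if label is None:
        return False          # no corresponding privilege: never reaches MLS
    clearance, compartments = label
    return mls_permits_read(clearance, compartments, obj)


def assign_roles(subject: Subject, roles: set[str]) -> Subject:
    """Job change: replace the subject's roles; no object labels are touched."""
    subject.roles = set(roles)
    return subject


if __name__ == "__main__":
    alice = Subject("alice", {"crypto_analyst"})
    ts_doc = MLSObject("ts_crypto_plan", Level.TOP_SECRET, "CRYPTO")
    print("analyst reads TS/CRYPTO:", trusted_interface(alice, ts_doc))   # False
    assign_roles(alice, {"crypto_lead"})
    print("lead reads TS/CRYPTO:", trusted_interface(alice, ts_doc))      # True
```

Because subjects hold only role names, a promotion is a single `assign_roles` call rather than an edit to every object's access list, which is the maintenance advantage the abstract describes; and because `mls_permits_read` is the only function that returns a grant, the interface cannot widen access beyond what the lattice allows for the derived label.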
6 Claims
Claim 1 is reproduced above under First Claim; claims 2, 3, 4, 5 and 6 are dependent claims.