You are hereTR Role Based Access Control
TR Role Based Access Control
Trusted RUBIX Role Based Access Control (RBAC) allows highly granular administrative authorizations to be assigned to a named role. That role may then be assigned to any number of users, giving that user all of the authorizations assigned to the role. Example authorizations are the ability to override the DAC policy for the INSERT operation on the database named MyDB and the ability to backup all databases. The granular authorizations allow roles to be constructed that divide the administrative power between users. This "separation of duties" between the various administrators is critical to limit the potential damage a rogue administrator or a compromised administrative account may inflict.
Trusted RUBIX fully integrates its RBAC mechanism with that of the host operating system. This allows the creation of roles with consistent authorizations across both the operating system and the Trusted RUBIX RDBMS. For example, the audit administrator may have audit authorizations for both the operating system and the RDBMS using a single named role.
Trusted RUBIX Authorizations
Trusted RUBIX authorizations are categorized according to type. Each category has numerous individual authorizations and each may be configured to allow operations on all databases or a specific, named database.
The Trusted RUBIX MAC authorizations provide the ability to change the sensitivity label of a database row and to change the database session sensitivity label to one that is different from the current database session label. Each authorization type is partitioned into changing a label “up”, changing a label “down”, and changing a label “across”. Since changing a label to an incomparable label technically falls into neither of these categories, the partitioning is done based upon raising or lowering the hierarchical classification portion of the sensitivity label. Altering the session label is further broken down into read only and read/write categories. The row reclassification authorizations may be combined with the table import authorization to allow multilevel import operations.
The Trusted RUBIX DAC authorizations give the privileged user the ability to perform SQL commands without regard to the DAC security policy. The authorizations are partitioned by SQL operations. The DAC authorizations do not supersede the DAC policy for write operations on specially protected Definition Schema objects. These objects are contained in the SYSTEM catalog and include the SYSTEM catalog itself.
The Trusted RUBIX audit authorizations provide the ability to perform functions related to the Trusted RUBIX audit mechanism. This includes generating audit reports, setting audit criteria, and listing, deleting, and setting audit log files.
The Trusted RUBIX restore authorizations provide the ability to perform functions related to the Trusted RUBIX dump/restore mechanism. This includes producing backups of databases, performing database restores, and listing, deleting, and setting restore log files.
The Trusted RUBIX administrative authorizations provide the ability to perform functions related to general administration. This includes the ability to drop a database, list a database, rename a database, start/stop Trusted RUBIX servers and dispatcher.
The Trusted RUBIX user authorizations provide the ability to perform functions given to typical users. This includes the ability to import data into and export data out of a database. If the user holds certain MAC authorizations in addition to the import authorization, the user may perform a multilevel import, limited by his/her session sensitivity label.
Trusted RUBIX Default Roles
Trusted RUBIX has the following default roles that are installed during installation. Note that there is no requirement to group the audit authorizations all under the default role, and the user is free, and encouraged, to create more limited roles by grouping the audit authorizations to meet their security requirements.
The Trusted RUBIX Audit Administrator (AUD) role is responsible for administering the Trusted RUBIX audit subsystem. Specifically, this role is permitted to create audit reports, set audit criteria, and administer the audit log files.
The Trusted RUBIX Database Administrator (DBA) role is empowered to perform all operations which maintain the consistency and integrity of the stored data. Specifically, this role is permitted to supercede the DAC security policy for SQL operations, administer database objects (list, rename, drop), and administer the dispatcher and server processes.
The authorizations granted to the default DBA administrative role are largely DAC authorizations which make him/her DAC exempt, but not MAC exempt. For example, to alter the Access Control Lists (ACLs) on a table, the DBA must be operating at the table's label. If the DBA's label strictly dominates the table's label then the table's ACL cannot be altered. If the table's label strictly dominates the DBA's label, then the table will not be visible to the DBA.
The Trusted RUBIX Operator (OP) role is authorized to perform functions related to the Trusted RUBIX dump/restore mechanism. This includes producing backups of databases, performing database restores, and listing, removing, and modifying restore log files. Although operators are able to back-up and restore entire databases, they hold no other special capability as far as reading or writing those databases, (i.e.: SELECT or UPDATE) but are, in this respect, bound by the standard MAC and DAC mechanisms.
The Trusted RUBIX Security Administrator (SA) role is responsible for all operations which may arbitrarily determine the label of a database object. Specifically, this role is permitted to change the label of a row, arbitrarily set the database session label, and perform multilevel import operations.