Download Exam 1 for CIS/CSE 774: Principles of Distributed Access Control and more Exams Engineering in PDF only on Docsity!
Name:
CIS/CSE 774 — Principles of Distributed Access Control Exam 1 October 11, 2004
Question Points Possible
Points Received
1 12
Total 60
Instructions:
- This exam is an open-book, open-notes exam.
- Legibility counts! Make sure I can read (and find!) your answers.
If you need more room for an answer than that given, use the back side of the pages. Be sure to leave a note indicating where the answer is.
- This test should have 6 pages (including this cover sheet). Let me know now if your copy does not have the correct number of pages.
- (12 points) Consider the following collection of RBAC definitions:
U = {Del , Earl , Fred , Guy, Hal } P = {write loan, read balance, approve loan, sell loan, accept deposit, cash check , close acct, open acct, void transaction, fire staff } R = {Emp, Teller , AcctOfficer , LoanOfficer , MortgageOfficer , LoanSupervisor , TellerSupervisor , BranchManager } U A = {(Del , Teller ), (Earl , MortgageOfficer ), (Fred , TellerSupervisor ), (Fred , AcctOfficer ), (Guy, LoanSupervisor ), (Hal , BranchManager )} P A = {(read balance, Emp), (open acct, AcctOfficer ), (close acct, AcctOfficer , (cash check , Teller ), (accept deposit, Teller ), (write loan, LoanOfficer ), (void transaction, TellerSupervisor ), (sell loan, MortgageOfficer ), (approve loan, LoanSupervisor ), (fire staff , BranchManager )} � = {(r, r), (BranchManager , r), (r, Emp) | r ∈ R} ∪ {(LoanSupervisor , MortgageOfficer ), (LoanSupervisor , LoanOfficer )} ∪ {(MortgageOfficer , LoanOfficer ), (TellerSupervisor , Teller )}
Calculate each of the following:
(a) auth users(LoanOfficer )
(b) auth users(Teller )
(c) auth permissions(MortgageOfficer )
(d) auth permissions(TellerSupervisor )
This page intentionally left blank.
- (30 points) The Computer Science and Engineering Department at a small university has decided to develop a new electronic grading system. Here are the key features the department wants the system to handle (do not assume any permissions or restrictions other than those explictly mentioned): - Each course has some primary instructors (PIs) and teaching assistants (TAs) assigned to it. - TAs and PIs for a given course can both read and write that course’s grades; in addition, a course’s PI(s) can submit final grades. - Any faculty member can read the grades for any course. - No graduate student can ever be assigned as a TA for more than one course. - No graduate student can ever be assigned as a primary instructor for a course. - Faculty members can be assigned as either teaching assistants or primary instruc- tors for any course, and there are no limits on how they are assigned to courses. (Yes, they may even serve as both the TA and the PI for the same course; I mention this only to make your task easier.) - Because of the potential for confusion (particularly if instructors have the same students in multiple courses), the electronic grading system must not permit any- one to perform in more than one instructor role at any given time (e.g., login session).
As part of the system’s initial test run, the department wants to configure the system to handle just three of the department’s courses: CS 123, CS 456, and CS 789. Thus, the department has identified the following roles and permissions for this system:
R = {Fac, Grad , 123TA, 123PI , 456TA, 456PI , 789TA, 789PA} P = {R 123 , W 123 , S 123 , R 456 , W 456 , S 456 , R 789 , W 789 , S 789 }
For example, R 123 , W 123 , and S 123 are the permissions to (respectively) read, write, and submit the grades for CS 123. Provide the following RBAC components to accurately meet and fulfill all of the de- partment’s desired features/criteria:
(a) A role-hierarchy relation � (a Hasse diagram is sufficient) and a permission- assignment relation P A (b) A static separation-of-duty relation to capture necessary static constraints (c) A dynamic separation-of-duty relation to capture necessary dynamic constraints
Caveat: Be careful with your definition of �: make sure that there are no unintended consequences for separation of duty.
