
Supporting User Authorization Queries in RBAC Systems by Role-Permission Reassignment

  • Conference paper
  • First Online:
Cyberspace Safety and Security (CSS 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10581)


Abstract

The User Authorization Query (UAQ) problem is a key issue in efficiently handling users' access requests in RBAC systems. In practice, the UAQ problem may have no solution at all: missing any requested permission causes the task to fail, while any extra permission may bring intolerable risk to the system. Hence it is desirable to update the RBAC system state so that the UAQ problem becomes solvable. This task is generally complex and challenging, however, because the resulting state is usually expected to meet various objectives and constraints. In this paper, we study the fundamental problem of how to generate a valid role-permission assignment that satisfies all objectives and constraints, such as reassignment objectives, prerequisite constraints and permission-capacity constraints. Our computational complexity result shows that the problem is intractable (NP-complete) in general. We also propose an approach that reduces it to SAT, so that off-the-shelf SAT solvers can be used to reduce the running time. Experimental results show that the proposed approach scales well in large RBAC systems.



Acknowledgment

This work is supported by National Natural Science Foundation of China under Grant 61402418, 61503342, 61672468, 61602418, Social development project of Zhejiang provincial public technology research under Grant 2017C33054, 2016C3316.


Corresponding author

Correspondence to Jianfeng Lu.


Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Lu, J., Xin, Y., Peng, H., Han, J., Lin, F. (2017). Supporting User Authorization Queries in RBAC Systems by Role-Permission Reassignment. In: Wen, S., Wu, W., Castiglione, A. (eds) Cyberspace Safety and Security. CSS 2017. Lecture Notes in Computer Science, vol 10581. Springer, Cham. https://doi.org/10.1007/978-3-319-69471-9_35


  • DOI: https://doi.org/10.1007/978-3-319-69471-9_35


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-69470-2

  • Online ISBN: 978-3-319-69471-9

  • eBook Packages: Computer Science (R0)
