Abstract
Delegation models based on role-based access control (RBAC) management are known as a flexible and efficient form of access management for data sharing in distributed environments. Delegation revocation is a significant function of these models in a distributed environment: it is needed when delegated roles or permissions have to be taken back. However, problems may arise in the revocation process when one user delegates a role to user U and another user delegates to U a negative authorization of the same role.
This paper analyses various role-based delegation revocation features through examples. Revocations are categorized along four dimensions: Dependency, Resilience, Propagation and Dominance. According to these dimensions, sixteen types of revocation exist for specific requests in access management: DependentWeakLocalDelete, DependentWeakLocalNegative, DependentWeakGlobalDelete, DependentWeakGlobalNegative, IndependentWeakLocalDelete, IndependentWeakLocalNegative, IndependentWeakGlobalDelete, IndependentWeakGlobalNegative, and so on. We present revocation delegating models, then discuss user delegation authorization and the impact of revocation operations. Finally, comparisons with other related work are given.
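The conflict and the four revocation dimensions described in the abstract, as an added illustration that is not code from the paper: a toy delegation graph whose `revoke()` takes one boolean per dimension. The meaning assigned to each dimension, the rule that a negative authorization dominates positive ones, and the user and role names are assumptions made for this example.

```python
# Added example, not from the paper. Semantics of each dimension are ASSUMED:
#   Dependency  (dependent):  only a user who delegated the role may revoke it
#   Dominance   (strong):     also revoke what other grantors gave the grantee
#   Propagation (global_):    cascade to delegations the grantee made onward
#   Resilience  (negative):   leave a negative authorization that blocks re-grants
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Delegation:
    grantor: str
    grantee: str
    role: str
    positive: bool = True  # False = negative authorization of the role


@dataclass
class DelegationGraph:
    grants: set = field(default_factory=set)

    def delegate(self, grantor, grantee, role, positive=True):
        self.grants.add(Delegation(grantor, grantee, role, positive))

    def holds(self, user, role):
        # Assumed conflict rule: any negative authorization dominates positives.
        mine = [d for d in self.grants if d.grantee == user and d.role == role]
        return any(d.positive for d in mine) and not any(not d.positive for d in mine)

    def revoke(self, revoker, grantee, role, dependent=True, strong=False,
               global_=False, negative=False):
        own = {d for d in self.grants if d.positive and d.grantee == grantee
               and d.role == role and d.grantor == revoker}
        if dependent and not own:
            raise PermissionError(f"{revoker} never delegated {role} to {grantee}")
        if strong:  # Dominance: remove positive grants from every grantor
            doomed = {d for d in self.grants
                      if d.positive and d.grantee == grantee and d.role == role}
        else:       # weak: remove only the revoker's own delegation
            doomed = own
        self.grants -= doomed
        if negative:  # Resilience: later re-delegations stay ineffective
            self.grants.add(Delegation(revoker, grantee, role, positive=False))
        if global_:   # Propagation: edges are removed first, so cycles terminate
            onward = [d for d in self.grants
                      if d.positive and d.grantor == grantee and d.role == role]
            for d in onward:
                self.revoke(grantee, d.grantee, role, dependent, strong, global_, negative)
```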
© 2008 Springer-Verlag Berlin Heidelberg
Cite this paper
Wang, H., Cao, J. (2008). Delegating Revocations and Authorizations. In: ter Hofstede, A., Benatallah, B., Paik, HY. (eds) Business Process Management Workshops. BPM 2007. Lecture Notes in Computer Science, vol 4928. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-78238-4_29
DOI: https://doi.org/10.1007/978-3-540-78238-4_29
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-78237-7
Online ISBN: 978-3-540-78238-4
eBook Packages: Computer Science (R0)