Abstract
Efficient collaboration allows organizations and individuals to improve the efficiency and quality of their business activities. Delegations, as a significant approach, may occur as workflow collaborations, supply chain collaborations, or collaborative commerce. Role-based delegation models have been used as flexible and efficient access management for collaborative business environments. Delegation revocations can provide significant functionality for these models in business environments when delegated roles or permissions need to be taken back. However, problems may arise in the revocation process when one user delegates a role to user U and another user delegates to U a negative authorization of that role. This paper aims to analyse various role-based delegation revocation features through examples. Revocations are categorized in four dimensions: Dependency, Resilience, Propagation and Dominance. According to these dimensions, sixteen types of revocations exist for specific requests in collaborative business environments: DependentWeakLocalDelete, DependentWeakLocalNegative, DependentWeakGlobalDelete, DependentWeakGlobalNegative, IndependentWeakLocalDelete, IndependentWeakLocalNegative, IndependentWeakGlobalDelete, IndependentWeakGlobalNegative, and so on. We present revocation delegating models, and then discuss user delegation authorization and the impact of revocation operations. Finally, comparisons with other related work are discussed.









Cite this article
Wang, H., Cao, J. & Zhang, Y. Delegating revocations and authorizations in collaborative business environments. Inf Syst Front 11, 293–305 (2009). https://doi.org/10.1007/s10796-008-9091-6
DOI: https://doi.org/10.1007/s10796-008-9091-6