
Delegation in role-based access control

  • Special issue paper
  • International Journal of Information Security

Abstract

User delegation is a mechanism for assigning access rights available to one user to another user. A delegation can be either a grant or a transfer operation. Existing work on delegation in the context of role-based access control models has extensively studied grant delegations, but transfer delegations have largely been ignored, mainly because enforcing transfer delegation policies is more complex than enforcing grant delegation policies. This paper primarily studies transfer delegations for role-based access control models; we also include grant delegations in our model for completeness. We present various mechanisms that authorize delegations in our model. In particular, we show that using administrative scope to authorize delegations is more efficient than using relations. We also discuss the enforcement and revocation of delegations. Finally, we study delegation in the context of workflow systems. In particular, we demonstrate the application of the administrative scope and administrative domain concepts to control delegation of tasks in worklist-based workflow systems.
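The abstract distinguishes grant delegation (the delegator keeps the role) from transfer delegation (the delegator loses it), and says delegations can be authorized by administrative scope. The following is an added example, not code from the paper or its authors, showing one way to model both kinds of delegation, their revocation, and a scope-based authorization check. It assumes a small constructed role hierarchy, and its authorization rule, that a user may delegate role r only when r lies in the administrative scope of a role the user holds directly, is this example's own choice; the administrative scope definition itself follows Crampton and Loizou's formulation (a role s junior to r is in r's scope when every senior of s that is not senior to r is itself junior to r).

```python
# Added example, not the paper's code: a toy RBAC state with grant and transfer
# delegation, revocation, and scope-based authorization of delegations.
# Assumptions: the role hierarchy is constructed, and the rule "u may delegate
# role r only if r lies in the administrative scope of a role u holds directly"
# is this example's own choice, not necessarily the paper's.
from dataclasses import dataclass, field

# Constructed hierarchy as (junior, senior) pairs.
HIERARCHY = {("Employee", "Engineer"), ("Employee", "QA"),
             ("Engineer", "ProjectLead"), ("QA", "ProjectLead"),
             ("ProjectLead", "Director")}


def _closure(role, step):
    """Reflexive transitive closure of role under a one-hop function."""
    result, frontier = {role}, {role}
    while frontier:
        frontier = set().union(*(step(r) for r in frontier)) - result
        result |= frontier
    return result


def seniors(role):  # all roles >= role
    return _closure(role, lambda r: {s for j, s in HIERARCHY if j == r})


def juniors(role):  # all roles <= role
    return _closure(role, lambda r: {j for j, s in HIERARCHY if s == r})


def admin_scope(r):
    """Administrative scope of r (Crampton and Loizou): roles s <= r such that
    every senior of s not above r is itself below r, i.e. no role outside
    r's control sits above s."""
    return {s for s in juniors(r) if seniors(s) - seniors(r) <= juniors(r)}


@dataclass(frozen=True)
class Delegation:
    delegator: str
    delegatee: str
    role: str
    kind: str  # "grant": delegator keeps the role; "transfer": delegator loses it


@dataclass
class RBACState:
    ua: dict                                         # user -> directly assigned roles
    delegations: list = field(default_factory=list)  # active Delegation records
    suspended: dict = field(default_factory=dict)    # user -> roles transferred away

    def direct_roles(self, user):
        """Assigned or delegated-in roles, minus roles transferred away."""
        held = set(self.ua.get(user, ())) | {d.role for d in self.delegations if d.delegatee == user}
        return held - self.suspended.get(user, set())

    def effective_roles(self, user):
        """Direct roles plus everything inherited below them."""
        direct = self.direct_roles(user)
        inherited = set().union(*(juniors(r) for r in direct)) if direct else set()
        return inherited - self.suspended.get(user, set())

    def can_delegate(self, delegator, role):
        """Authorize by the administrative scope of a directly held role."""
        return any(role in admin_scope(h) for h in self.direct_roles(delegator))

    def delegate(self, delegator, delegatee, role, kind):
        """Enforce the policy; a transfer also takes the role from the delegator."""
        if kind not in ("grant", "transfer") or not self.can_delegate(delegator, role):
            return False
        self.delegations.append(Delegation(delegator, delegatee, role, kind))
        if kind == "transfer":
            self.suspended.setdefault(delegator, set()).add(role)
        return True

    def revoke(self, delegator, delegatee, role):
        """Drop the delegation; revoking a transfer restores the delegator's role."""
        for d in self.delegations:
            if (d.delegator, d.delegatee, d.role) == (delegator, delegatee, role):
                self.delegations.remove(d)
                if d.kind == "transfer":
                    self.suspended[delegator].discard(role)
                return True
        return False


def demo():
    """Constructed scenario; returns the observations a policy test would check."""
    st = RBACState(ua={"alice": {"Director"}, "bob": {"Engineer"}, "carol": {"QA"}, "dave": {"Employee"}})
    out = {"bob_delegates_employee": st.can_delegate("bob", "Employee"),  # QA also sits above Employee
           "alice_delegates_employee": st.can_delegate("alice", "Employee"),
           "transfer": st.delegate("bob", "dave", "Engineer", "transfer")}
    out["bob_after_transfer"] = st.effective_roles("bob")
    out["dave_after_transfer"] = st.effective_roles("dave")
    out["grant"] = st.delegate("alice", "carol", "ProjectLead", "grant")
    out["alice_keeps_role"] = "ProjectLead" in st.effective_roles("alice")
    out["carol_after_grant"] = st.effective_roles("carol")
    out["revoke"] = st.revoke("bob", "dave", "Engineer")
    out["bob_after_revoke"] = st.effective_roles("bob")
    return out
```

Calling `demo()` walks through the scenario: an Engineer cannot delegate Employee, because QA also sits above Employee and so Employee is outside the Engineer role's administrative scope, while a Director can; a transfer of Engineer from bob to dave leaves bob with no effective roles until the delegation is revoked, whereas alice's grant of ProjectLead to carol leaves alice's own roles untouched. The scope check is a single set computation on the hierarchy, which is the point the abstract makes about scope-based authorization being cheaper than maintaining explicit can-delegate relations.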



Corresponding author

Correspondence to Jason Crampton.


Cite this article

Crampton, J., Khambhammettu, H. Delegation in role-based access control. Int. J. Inf. Secur. 7, 123–136 (2008). https://doi.org/10.1007/s10207-007-0044-8
