Skip to main content
SpringerLink
Log in

A graph theoretic approach to authorization delegation and conflict resolution in decentralised systems

  • Published:
Distributed and Parallel Databases Aims and scope Submit manuscript

Abstract

The problem of resolving conflicts in delegated authorizations has not been systematically addressed by researchers. In (Ruan and Varadharajan in Proceedings of the 7th Australasian Conference on Information Security and Privacy, pp. 271–285, 2002) we proposed a graph based framework that supports authorization delegation and conflict resolution. In this paper, we have extended the model to allow grantors of delegations to express degrees of certainties about their delegations and grants of authorizations. This expression of certainty gives the subjects (e.g. users) more flexibility to control their delegations of access rights. We propose a new conflict resolution policy based on weighted lengths of authorization paths. This policy provides a greater degree of flexibility in that it enables to specify and analyse the effect of predecessor-successor relationship as well as the weights of authorizations on the conflicts. We present a detailed algorithm to evaluate authorization delegations and conflict resolutions. The correctness proof and time complexity of the algorithm are also provided. Since in a dynamic environment, the authorization state is not static, we have considered how authorization state changes occur and have developed an algorithm to analyse authorization state transformations and given correctness proofs. Finally, we discuss how to achieve a global decision policy from local authorization policies in a distributed environment. Three integration models based on the degrees of node autonomy are proposed, and different strategies of integrating the local policies into the global policies in each model are systematically discussed.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Similar content being viewed by others

References

  1. Abadi, M., Burrows, M., Lampson, B., Plotkin, G.: A calculus for access control in distributed systems. ACM Trans. Program. Lang. Syst. 15(4), 706–734 (1993)

    Article  Google Scholar 

  2. Barka, E., Sandhu, R.: Framework for role-based delegation models. In: Proceedings of 16th Annual Computer Security Applications Conference, pp. 168–176 (2000)

  3. Bertino, E., Samarati, P., Jajodia, S.: An extended authorization model for relational databases. IEEE Trans. Knowl. Data Eng. 9(1), 85–101 (1997)

    Article  Google Scholar 

  4. Bertino, E., Jajodia, S., Samarati, P.: A flexible authorization mechanism for relational data management systems. ACM Trans. Inf. Syst. 17(2), 101–140 (1999)

    Article  Google Scholar 

  5. Bertino, E., Buccafurri, F., Ferrari, E., Rullo, P.: A logical framework for reasoning on data access control policies. In: Proceedings of the 12th IEEE Computer Society Foundations Workshop, pp. 175–189. IEEE Computer Society Press, Los Alamitos (1999)

    Chapter  Google Scholar 

  6. Castano, S., Fugini, M., Martella, G., Samarati, P.: Database Security. Addison-Wesley, Reading (1995)

    MATH  Google Scholar 

  7. Essmayr, W., Kastner, F., Preishuber, S., et al.: Access controls for federated database environments-taxonomy of design choices. In: Joint IFIP TC 6 & 11 Working Conference on Communications and Multimedia Security. Graz, Austria, September 1995, pp. 117–132. Chapman & Hall, London (1995)

    Google Scholar 

  8. Fagin, R.: On an authorization mechanism. ACM Trans. Database Syst. 3, 310–319 (1978)

    Article  Google Scholar 

  9. Gal-Oz, N., Gudes, E., Fernandez, E.B.: A model of methods access authorization in object-oriented databases. In: Proceedings of International Conference on Very Large Data Bases, pp. 52–61 (1993)

  10. Jajodia, S., Samarati, P., Subrahmanian, V.S.: A logical language for expressing authorizations. In: Proceedings of the 1997 IEEE Symposium on Security and Privacy, pp. 31–42. IEEE Computer Society Press, Los Alamitos (1997)

    Google Scholar 

  11. Jaeger, T., Tidswell, J.E.: Practical safety in flexible access control models. ACM Trans. Inf. Syst. Secur. 4(2), 158–190 (2001)

    Article  Google Scholar 

  12. Jajodia, S., Samarati, P., Subrahmanian, V.S., Bertino, E.: A unified framework for enforcing multiple access control policies. In: Proceedings of ACM SIGMOD Conference on Management of Data, pp. 474–485 (1997)

  13. Koch, M., Mancini, L.V., Parisi-Presicce, F.: Administrative scope in the graph-based framework. In: Proceedings of the ninth ACM Symposium on Access control Models and Technologies, pp. 97–104 (2004)

  14. Li, N., Grosof, B.N., Feigenbaum, J.: Delegation logic: a logic-based approach to distributed authorization. ACM Trans. Inf. Syst. Secur. 6(1), 128–171 (2003)

    Article  Google Scholar 

  15. Lunt, T.F., Denning, D.E., Scheel, R.R., Heckman, M., Shockley, W.R.: The SeaView security model. IEEE Trans. Softw. Eng. 16(6), 593–607 (1990)

    Article  Google Scholar 

  16. Lipton, R.J., Snyder, L.: A linear time algorithm for deciding subject security. J. ACM 24(3), 455–464 (1977)

    Article  MATH  MathSciNet  Google Scholar 

  17. Nyanchama, M., Osborn, S.L.: The role graph model and conflict of interest. ACM Trans. Inf. Syst. Secur. 1(2), 3–33 (1999)

    Article  Google Scholar 

  18. Rosen, K.H.: Discrete Mathematics and Its Applications. McGraw-Hill, New York (1991)

    Google Scholar 

  19. Ruan, C., Varadharajan, V.: Resolving conflicts in authorization delegations, 2002. In: Proceedings of the 7th Australasian Conference on Information Security and Privacy, pp. 271–285 (2002)

  20. Rabitti, F., Bertino, E., Kim, W., Woelk, D.: A model of authorization for next generation database systems. ACM Trans. Database Syst. 16(1), 88–131 (1991)

    Article  Google Scholar 

  21. Sandhu, R., Samarati, P.: Access control: principles and practice. IEEE Commun. 32(9), 40–48 (1994)

    Article  Google Scholar 

  22. Sandhu, R.: A perspective on graphs and access control models. In: ICGT, pp. 2–12 (2004)

  23. Schaad, A.: Conflict detection in a role-based delegation model. In: Proceedings of Annual Computer Security Applications Conference (2001)

  24. Satyanarayanan, M.: Integrating security in a large distributed system. ACM Trans. Comput. Syst. 7(3), 247–280 (1989)

    Article  Google Scholar 

  25. Woo, T., Lam, S.: Authorization in distributed systems: a formal approach. In: Proceedings of IEEE on Research in Security and Privacy, pp. 33–50 (1992)

  26. Zhang, X., Oh, S., Sandhu, R.: PBDM: a flexible delegation model in RBAC. In: Proceedings of the 8th ACM Symposium on Access Control Models and Technologies (2003)

Download references

Author information

Authors and Affiliations

  1. School of Computing and Mathematics, University of Western Sydney, Penrith South, DC, NSW 1797, Australia

    Chun Ruan & Vijay Varadharajan

  2. Department of Computing, Macquarie University, North Ryde, NSW 2109, Australia

    Vijay Varadharajan

Authors
  1. Chun Ruan
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Vijay Varadharajan
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Chun Ruan.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Ruan, C., Varadharajan, V. A graph theoretic approach to authorization delegation and conflict resolution in decentralised systems. Distrib Parallel Databases 27, 1–29 (2010). https://doi.org/10.1007/s10619-009-7044-9

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10619-009-7044-9

Keywords

Search

Navigation