Abstract
The problem of resolving conflicts in delegated authorizations has not been systematically addressed by researchers. In (Ruan and Varadharajan in Proceedings of the 7th Australasian Conference on Information Security and Privacy, pp. 271–285, 2002) we proposed a graph based framework that supports authorization delegation and conflict resolution. In this paper, we have extended the model to allow grantors of delegations to express degrees of certainties about their delegations and grants of authorizations. This expression of certainty gives the subjects (e.g. users) more flexibility to control their delegations of access rights. We propose a new conflict resolution policy based on weighted lengths of authorization paths. This policy provides a greater degree of flexibility in that it enables to specify and analyse the effect of predecessor-successor relationship as well as the weights of authorizations on the conflicts. We present a detailed algorithm to evaluate authorization delegations and conflict resolutions. The correctness proof and time complexity of the algorithm are also provided. Since in a dynamic environment, the authorization state is not static, we have considered how authorization state changes occur and have developed an algorithm to analyse authorization state transformations and given correctness proofs. Finally, we discuss how to achieve a global decision policy from local authorization policies in a distributed environment. Three integration models based on the degrees of node autonomy are proposed, and different strategies of integrating the local policies into the global policies in each model are systematically discussed.
Similar content being viewed by others
References
Abadi, M., Burrows, M., Lampson, B., Plotkin, G.: A calculus for access control in distributed systems. ACM Trans. Program. Lang. Syst. 15(4), 706–734 (1993)
Barka, E., Sandhu, R.: Framework for role-based delegation models. In: Proceedings of 16th Annual Computer Security Applications Conference, pp. 168–176 (2000)
Bertino, E., Samarati, P., Jajodia, S.: An extended authorization model for relational databases. IEEE Trans. Knowl. Data Eng. 9(1), 85–101 (1997)
Bertino, E., Jajodia, S., Samarati, P.: A flexible authorization mechanism for relational data management systems. ACM Trans. Inf. Syst. 17(2), 101–140 (1999)
Bertino, E., Buccafurri, F., Ferrari, E., Rullo, P.: A logical framework for reasoning on data access control policies. In: Proceedings of the 12th IEEE Computer Society Foundations Workshop, pp. 175–189. IEEE Computer Society Press, Los Alamitos (1999)
Castano, S., Fugini, M., Martella, G., Samarati, P.: Database Security. Addison-Wesley, Reading (1995)
Essmayr, W., Kastner, F., Preishuber, S., et al.: Access controls for federated database environments-taxonomy of design choices. In: Joint IFIP TC 6 & 11 Working Conference on Communications and Multimedia Security. Graz, Austria, September 1995, pp. 117–132. Chapman & Hall, London (1995)
Fagin, R.: On an authorization mechanism. ACM Trans. Database Syst. 3, 310–319 (1978)
Gal-Oz, N., Gudes, E., Fernandez, E.B.: A model of methods access authorization in object-oriented databases. In: Proceedings of International Conference on Very Large Data Bases, pp. 52–61 (1993)
Jajodia, S., Samarati, P., Subrahmanian, V.S.: A logical language for expressing authorizations. In: Proceedings of the 1997 IEEE Symposium on Security and Privacy, pp. 31–42. IEEE Computer Society Press, Los Alamitos (1997)
Jaeger, T., Tidswell, J.E.: Practical safety in flexible access control models. ACM Trans. Inf. Syst. Secur. 4(2), 158–190 (2001)
Jajodia, S., Samarati, P., Subrahmanian, V.S., Bertino, E.: A unified framework for enforcing multiple access control policies. In: Proceedings of ACM SIGMOD Conference on Management of Data, pp. 474–485 (1997)
Koch, M., Mancini, L.V., Parisi-Presicce, F.: Administrative scope in the graph-based framework. In: Proceedings of the ninth ACM Symposium on Access control Models and Technologies, pp. 97–104 (2004)
Li, N., Grosof, B.N., Feigenbaum, J.: Delegation logic: a logic-based approach to distributed authorization. ACM Trans. Inf. Syst. Secur. 6(1), 128–171 (2003)
Lunt, T.F., Denning, D.E., Scheel, R.R., Heckman, M., Shockley, W.R.: The SeaView security model. IEEE Trans. Softw. Eng. 16(6), 593–607 (1990)
Lipton, R.J., Snyder, L.: A linear time algorithm for deciding subject security. J. ACM 24(3), 455–464 (1977)
Nyanchama, M., Osborn, S.L.: The role graph model and conflict of interest. ACM Trans. Inf. Syst. Secur. 1(2), 3–33 (1999)
Rosen, K.H.: Discrete Mathematics and Its Applications. McGraw-Hill, New York (1991)
Ruan, C., Varadharajan, V.: Resolving conflicts in authorization delegations, 2002. In: Proceedings of the 7th Australasian Conference on Information Security and Privacy, pp. 271–285 (2002)
Rabitti, F., Bertino, E., Kim, W., Woelk, D.: A model of authorization for next generation database systems. ACM Trans. Database Syst. 16(1), 88–131 (1991)
Sandhu, R., Samarati, P.: Access control: principles and practice. IEEE Commun. 32(9), 40–48 (1994)
Sandhu, R.: A perspective on graphs and access control models. In: ICGT, pp. 2–12 (2004)
Schaad, A.: Conflict detection in a role-based delegation model. In: Proceedings of Annual Computer Security Applications Conference (2001)
Satyanarayanan, M.: Integrating security in a large distributed system. ACM Trans. Comput. Syst. 7(3), 247–280 (1989)
Woo, T., Lam, S.: Authorization in distributed systems: a formal approach. In: Proceedings of IEEE on Research in Security and Privacy, pp. 33–50 (1992)
Zhang, X., Oh, S., Sandhu, R.: PBDM: a flexible delegation model in RBAC. In: Proceedings of the 8th ACM Symposium on Access Control Models and Technologies (2003)
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Ruan, C., Varadharajan, V. A graph theoretic approach to authorization delegation and conflict resolution in decentralised systems. Distrib Parallel Databases 27, 1–29 (2010). https://doi.org/10.1007/s10619-009-7044-9
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10619-009-7044-9