A distributable security management architecture for enterprise systems spanning multiple security domains

Electronic Commerce Research

Abstract

Administering security in modern enterprise systems can be an extremely complex task, mainly because of their large scale and dynamic nature. A robust and flexible model is needed to guarantee both easy management of security information and efficient implementation of security mechanisms. In this paper, we present the foundations and the prototypical implementation of a new access control framework. The framework is mainly targeted at highly dynamic, large enterprise systems (e.g., service provisioning platforms, enterprise portals, etc.), which contain various independent functional entities. The significant advantages gained from applying the framework in such systems are the ease of managing access to their hosted resources (e.g., services) and the possibility of applying distributable management schemes to achieve it. The proposed framework allows for multi-level access control by supporting both role-based and user-based access control schemes. The discussion is structured in three distinct areas: the formal model of the proposed framework, the data model supporting its operation, and the presentation of a prototypical implementation. The development of the framework is based on open technologies such as XML, Java and Directory Services. The last part of the paper presents the results of a performance assessment that aims to quantify the delay overhead imposed by applying the new framework in a real system.

Author information

Corresponding author

Correspondence to Ioannis Priggouris.

Additional information

Ioannis Priggouris received his B.Sc. in Informatics from the Department of Informatics & Telecommunications of the University of Athens, Greece in 1997 and his M.Sc. in Communication Systems and Data Networks from the same Department in 2000. Over the last years he has been a PhD candidate in the department. Since 1999, he has been a member of the Communication Networks Laboratory (CNL) of the University of Athens. As a senior researcher of the CNL he has participated in several EU projects implemented in the context of IST, namely the EURO-CITI and the PoLoS projects. He has also been extensively involved in several National IT Research projects. His research interests are in the areas of mobile computing, QoS and mobility support for IP networks, and network security. He is the author of several papers and book chapters in the aforementioned areas.

Stathes Hadjiefthymiades received his B.Sc. (honors) and M.Sc. in Informatics from the Dept. of Informatics, University of Athens, Greece, in 1993 and 1996 respectively. In 1999 he received his Ph.D. from the University of Athens (Dept. of Informatics and Telecommunications). In 2002 he received a joint engineering-economics M.Sc. from the National Technical University of Athens. In 1992 he joined the Greek consulting firm Advanced Services Group, Ltd., where he was involved in the analysis, design and implementation of telematic applications and other software systems. In 1995 he joined, as a research engineer, the Communication Networks Laboratory (UoA-CNL) of the University of Athens. During the period September 2001-July 2002, he served as a visiting assistant professor at the University of Aegean, Dept. of Information and Communication Systems Engineering. In the summer of 2002 he joined the faculty of the Hellenic Open University (Dept. of Informatics), Patras, Greece, as an assistant professor. Since December 2003, he has been on the faculty of the Dept. of Informatics and Telecommunications, University of Athens, where he is presently an assistant professor and coordinator of the Pervasive Computing Research Group. He has participated in numerous projects realized in the context of EU programs (ACTS, ORA, TAP, and IST), EURESCOM projects, as well as national initiatives. His research interests are in the areas of web engineering, wireless/mobile computing, and networked multimedia applications. He is the author of over 100 publications in the above areas.

About this article

Cite this article

Priggouris, I., Hadjiefthymiades, S. A distributable security management architecture for enterprise systems spanning multiple security domains. Electron Commerce Res 6, 355–388 (2006). https://doi.org/10.1007/s10660-006-8679-5

  • DOI: https://doi.org/10.1007/s10660-006-8679-5
