Specification and enforcement of flexible security policy for active cooperation☆
Section snippets
Introduction and motivation
Today enterprises heavily rely on information systems and applications. As a result many tasks that in the past were carried by humans are today automatically executed by computer systems. As a consequence sharing, interoperating and combining services across multiple enterprises are today easier. To keep ahead in strong competition environments, enterprises should provide flexible and comprehensive services to partners and support active collaborations with partners and customers. Achieving
Related work
RBAC is a widely adopted access control model to secure resources in an information system [17]. In RBAC, permissions are associated with roles, and users acquire permissions by being assigned roles. Roles within an organization typically have overlapping sets of permissions and thus they can be organized according to role hierarchies. Constraints are used to reflect security policies of an organization, like Separation of Duty (SoD) that formulates multi-person control policies to discourage
Active authorization management model
This section first presents an overview of the proposed model and then describes in details the various components of the model.
Calculation of restraint rules
Since security policies are expressed in terms of restraint rules, access control relies on the evaluation of the conditions in restraint rules. In this section, we focus on how to efficiently evaluate conditions. We first explore a new data structure, referred to as condition tree, to encode conditions. Then we discuss how to efficiently evaluate the conditions with the help of key nodes and strong nodes on condition tree. Finally, we give the details of determination process and corresponding
Case study
In this section, we would present a comprehensive example to illustrate how to specify and enforce a flexible security policy by our method.
Suppose that in a supply chain management system, a supermarket enterprise, like Wal-Mart, is planning to enforce following flexible security policies in transaction databases and application systems:
- 1.
Access rights to sensitive information are assigned to users according to the roles they have. Senior roles are assigned more rights than juniors.
- 2.
Users are
System overview
In this section, we would discuss how to integrate the proposed method into legacy systems. Generally, a security administrator of an enterprise is responsible for specifying restraint rules according to security requirements and business missions. The system architecture to implement the proposed model is presented in Fig. 8, in which black thin arrow lines denote commands while thick arrow lines denote data flows. To support interoperation among heterogeneous platform, we adopt XACML to
Conclusions and future work
In this paper we have proposed a novel approach to specify and enforce flexible security policies for active cooperation. It extends the RBAC model with the notion of restraint rules that are enforced by authorization processes. To support flexible policy specification, we introduce the concept impact weight in the conditions of restraint rules. We have also presented the condition tree data structure that efficiently supports condition evaluation. Furthermore, we have discussed the system
Acknowledgements
The authors would like to sincerely appreciate Dr. Ninghui Li, from CERIAS and Department of Computer Science of Purdue University, for his suggestions and comments on this paper. We also thank the anonymous reviewers for their valuable suggestions. Part of the first author’s work was completed when she was as a visiting scholar at Purdue University of US. This work is supported by the National High Technology Research and Development Program (863 Program) of China (2006AA01A113), by the US NSF
References (23)
- R. Adaikkalavan, S. Chakravarthy, Active authorization rules for enforcing role-based access control and its...
- et al.
A content-based authorization model for digital libraries
IEEE Transactions on Knowledge and Data Engineering
(2002) - M.A. AI-Kahtani, R.S. Sandhu, A model for attribute-based user-role assignment, in: Proceedings of 18th Annual Computer...
- M.A. AI-Kahtani, R. Sandhu, Induced role hierarchies with attribute-based RBAC, in: Proceeding of ACM SACMAT, Como...
- et al.
A model of OASIS role-based control and its support for active security
ACM Transaction on Information and System Security (TISSEC)
(2002) - et al.
An extended authorization model
IEEE Transactions on Knowledge and Data Engineering
(1997) Computer Security: Art and Science
(2003)- J. Biskup, S. Wortmann, Towards a credential-based implementation of compound access control policies, in: Proceedings...
- S. Busch, B. Muschall, G. Pernul, T. Priebe, Authrule: a generic rule-based authorization module, in: Proceedings of...
- D.F. Ferraiolo, S. Gavrila, V. Hu, D.R. Kuhn, Composing and combining policies under the policy machine, in:...
Cited by (0)
- ☆
Research supported in part by the National High Technology Research and Development Program (863 Program) of China (2006AA01A113), by the US NSF Grant 0712846 “IPS: Security Services for Healthcare Applications”, by the NSF grant of Shandong Province of China (Y2008G28), and by the sponsor of CERIAS.