X-GTRBAC Admin: A decentralized administration model for enterprise-wide access control

Published: 01 November 2005

Abstract

The modern enterprise spans several functional units or administrative domains with diverse authorization requirements. Access control policies in an enterprise environment typically express these requirements as authorization constraints. While desirable for access control, constraints can lead to conflicts in the overall policy of a multidomain environment. The administration problem for enterprise-wide access control therefore includes not only authorization management for users and resources within a single domain but also conflict resolution among the heterogeneous access control policies of multiple domains, so that the domains can interoperate securely within the enterprise. This work presents the design and implementation of X-GTRBAC Admin, an administration model that enables administration of role-based access control (RBAC) policies in the presence of constraints, with support for conflict resolution in a multidomain environment. A key feature of the model is that it decentralizes policy administration tasks through the abstraction of administrative domains, which not only simplifies authorization management but is also fundamental to the concept of decentralized conflict resolution presented here. The paper also illustrates the applicability of the outlined administrative concepts in a realistic enterprise environment using an implementation prototype that facilitates policy administration in large enterprises.


Published In

ACM Transactions on Information and System Security, Volume 8, Issue 4
November 2005
108 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/1108906

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. XML
  2. policy administration
  3. role-based access control
  4. secure interoperation

Cited By

  • (2021) Role-Based Administration of Role-Based Smart Home IoT. Proceedings of the 2021 ACM Workshop on Secure and Trustworthy Cyber-Physical Systems, 49-58. DOI: 10.1145/3445969.3450426. Online publication date: 28-Apr-2021.
  • (2016) Securing Loosely-Coupled Collaboration in Cloud Environment through Dynamic Detection and Removal of Access Conflicts. IEEE Transactions on Cloud Computing 4(3), 349-362. DOI: 10.1109/TCC.2014.2361527. Online publication date: 1-Jul-2016.
  • (2015) A Framework for Composition and Enforcement of Privacy-Aware and Context-Driven Authorization Mechanism for Multimedia Big Data. IEEE Transactions on Multimedia 17(9), 1484-1494. DOI: 10.1109/TMM.2015.2458299. Online publication date: 10-Aug-2015.
  • (2015) Risk Aware Query Replacement Approach for Secure Databases Performance Management. IEEE Transactions on Dependable and Secure Computing 12(2), 217-229. DOI: 10.1109/TDSC.2014.2306675. Online publication date: Mar-2015.
  • (2014) Collaborative Policy Administration. IEEE Transactions on Parallel and Distributed Systems 25(2), 498-507. DOI: 10.1109/TPDS.2013.147. Online publication date: 1-Feb-2014.
  • (2012) XFPM-RBAC: XML-based specification language for security policies in multidomain mobile networks. Security and Communication Networks 6(12), 1420-1444. DOI: 10.1002/sec.411. Online publication date: 27-Jan-2012.
  • (2011) RBAC for High Performance Computing Systems Integration in Grid Computing and Cloud Computing. Proceedings of the 2011 IEEE International Symposium on Parallel and Distributed Processing Workshops and PhD Forum, 914-921. DOI: 10.1109/IPDPS.2011.237. Online publication date: 16-May-2011.
  • (2011) Security analysis of GTRBAC and its variants using model checking. Computers and Security 30(2-3), 128-147. DOI: 10.1016/j.cose.2010.09.002. Online publication date: 1-Mar-2011.
  • (2009) XML-based policy specification framework for spatiotemporal access control. Proceedings of the 2nd International Conference on Security of Information and Networks, 98-103. DOI: 10.1145/1626195.1626220. Online publication date: 6-Oct-2009.
  • (2008) Towards movement-aware access control. Proceedings of the SIGSPATIAL ACM GIS 2008 International Workshop on Security and Privacy in GIS and LBS, 39-45. DOI: 10.1145/1503402.1503410. Online publication date: 4-Nov-2008.
