ABSTRACT
A key issue in RBAC systems is how to efficiently handle the user authorization process, that is, whether or not to grant a user's request to acquire a set of requested permissions or to activate a set of requested roles in a single session. The presence of hybrid hierarchies, together with cardinality and dynamic separation of duty (DSoD) constraints, makes the issue more complex. In this paper, we define this issue as the user authorization query (UAQ) problem, consisting of a role mapping problem and an activation checking problem. We also propose a set of algorithms to solve the role mapping and activation checking problems. We show that our model is practical and flexible, and can deal with various cases in the presence of a hybrid hierarchy and cardinality/DSoD constraints.
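The following is an added illustration of the two halves of the UAQ problem described above, not code from the paper: role mapping finds the candidate role sets whose permissions cover a request (preferring fewer roles and fewer extra permissions), and activation checking filters them against DSoD and cardinality constraints. The RBAC state, the role and permission names, and the I/A/IA edge labels used to model the hybrid hierarchy are all constructed assumptions.

```python
from itertools import combinations
# Constructed sample RBAC state (an assumption, not data from the paper).
# Hybrid-hierarchy edges are (senior, junior, kind):
#   "I"  senior inherits junior's permissions but cannot activate junior
#   "A"  a user who can activate senior may activate junior; no inheritance
#   "IA" both relations hold
ROLE_PERMS = {"Doctor": {"prescribe"}, "Nurse": {"update_vitals"},
              "Pharmacist": {"dispense"}, "Clerk": {"read_chart"}}
HIERARCHY = [("Doctor", "Nurse", "I"), ("Nurse", "Clerk", "IA"),
             ("Pharmacist", "Clerk", "A")]
USER_ROLES = {"alice": {"Doctor", "Pharmacist"}}
DSOD = [({"Doctor", "Pharmacist"}, 2)]   # fewer than n roles of the set may be active together
CARDINALITY = {"Doctor": 2, "Clerk": 1}  # max concurrent activations of a role
ACTIVE_COUNT = {"Doctor": 1, "Clerk": 1} # activations already held by other sessions

def reach(role, kinds):
    """Roles reachable from role over edges whose kind is in kinds (role included)."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(j for s, j, k in HIERARCHY if s == r and k in kinds)
    return seen

def perms_of(role):            # permissions acquired by activating role
    return set().union(*(ROLE_PERMS[r] for r in reach(role, {"I", "IA"})))

def activatable(user):         # roles the user may activate in a session
    return set().union(*(reach(r, {"A", "IA"}) for r in USER_ROLES[user]))

def role_mapping(user, requested):
    """Role sets covering requested perms: fewest roles, then fewest extra perms."""
    roles, cands = sorted(activatable(user)), []
    for k in range(1, len(roles) + 1):
        for combo in combinations(roles, k):
            granted = set().union(*(perms_of(r) for r in combo))
            if requested <= granted:
                cands.append((k, len(granted - requested), sorted(combo)))
    return [set(c) for _, _, c in sorted(cands)]

def activation_check(roles):   # DSoD and per-role cardinality constraints
    dsod_ok = all(len(roles & s) < n for s, n in DSOD)
    card_ok = all(ACTIVE_COUNT.get(r, 0) < CARDINALITY.get(r, float("inf")) for r in roles)
    return dsod_ok and card_ok

def uaq(user, requested):
    """First candidate role set that passes activation checking, or None (deny)."""
    return next((rs for rs in role_mapping(user, requested) if activation_check(rs)), None)
```

Note that alice can never activate Nurse (only an I edge leads there) but can activate Clerk through the A edge from Pharmacist, and that a request for read_chart falls back from the least-privilege choice Clerk to Doctor because Clerk's cardinality is exhausted.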
UAQ: a framework for user authorization query processing in RBAC extended with hybrid hierarchy and constraints