DOI: 10.1145/1809842.1809861

Capability-based delegation model in RBAC

Published: 11 June 2010

Abstract

For flexible and dynamic resource management in environments where users collaborate to fulfill their common tasks, various attempts at modeling delegation of authority have been proposed using the role-based access control (RBAC) model. However, to achieve a higher level of collaboration in large-scale networked systems, it is worthwhile supporting cross-domain delegation with low administration cost. For that purpose, we propose a capability-role-based access control (CRBAC) model, by integrating a capability-based access control mechanism into the RBAC96 model. Central to this scheme is the mapping of capabilities to permissions as well as to roles in each domain, thereby realizing the delegation of permissions and roles by capability transfer. By taking this approach of capability-based access control, our model has the advantages of flexibility and reduced administration costs. We also demonstrate the effectiveness of our model by using examples of various types of delegation in clinical information systems.
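The abstract describes delegation as the transfer of capabilities that are mapped to permissions or to roles of a domain, alongside ordinary RBAC role assignment. The Python sketch below is an added illustration of that idea, not the paper's formal CRBAC definitions: the domain names, users, the one-hop `transferable` flag and the clinical scenario are assumptions of this example.

```python
from dataclasses import dataclass, replace

# A capability names a permission ("perm") or a role ("role") of one domain;
# holding it grants that permission, or that role's permissions, in that domain.
# 'transferable' is this example's assumption: a holder may delegate it once.
@dataclass(frozen=True)
class Capability:
    domain: str
    kind: str
    target: str
    transferable: bool = True

class CRBAC:
    def __init__(self, domains):
        self.domains = domains      # domain -> {role -> set of permissions}
        self.assignments = {}       # (user, domain) -> set of roles
        self.held = {}              # user -> set of capabilities held
    def assign_role(self, user, domain, role):
        self.assignments.setdefault((user, domain), set()).add(role)
    def issue(self, user, cap):     # a domain's authority mints a capability
        self.held.setdefault(user, set()).add(cap)
    def delegate(self, giver, receiver, cap):
        """Delegation is capability transfer: refused unless the giver really holds
        the capability and it is transferable; the receiver gets a one-hop copy."""
        if cap not in self.held.get(giver, set()) or not cap.transferable:
            return False
        self.held.setdefault(receiver, set()).add(replace(cap, transferable=False))
        return True
    def permitted(self, user, domain, perm):
        roles = self.domains[domain]
        if any(perm in roles[r] for r in self.assignments.get((user, domain), ())):
            return True             # ordinary RBAC path: an assigned role carries perm
        return any(c.domain == domain and (                  # capability path
            (c.kind == "perm" and c.target == perm) or
            (c.kind == "role" and perm in roles.get(c.target, ())))
            for c in self.held.get(user, ()))

def demo():
    # Constructed scenario: a hospital and a clinic domain, one cross-domain
    # delegation (clinic role to a hospital physician) and one in-domain one.
    s = CRBAC({"hospital": {"physician": {"read", "prescribe"}, "nurse": {"read"}},
               "clinic": {"consultant": {"read"}}})
    s.assign_role("alice", "hospital", "physician")
    consult = Capability("clinic", "role", "consultant")    # issued to alice by the clinic
    rx = Capability("hospital", "perm", "prescribe")        # issued to alice by the hospital
    s.issue("alice", consult); s.issue("alice", rx)
    return {
        "alice_clinic_read": s.permitted("alice", "clinic", "read"),   # via role capability
        "bob_gets_consult": s.delegate("alice", "bob", consult),
        "bob_clinic_read": s.permitted("bob", "clinic", "read"),       # cross-domain, by transfer
        "bob_gets_rx": s.delegate("alice", "bob", rx),
        "bob_prescribe": s.permitted("bob", "hospital", "prescribe"),
        "carol_gets_rx": s.delegate("bob", "carol", rx),              # bob holds only a one-hop copy
        "mallory_gets_rx": s.delegate("mallory", "carol", rx),        # never held it
    }
```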


Published In

SACMAT '10: Proceedings of the 15th ACM symposium on Access control models and technologies
June 2010
212 pages
ISBN:9781450300490
DOI:10.1145/1809842
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. capability-based access control
  2. delegation
  3. rbac

Qualifiers

  • Research-article

Conference

SACMAT'10

Acceptance Rates

Overall Acceptance Rate 177 of 597 submissions, 30%

Cited By
  • (2022) Secure Delegation Using Enhanced Capability Model. Security and Communication Networks, 2022. DOI: 10.1155/2022/8500278. Online publication date: 1 Jan 2022.
  • (2022) A Blockchain-Based IoT Data Secure Vickery Auction System. Advances in Artificial Intelligence and Security, pp. 119--133. DOI: 10.1007/978-3-031-06764-8_10. Online publication date: 8 Jul 2022.
  • (2021) Delegation of Access Rights. Internet of Things and Access Control, pp. 143--176. DOI: 10.1007/978-3-030-64998-2_6. Online publication date: 28 Jan 2021.
  • (2020) A Distributed Approach to Delegation of Access Rights for Electronic Health Records. 2020 International Conference on Electronics, Information, and Communication (ICEIC), pp. 1--6. DOI: 10.1109/ICEIC49074.2020.9051092. Online publication date: Jan 2020.
  • (2019) Design and implementation of a secure and flexible access-right delegation for resource constrained environments. Future Generation Computer Systems, vol. 99:C, pp. 593--608. DOI: 10.1016/j.future.2019.04.035. Online publication date: 1 Oct 2019.
  • (2017) An ECC-Based Algorithm to Handle Secure Communication Between Heterogeneous IoT Devices. Advances in Electronics, Communication and Computing, pp. 351--362. DOI: 10.1007/978-981-10-4765-7_37. Online publication date: 29 Oct 2017.
  • (2016) A patient-centric approach to delegation of access rights in healthcare information systems. 2016 International Conference on Engineering & MIS (ICEMIS), pp. 1--6. DOI: 10.1109/ICEMIS.2016.7745308. Online publication date: Sep 2016.
  • (2016) A generic Kerberos-based access control system for the cloud. Annals of Telecommunications, vol. 71:9-10, pp. 555--567. DOI: 10.1007/s12243-016-0534-7. Online publication date: 6 Jul 2016.
  • (2016) A Discretionary Delegation Framework for Access Control Systems. On the Move to Meaningful Internet Systems: OTM 2016 Conferences, pp. 865--882. DOI: 10.1007/978-3-319-48472-3_54. Online publication date: 18 Oct 2016.
  • (2015) A novel evaluation criteria to cloud based access control models. Proceedings of the 2015 11th International Conference on Innovations in Information Technology (IIT), pp. 68--73. DOI: 10.1109/INNOVATIONS.2015.7381517. Online publication date: 1 Nov 2015.
