DOI: 10.1145/2133601.2133631
Short paper

Efficient run-time solving of RBAC user authorization queries: pushing the envelope

Published: 07 February 2012

Abstract

The User Authorization Query (UAQ) Problem for Role-Based Access Control (RBAC) amounts to determining a set of roles to be activated in a given session in order to achieve some permissions while satisfying a collection of authorization constraints governing the activation of roles. Techniques ranging from greedy algorithms to reduction to (variants of) the propositional satisfiability (SAT) problem have been used to tackle the UAQ problem. Unfortunately, available techniques suffer from two major limitations that seem to question their practical usability. On the one hand, authorization constraints over multiple sessions or histories are not considered. On the other hand, the experimental evaluations of the various techniques are not satisfactory since they do not seem to scale to larger RBAC policies.
In this paper, we describe a SAT-based technique to solve the UAQ problem which overcomes these limitations. First, we show how authorization constraints over multiple sessions and histories can be supported. Second, we carefully tune the reduction to the SAT problem so that most of the clauses need not be generated at run-time but only in a pre-processing step. Finally, we present an extensive experimental evaluation of an implementation of our techniques on a significant set of UAQ problem instances that show the practical viability of our approach; e.g., problems with 300 roles are solved in less than a second.
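
Added example (not from the paper or its authors): a small UAQ instance encoded as CNF, with the policy clauses built once in a pre-processing step and only unit clauses added per query. The policy, the encoding, the toy DPLL solver, and the treatment of a history constraint as a set of barred roles are all assumptions made for illustration.

```python
# Constructed policy for illustration (not taken from the paper).
ROLE_PERMS = {
    "teller": {"deposit", "view_account"},
    "auditor": {"read_audit_log", "view_account"},
    "manager": {"approve_loan", "view_account"},
    "clerk": {"deposit"},
}
DMER = [("teller", "auditor")]  # never both active in one session
PERMS = sorted(set().union(*ROLE_PERMS.values()))
VAR = {name: i + 1 for i, name in enumerate(list(ROLE_PERMS) + PERMS)}

def static_clauses():
    """Pre-processing: clauses that depend only on the policy."""
    clauses = []
    for role, perms in ROLE_PERMS.items():
        # an active role yields each of its permissions
        clauses += [[-VAR[role], VAR[p]] for p in sorted(perms)]
    for p in PERMS:
        # a held permission must come from some active role
        clauses.append([-VAR[p]] + [VAR[r] for r in ROLE_PERMS if p in ROLE_PERMS[r]])
    clauses += [[-VAR[a], -VAR[b]] for a, b in DMER]
    return clauses

def solve(clauses, model=frozenset()):
    """Toy DPLL; returns a frozenset of true literals, or None if unsatisfiable."""
    remaining = []
    for clause in clauses:
        if any(lit in model for lit in clause):
            continue  # clause already satisfied
        rest = [lit for lit in clause if -lit not in model]
        if not rest:
            return None  # every literal falsified
        remaining.append(rest)
    if not remaining:
        return model
    lit = min(remaining, key=len)[0]  # prefers unit clauses
    for choice in (lit, -lit):
        result = solve(remaining, model | {choice})
        if result is not None:
            return result
    return None

STATIC = static_clauses()

def uaq(wanted, allowed, barred_by_history=()):
    """Run time: add unit clauses only, then read the active roles off the model."""
    units = [[VAR[p]] for p in sorted(wanted)]
    units += [[-VAR[p]] for p in PERMS if p not in allowed]
    units += [[-VAR[r]] for r in barred_by_history]
    model = solve(STATIC + units)
    return None if model is None else {r for r in ROLE_PERMS if VAR[r] in model}
```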

Published In

CODASPY '12: Proceedings of the second ACM conference on Data and Application Security and Privacy
February 2012
338 pages
ISBN:9781450310918
DOI:10.1145/2133601
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. mutually exclusive roles
  2. role based access control
  3. sat

Qualifiers

  • Short-paper

Conference

CODASPY'12
Acceptance Rates

CODASPY '12 Paper Acceptance Rate 21 of 113 submissions, 19%;
Overall Acceptance Rate 149 of 789 submissions, 19%

Article Metrics

  • Downloads (Last 12 months)4
  • Downloads (Last 6 weeks)2
Reflects downloads up to 20 Feb 2025

Cited By

  • (2021) Towards Better Understanding of User Authorization Query Problem via Multi-variable Complexity Analysis. ACM Transactions on Privacy and Security 24:3 (1-22). DOI: 10.1145/3450768. Online publication date: 19-Aug-2021
  • (2020) AQUA. Proceedings of the 25th ACM Symposium on Access Control Models and Technologies (153-154). DOI: 10.1145/3381991.3396225. Online publication date: 10-Jun-2020
  • (2020) Benchmarking UAQ Solvers. Proceedings of the 25th ACM Symposium on Access Control Models and Technologies (145-152). DOI: 10.1145/3381991.3395616. Online publication date: 10-Jun-2020
  • (2017) Towards an Efficient Approximate Solution for the Weighted User Authorization Query Problem. IEICE Transactions on Information and Systems E100.D:8 (1762-1769). DOI: 10.1587/transinf.2016ICP0002. Online publication date: 2017
  • (2017) Supporting User Authorization Queries in RBAC Systems by Role-Permission Reassignment. Cyberspace Safety and Security (468-476). DOI: 10.1007/978-3-319-69471-9_35. Online publication date: 21-Oct-2017
  • (2015) Hard Instances for Verification Problems in Access Control. Proceedings of the 20th ACM Symposium on Access Control Models and Technologies (161-164). DOI: 10.1145/2752952.2752959. Online publication date: 1-Jun-2015
  • (2015) Towards complexity analysis of User Authorization Query problem in RBAC. Computers and Security 48:C (116-130). DOI: 10.1016/j.cose.2014.10.003. Online publication date: 1-Feb-2015
  • (2012) Mitigating the intractability of the user authorization query problem in role-based access control (RBAC). Proceedings of the 6th international conference on Network and System Security (516-529). DOI: 10.1007/978-3-642-34601-9_39. Online publication date: 21-Nov-2012
