Security analysis in role-based access control

Published: 01 November 2006

Abstract

The administration of large role-based access control (RBAC) systems is a challenging problem. In order to administer such systems, decentralization of administration tasks by the use of delegation is an effective approach. While the use of delegation greatly enhances flexibility and scalability, it may reduce the control that an organization has over its resources, thereby diminishing a major advantage RBAC has over discretionary access control (DAC). We propose to use security analysis techniques to maintain desirable security properties while delegating administrative privileges. We give a precise definition of a family of security analysis problems in RBAC, which is more general than the safety analysis studied in the literature. We show that two classes of problems in the family can be reduced to similar analysis in the RT[↞, ∩] role-based trust-management language, thereby establishing an interesting relationship between RBAC and the RT framework. The reduction gives efficient algorithms for answering most kinds of queries in these two classes and establishes the complexity bounds for the intractable cases.
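To make the kind of query concrete, the following is an added toy example; it is not code from the paper and it is not the paper's reduction to RT[↞, ∩]. It models an RBAC state (user-role assignment, permission-role assignment, role hierarchy) together with ARBAC97-style can_assign rules restricted to positive preconditions, assumes that any untrusted holder of an administrative role may fire any applicable rule, and computes by a monotone fixpoint which roles each user could ever come to hold. The "could user u ever obtain permission p?" query is then a lookup over that fixpoint, and a set of trusted users (administrators assumed never to act) shows how the answer changes. All users, roles, permissions and rules are constructed.

```python
"""Toy RBAC security analysis by monotone fixpoint (constructed example).

Answers "could user u ever obtain permission p if every untrusted
administrator acts as the can_assign rules allow?". Only positive
preconditions are supported; negative preconditions and revocation are
deliberately left out, so this is an illustration, not the paper's method.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CanAssign:
    admin_role: str            # role an administrator must hold to fire the rule
    preconditions: frozenset   # roles the target user must already hold (all of them)
    target_role: str           # role the rule may add to the target user


@dataclass
class RBACState:
    ua: dict = field(default_factory=dict)   # user -> set of explicitly assigned roles
    pa: dict = field(default_factory=dict)   # role -> set of permissions
    rh: dict = field(default_factory=dict)   # senior role -> set of immediate junior roles


def closure(rh, roles):
    """All roles effectively held: the given roles plus everything junior to them."""
    seen, stack = set(), list(roles)
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(rh.get(r, ()))
    return frozenset(seen)


def reachable_memberships(state, rules, trusted=frozenset()):
    """Least fixpoint of "some untrusted administrator fires any applicable rule".

    With positive preconditions only, no membership ever has to be removed to
    enable a rule, so memberships only grow and iterating to a fixpoint yields
    every role each user could ever effectively hold under these rules.
    """
    ua = {u: set(rs) for u, rs in state.ua.items()}
    changed = True
    while changed:
        changed = False
        for rule in rules:
            # An administrator is any untrusted user who effectively holds admin_role.
            if not any(rule.admin_role in closure(state.rh, ua[a])
                       for a in ua if a not in trusted):
                continue
            for u, roles in ua.items():
                if rule.target_role not in roles and rule.preconditions <= closure(state.rh, roles):
                    roles.add(rule.target_role)
                    changed = True
    return {u: closure(state.rh, rs) for u, rs in ua.items()}


def permissions_of(state, roles):
    """Permissions granted by a set of (effective) roles."""
    perms = set()
    for r in roles:
        perms |= state.pa.get(r, set())
    return frozenset(perms)


def can_ever_obtain(state, rules, user, permission, trusted=frozenset()):
    """Security-analysis query: may `user` hold `permission` in some reachable state?"""
    reach = reachable_memberships(state, rules, trusted)
    return permission in permissions_of(state, reach[user])


# Constructed sample organisation: DSO is the only administrative role.
STATE = RBACState(
    ua={"alice": {"DSO"}, "bob": {"Engineer"}, "carol": {"Employee"}},
    pa={"Lead": {"approve_deploy"}, "Engineer": {"push_code"}, "Employee": {"read_wiki"}},
    rh={"Lead": {"Engineer"}, "Engineer": {"Employee"}},   # Lead > Engineer > Employee
)
RULES = [
    CanAssign("DSO", frozenset({"Employee"}), "Engineer"),
    CanAssign("DSO", frozenset({"Engineer"}), "Lead"),
]

if __name__ == "__main__":
    # carol can climb Employee -> Engineer -> Lead through alice's DSO role ...
    print(can_ever_obtain(STATE, RULES, "carol", "approve_deploy"))              # True
    # ... but not if alice is a trusted administrator who never acts.
    print(can_ever_obtain(STATE, RULES, "carol", "approve_deploy", {"alice"}))   # False
```

The toy stops at positive preconditions because that keeps the reachable set monotone and a plain fixpoint loop sufficient; the family of problems in the abstract is broader than this, and the paper's reduction and complexity bounds are not reproduced here.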

References

  1. Ahn, G.-J. and Sandhu, R. S. 2000. Role-based authorization constraints specification. ACM Transactions on Information and System Security 3, 4 (Nov.), 207--226. Google ScholarGoogle Scholar
  2. Crampton, J. 2002. Authorizations and antichains. Ph.D. thesis, Birbeck College, University of London, UK.Google ScholarGoogle Scholar
  3. Crampton, J. 2003. Specifying and enforcing constraints in role-based access control. In Proceedings of the Eighth ACM Symposium on Access Control Models and Technologies (SACMAT 2003). Como, Italy. 43--50. Google ScholarGoogle Scholar
  4. Crampton, J. and Loizou, G. 2003. Administrative scope: A foundation for role-based administrative models. ACM Transactions on Information and System Security 6, 2 (May), 201--231. Google ScholarGoogle Scholar
  5. Ferraiolo, D. F., Sandhu, R. S., Gavrila, S., Kuhn, D. R., and Chandramouli, R. 2001. Proposed NIST standard for role-based access control. ACM Transactions on Information and Systems Security 4, 3 (Aug.), 224--274. Google ScholarGoogle Scholar
  6. Ferraiolo, D. F., Chandramouli, R., Ahn, G.-J., and Gavrila, S. 2003. The role control center: Features and case studies. In Proceedings of the Eighth ACM Symposium on Access Control Models and Technologies. Google ScholarGoogle Scholar
  7. Garey, M. R. and Johnson, D. J. 1979. Computers And Intractability: A Guide to the Theory of NP-Completeness. Freeman, San Francisco, CA. Google ScholarGoogle Scholar
  8. Graham, G. S. and Denning, P. J. 1972. Protection---principles and practice. In Proceedings of the AFIPS Spring Joint Computer Conference. Vol. 40. AFIPS Press, Montvale, N.J. 417--429.Google ScholarGoogle Scholar
  9. Harrison, M. A., Ruzzo, W. L., and Ullman, J. D. 1976. Protection in operating systems. Communications of the ACM 19, 8 (Aug.), 461--471. Google ScholarGoogle Scholar
  10. Jaeger, T. and Tidswell, J. E. 2001. Practical safety in flexible access control models. ACM Transactions on Information and System Security 4, 2 (May), 158--190. Google ScholarGoogle Scholar
  11. Koch, M., Mancini, L. V., and Parisi-Presicce, F. 2002a. Decidability of safety in graph-based models for access control. In Proceedings of the Seventh European Symposium on Research in Computer Security (ESORICS 2002). Springer, New York. 229--243. Google ScholarGoogle Scholar
  12. Koch, M., Mancini, L. V., and Parisi-Presicce, F. 2002b. A graph-based formalism for RBAC. ACM Transactions on Information and System Security 5, 3 (Aug.), 332--365. Google ScholarGoogle Scholar
  13. Koch, M., Mancini, L. V., and Parisi-Presicce, F. 2004. Administrative scope in the graph-based framework. In Proceedings of the Ninth ACM Symposium on Access Control Models and Technologies (SACMAT 2004). 97--104. Google ScholarGoogle Scholar
  14. Lampson, B. W. 1971. Protection. In Proceedings of the 5th Princeton Conference on Information Sciences and Systems. Reprinted in ACM Operating Systems Review 8, 1, 18--24 (Jan 1974). Google ScholarGoogle Scholar
  15. Li, N. and Tripunitara, M. V. 2004. Security analysis in role-based access control. In Proceedings of the Ninth ACM Symposium on Access Control Models and Technologies (SACMAT 2004). 126--135. Google ScholarGoogle Scholar
  16. Li, N., Winsborough, W. H., and Mitchell, J. C. 2003. Distributed credential chain discovery in trust management. Journal of Computer Security 11, 1 (Feb.), 35--86. Google ScholarGoogle Scholar
  17. Li, N., Mitchell, J. C., and Winsborough, W. H. 2002. Design of a role-based trust management framework. In Proceedings of the 2002 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, Washington, DC. 114--130. Google ScholarGoogle Scholar
  18. Li, N., Mitchell, J. C., and Winsborough, W. H. 2005. Beyond proof-of-compliance: Security analysis in trust management. Journal of the ACM 52, 3 (May), 474--514. (Preliminary version appeared in Proceedings of 2003 IEEE Symposium on Security and Privacy.) Google ScholarGoogle Scholar
  19. Lipton, R. J. and Snyder, L. 1977. A linear time algorithm for deciding subject security. Journal of the ACM 24, 3, 455--464. Google ScholarGoogle Scholar
  20. Munawer, Q. and Sandhu, R. S. 1999. Simulation of the augmented typed access matrix model (ATAM) using roles. In Proceedings of INFOSECU99 International Conference on Information and Security.Google ScholarGoogle Scholar
  21. Oh, S. and Sandhu, R. S. 2002. A model for role admininstration using organization structure. In Proceedings of the Seventh ACM Symposium on Access Control Models and Technologies (SACMAT 2002). Google ScholarGoogle Scholar
  22. Park, J. and Sandhu, R. S. 2004. The UCONABC usage control model. ACM Transactions on Information and System Security 7, 128--174. Google ScholarGoogle Scholar
  23. Sandhu, R. S. 1988. The schematic protection model: Its definition and analysis for acyclic attenuating systems. Journal of the ACM 35, 2, 404--432. Google ScholarGoogle Scholar
  24. Sandhu, R. S. 1992. The typed access matrix model. In Proceedings of the 1992 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, Washington, DC. 122--136. Google ScholarGoogle Scholar
  25. Sandhu, R. S., Coyne, E. J., Feinstein, H. L., and Youman, C. E. 1996. Role-based access control models. IEEE Computer 29, 2 (Feb.), 38--47. Google ScholarGoogle Scholar
  26. Sandhu, R. S., Bhamidipati, V., and Munawer, Q. 1999. The ARBAC97 model for role-based aministration of roles. ACM Transactions on Information and Systems Security 2, 1 (Feb.), 105--135. Google ScholarGoogle Scholar
  27. Schaad, A., Moffett, J., and Jacob, J. 2001. The role-based access control system of a European bank: A case study and discussion. In Proceedings of the Sixth ACM Symposium on Access Control Models and Technologies. ACM Press, New York. 3--9. Google ScholarGoogle Scholar
  28. Tripunitara, M. V. and Li, N. 2004. Comparing the expressive power of access control models. In Proceedings of 11th ACM Conference on Computer and Communications Security (CCS-11). ACM Press, New York. 62--71. Google ScholarGoogle Scholar
  29. Zhang, X., Park, J., Parisi-Presicce, F., and Sandhu, R. S. 2004. A logical specification for usage control. In Proceedings of the Ninth ACM Symposium on Access Control Models and Technologies (SACMAT 2004). Google ScholarGoogle Scholar
  30. Zhang, X., Parisi-Presicce, F., Sandhu, R. S., and Park, J. 2005. Formal model and policy specification of usage control. ACM Transactions on Information and System Security 8, 351--387. Google ScholarGoogle Scholar

Index Terms

  1. Security analysis in role-based access control

        Recommendations

Reviews

George R. Mayforth

Role-based access control (RBAC) permits an organization to define a role as being associated with specific resources. When individuals are assigned to a role, they are provided access to that role's resources. This aggregation of permissions simplifies administration compared to discretionary access control (DAC), wherein access is granted on a per-resource basis. In large organizations with large numbers of people and resources, DAC can be quite labor intensive, which motivates interest in and investigations of RBAC. As might be expected, there are tradeoffs to consider when RBAC is employed. In large organizations, it is normal to delegate administration fairly widely. This presents the problem of verifying that delegations in an RBAC system do not interfere with each other, and unintentionally violate the security that RBAC is trying to enforce. This paper provides a mathematical definition of two classes of problems in RBAC, and uses it to reduce analysis of the classes to equivalent analyses in RT, a role-based trust management language. Because RT is designed to enforce consistent security policies regarding access control, the reduction permits rigorous analysis of the two classes of RBAC problems. To quote the authors: "The reduction gives efficient algorithms for answering most kinds of queries in these two classes and establishes the complexity bounds for the intractable cases." This work takes an important step toward a rigorous understanding of the security analysis of RBAC. It is, however, only a starting point. The authors point out areas that could be studied in future efforts. The paper is clearly written, and provides detailed proofs of its major assertions. It should be of interest to researchers and implementers in this field.
