research-article

Security Constraints in Temporal Role-Based Access-Controlled Workflows

Authors:
Carlo Combi

Università di Verona, Verona, Italy

Università di Verona, Verona, Italy
View Profile

,
Luca Viganò

King's College London, London, United Kingdom

King's College London, London, United Kingdom
View Profile

,
Matteo Zavatteri

Università di Verona, Verona, Italy

Università di Verona, Verona, Italy
View Profile

CODASPY '16: Proceedings of the Sixth ACM Conference on Data and Application Security and PrivacyMarch 2016Pages 207–218https://doi.org/10.1145/2857705.2857716

Published:09 March 2016Publication History

CODASPY '16: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy

Pages 207–218

ABSTRACT

Workflows and role-based access control models need to be suitably merged, in order to allow users to perform processes in a correct way, according to the given data access policies and the temporal constraints. Given a mapping between workflow models and simple temporal networks with uncertainty, we discuss a mapping between role temporalities and simple temporal networks, and how to connect the two resulting networks to make explicit who can do what, when. If the connected network is still executable, we show how to compute the set of authorized users for each task. Finally, we define security constraints (to prevent users from doing unauthorized actions) and security constraint propagation rules (to propagate security constraints at runtime). We also provide an algorithm to check whether a set of propagation rules is safe, and we extend an existing execution algorithm to take into account these new security aspects.

References

A. Armando and S. Ranise. Automated Symbolic Analysis of ARBAC-Policies. In Proc. of STM, pages 17--34, 2010. Google ScholarDigital Library
E. Bertino, C. Bettini, E. Ferrari, and P. Samarati. An access control model supporting periodicity constraints and temporal reasoning. ACM Trans. Database Syst., 23(3):231--285, 1998. Google ScholarDigital Library
E. Bertino, P. A. Bonatti, and E. Ferrari. TRBAC: A temporal role-based access control model. ACM Trans. Inf. Syst. Secur., 4(3):191--233, 2001. Google ScholarDigital Library
E. Bertino, P. A. Bonatti, E. Ferrari, and M. L. Sapino. Temporal authorization bases: From specification to integration. Journal of Computer Security, 8(4):309--353, 2000. Google ScholarDigital Library
E. Bertino, E. Ferrari, and V. Atluri. The specification and enforcement of authorization constraints in workflow management systems. ACM Trans. Inf. Syst. Secur., 2(1):65--104, 1999. Google ScholarDigital Library
D. Cohen, J. Crampton, A. Gagarin, G. Gutin, and M. Jones. Iterative plan construction for the workflow satisfiability problem. JAIR, 51:555--577, 2014. Google ScholarDigital Library
C. Combi, M. Gambini, S. Migliorini, and R. Posenato. Representing business processes through a temporal data-centric workflow modeling language: An application to the management of clinical pathways. IEEE T. Systems, Man, and Cybernetics: Systems, 44(9):1182--1203, 2014.Google Scholar
C. Combi, L. Viganò, and M. Zavatteri. Security Constraints in Temporal Role-Based Access-Controlled Workflows (Extended Version). http://arxiv.org/abs/1512.06404, 2015.Google Scholar
T. H. Cormen, C. E. Leiserson, R. L. Rivest, and C. Stein. Introduction to Algorithms. MIT Press, 2009. Google ScholarDigital Library
J. Crampton. A reference monitor for workflow systems with constrained task execution. In Proc. of SACMAT, pages 38--47. ACM Press, 2005. Google ScholarDigital Library
J. Crampton, A. V. Gagarin, G. Gutin, and M. Jones. On the Workflow Satisfiability Problem with Class-independent Constraints. In Proc. of IPEC, pages 66--77, 2015.Google Scholar
J. Crampton, G. Gutin, and A. Yeo. On the parameterized complexity and kernelization of the workflow satisfiability problem. ACM Trans. Inf. Syst. Secur., 16(1):4, 2013. Google ScholarDigital Library
J. Crampton, M. Huth, and J. H. Kuo. Authorized workflow schemas: deciding realizability through LTL(F) model checking. STTT, 16(1):31--48, 2014.Google ScholarDigital Library
R. Dechter, I. Meiri, and J. Pearl. Temporal Constraint Networks. In Proc. of KR, pages 83--93, 1989. Google ScholarDigital Library
L. Hunsberger, R. Posenato, and C. Combi. The Dynamic Controllability of Conditional STNs with Uncertainty. In Proc. of PlanEx, pages 1--8, 2012.Google Scholar
S. Mondal and S. Sural. Security analysis of temporal-rbac using timed automata. In Proc. of IAS 2008, pages 37--40, 2008. Google ScholarDigital Library
P. H. Morris. A structural characterization of temporal dynamic controllability. In Proc. of CP, pages 375--389, 2006. Google ScholarDigital Library
P. H. Morris and N. Muscettola. Execution of temporal plans with uncertainty. In Proc. of AAAI, pages 491--496, 2000. Google ScholarDigital Library
P. H. Morris and N. Muscettola. Temporal Dynamic Controllability Revisited. In Proc. of AAAI, pages 1193--1198, 2005. Google ScholarDigital Library
P. H. Morris, N. Muscettola, and T. Vidal. Dynamic Control Of Plans With Temporal Uncertainty. In Proc. of IJCAI, pages 494--502, 2001. Google ScholarDigital Library
M. Niezette and J. Stevenne. An Efficient Symbolic Representation of Periodic Time. In Proc. of CIKM, pages 161--168. ISMM, 1992.Google Scholar
F. Paci, E. Bertino, and J. Crampton. An access-control framework for WS-BPEL. Int. J. Web Service Res., 5(3):20--43, 2008.Google ScholarCross Ref
S. Ranise, A. Tuan Truong, and L. Viganò. Automated analysis of RBAC policies with temporal constraints and static role hierarchies. In Proc. of SAC, pages 2177--2184, 2015. Google ScholarDigital Library
R. S. Sandhu. Roles versus groups. In ACM Workshop on Role-Based Access Control, 1995. Google ScholarDigital Library
R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman. Role-based access control models. IEEE Computer, 29(2):38--47, 1996. Google ScholarDigital Library
D. Toman and J. Chomicki. Datalog with integer periodicity constraints. J. Log. Program., 35(3):263--290, 1998.Google ScholarCross Ref
T. Vidal and H. Fargier. Handling contingency in temporal constraint networks: from consistency to controllabilities. J. Exp. Theor. Artif. Intell., 11(1):23--45, 1999.Google ScholarCross Ref
Q. Wang and N. Li. Satisfiability and resiliency in workflow authorization systems. ACM Trans. Inf. Syst. Secur., 13(4):40, 2010. Google ScholarDigital Library

Index Terms

Security Constraints in Temporal Role-Based Access-Controlled Workflows
1. Computing methodologies
  1. Artificial intelligence
    1. Knowledge representation and reasoning
      1. Temporal reasoning
2. Security and privacy
  1. Formal methods and theory of security
  2. Security services
    1. Access control
    2. Authorization

Recommendations

Security analysis for temporal role based access control

Providing restrictive and secure access to resources is a challenging and socially important problem. Among the many formal security models, Role Based Access Control (RBAC) has become the norm in many of today's organizations for enforcing security. ...
Read More
A Generalized Temporal Role-Based Access Control Model

Role-based access control (RBAC) models have generated a great interest in the security community as a powerful and generalized approach to security management. In many practical scenarios, users may be restricted to assume roles only at predefined time ...
Read More
Security analysis in role-based access control
SACMAT '04: Proceedings of the ninth ACM symposium on Access control models and technologies

Delegation is often used in administrative models for Role-Based Access Control (RBAC) systems to decentralize administration tasks. While the use of delegation greatly enhances flexibility and scalability, it may reduce the control that an organization ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
CODASPY '16: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy
March 2016
340 pages
ISBN:9781450339353
DOI:10.1145/2857705
General Chairs:
Elisa Bertino
Purdue University, USA
,
Ravi Sandhu
University of Texas at San Antonio, USA
,
Program Chair:
Alexander Pretschner
Technische Universität München, Germany
Copyright © 2016 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 9 March 2016
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
access-controlled workflow
security constraint propagation rules
stnu
temporal separation of duties
trbac
Qualifiers
- research-article
Conference

Acceptance Rates
CODASPY '16 Paper Acceptance Rate22of115submissions,19%Overall Acceptance Rate149of789submissions,19%
More
Upcoming Conference
CODASPY '24

Sponsor:

sigsac

Fourteenth ACM Conference on Data and Application Security and Privacy

June 19 - 21, 2024

Porto , Portugal
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 4
  Total Citations
  View Citations
- 180
  Total Downloads
- Downloads (Last 12 months)5
- Downloads (Last 6 weeks)3
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Security Constraints in Temporal Role-Based Access-Controlled Workflows

CODASPY '16: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy

ABSTRACT

References

Cited By

Index Terms

Recommendations

Security analysis for temporal role based access control

A Generalized Temporal Role-Based Access Control Model

Security analysis in role-based access control