ABSTRACT
In existing access control systems, it is assumed that access control authorisation rules are defined on elementary actions and over concrete objects. This assumption does not hold in general. This paper proposes a slight extension of access control models where both elementary and non-elementary actions can be represented. A non-elementary action, called a plan, is a sequence of elementary actions, to be applied on objects, in order to achieve some task. We propose to represent a plan, denoted by P, as a partial pre-order over a subset of A × O where A is a set of elementary actions and O is a set of objects. We show how to derive explicit prohibitions in the presence of authorisation rules over plans.
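The following sketch is an added example, not code from the paper: it models a plan as a pre-order over (action, object) pairs and checks a trace of elementary actions against it under a default-deny rule on plans. The names `Plan`, `authorise`, the sample plan and the trace-conformance semantics are assumptions made for illustration; the paper's own derivation of explicit prohibitions is not reproduced here.

```python
from itertools import product

def preorder(steps, before):
    """Reflexive-transitive closure of `before` over `steps` (Warshall)."""
    leq = {(s, s) for s in steps} | set(before)
    for k, i, j in product(steps, repeat=3):  # k varies slowest, as required
        if (i, k) in leq and (k, j) in leq:
            leq.add((i, j))
    return leq

class Plan:
    def __init__(self, name, steps, before):
        self.name, self.steps = name, list(steps)
        stray = {s for pair in before for s in pair} - set(self.steps)
        if stray:
            raise ValueError(f"ordering uses steps outside the plan: {stray}")
        self.leq = preorder(self.steps, before)

    def strictly_before(self, x, y):
        # x <= y without y <= x; mutually ordered steps share a rank
        return (x, y) in self.leq and (y, x) not in self.leq

    def violations(self, trace):
        """Reasons why `trace` is not a complete, ordered run of the plan."""
        out = [f"outside plan: {s}" for s in trace if s not in self.steps]
        pos = {s: i for i, s in enumerate(trace)}  # last occurrence wins
        out += [f"missing: {s}" for s in self.steps if s not in pos]
        out += sorted(f"{x} must precede {y}" for x, y in self.leq
                      if self.strictly_before(x, y)
                      and x in pos and y in pos and pos[x] > pos[y])
        return out

def authorise(subject, plan, trace, permissions):
    """Default deny: the subject needs a permission on the plan itself."""
    if (subject, plan.name) not in permissions:
        return False, [f"{subject} holds no permission on plan {plan.name}"]
    problems = plan.violations(trace)
    return not problems, problems

# Constructed sample: A = {read, write, sign}, O = {ledger, invoices, report}
RL, RI = ("read", "ledger"), ("read", "invoices")
WR, SR = ("write", "report"), ("sign", "report")
# RL and RI are ordered both ways (same rank); both precede WR, WR precedes SR
REPORT = Plan("publish_report", [RL, RI, WR, SR],
              {(RL, RI), (RI, RL), (RL, WR), (WR, SR)})
PERMISSIONS = {("alice", "publish_report")}  # rules are stated over plans
```

Because the two read steps are ordered both ways, either may come first, while a write issued before both reads have happened is reported as an ordering violation.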
- Representing sequences of actions in access control security policies