Delegation in role-based access control

User delegation is a mechanism for assigning access rights available to one user to another user. A delegation can either be a grant or transfer operation. Existing work on delegation in the context of role-based access control models has extensively studied grant delegations, but transfer delegations have largely been ignored. This is largely because enforcing transfer delegation policies is more complex than grant delegation policies. This paper, primarily, studies transfer delegations for role-based access control models. We also include grant delegations in our model for completeness. We present various mechanisms that authorize delegations in our model. In particular, we show that the use of administrative scope for authorizing delegations is more efficient than using relations. We also discuss the enforcement and revocation of delegations. Finally, we study delegation in the context of workflow systems. In particular, we demonstrate the application of the administrative scope and administrative domain concepts to control delegation of tasks in worklist-based workflow systems.     

角色转授权模型中授权冲突问题的解决方案

针对现有用户-用户的角色转授权模型存在授权冲突问题,基于转授权的组件、相关性质以及约束规则,提出了一种约束转授权模型,该模型满足最小特权和职责分离两安全原则,给出了该模型的体系架构和功能描述;以此模型为背景介绍了一种约束描述语言及其形式化语义描述;通过规约算法和构造算法论证了它与严格形式上的一阶谓词逻辑是等价的,并对该约束语言的合理性和完整性进行了讨论;最后用该约束语言给出了模型的表现能力,较好的解决了转授权冲突问题。     

Roles in information security – A survey and classification of the research area

The concept of roles has been prevalent in the area of Information Security for more than 15 years already. It promises simplified and flexible user management, reduced administrative costs, improved security, as well as the integration of employees’ business functions into the IT administration. A comprehensive scientific literature collection revealed more than 1300 publications dealing with the application of sociological role theory in the context of Information Security up to now. Although there is an ANSI/NIST standard and an ISO standard proposal, a variety of competing models and interpretations of the role concept have developed. The major contribution of this survey is a categorization of the complete underlying set of publications into different classes. The main part of the work is investigating 32 identified research directions, evaluating their importance and analyzing research tendencies. An electronic bibliography including all surveyed publications together with the classification information is provided additionally. As a final contribution potential future developments in the area of role-research are considered.     

Integrating role graphs: a tool for security integration

Role-based access control provides a very flexible set of mechanisms for managing the access control of a complex system with many users, objects and applications. The role graph model of Nyanchama and Osborn is one example of how role administration algorithms can be implemented. In our previous research, we have also shown how the access control information of existing systems can be extracted and represented as a role graph. In this paper, we extend this research by showing how, when two systems are being integrated, their role graphs can also be integrated.     

Role engineering: From design to evolution of security schemes

This paper presents a methodology to design the RBAC (Role-Based Access Control) scheme during the design phase of an Information System. Two actors, the component developer and the security administrator, will cooperate to define and set up the minimal set of roles in agreement with the application constraints and the organization constraints that guarantee the global security policy of an enterprise. In order to maintain the global coherence of the existing access control scheme, an algorithm is proposed to detect the possible inconsistencies before the integration of a new component in the Information System.     

具有安全审计功能的RBAC委托模型

针对访问控制中委托在安全性和功能性上的不足,通过对比分析RBAC委托模型的特点,结合安全审计概念提出了具有安全审计功能的RBAC委托模型,并给出了形式化的定义和描述。该模型定义了委托的限制条件和传递约束来体现委托的特性,利用审计记录集合实现了委托、撤销和会话授权的过程,通过审计监控和规则事件响应完善了安全审计功能,使委托授权具有自主性和可变性的特点。在管理信息系统的应用和实践表明,该模型是一种安全易管理的委托授权机制,能适应多种委托策略。     

“Chinese Wall”安全策略中的委托研究

Chinese Wall下的委托要求委托过程不但满足常见的委托约束条件外,还需要满足Chinese Wall Security Policy（CWSP）。现有的委托模型很少关注CWSP下的委托。分析了CWSP下委托的需求和特殊性。在对现有委托模型扩充的基础上,定义了冲突角色和角色激活历史来体现CWSP,给出了CWSP下进行委托需要满足的关系。提出了基于角色的CWSP下委托的方法与步骤。给出了系统实现框架和主要算法。     

A function-based user authority delegation model

User authority delegation is granting or withdrawing access to computer-based information by entities that own and/or control that information. These entities must consider who should be granted access to specific information in the organization and determine reasonable authority delegation. Role Based Access Control (RBAC) delegation management, where user access authority is granted for the minimum resources necessary for users to perform their tasks, is not suitable for the actual working environment of an organization. Currently, RBAC implementations cannot correctly model inheritance and rules for different delegations are in conflict. Further, these systems require that user roles, positions, and information access be continuously and accurately updated, resulting in a manual, error-prone access delegation system. This paper presents a proposal for a new authority delegation model, which allows users to identify their own function-based delegation requirements as the initial input to the RBAC process. The conditions for delegations are identified and functions to implement these delegations are defined. The criteria for basic authority delegation, authentication and constraints are quantified and formulated for evaluation. An analysis of the proposed model is presented showing that this approach both minimizes errors in delegating authority and is more suitable for authority delegation administration in real organizational applications.     

一种工作流管理系统中的访问控制模型

在RBAC96模型的基础上，提出了应用于工作流管理系统的权限管理和访问控制模型Wf-RBAC，以使得工作流系统中的访问控制管理更加有效而灵活。提出了一种该模型的三层控制策略，并通过一个实例来说明该模型和策略的实现机制。     

A distributable security management architecture for enterprise systems spanning multiple security domains

Administering security in modern enterprise systems may prove an extremely complex task. Their large scale and dynamic nature are the main factors that contribute to this fact. A robust and flexible model is needed in order to guarantee both the easy management of security information and the efficient implementation of security mechanisms. In this paper, we present the foundations and the prototypical implementation of a new access control framework. The framework is mainly targeted to highly dynamic, large enterprise systems (e.g., service provisioning platforms, enterprise portals etc.), which contain various independent functional entities. Significant advantages gained from the application of the designated framework in such systems are epitomized in the easiness of managing access to their hosted resources (e.g., services) and the possibility of applying distributable management schemes for achieving it. The proposed framework allows for multi-level access control through the support of both role-based and user-based access control schemes. Discussion is structured in three distinct areas: the formal model of the proposed framework, the data model for supporting its operation, and the presentation of a prototypical implementation. The development of the framework is based on open technologies like XML, java and Directory Services. At the last part of the paper the results of a performance assessment are presented, aiming to quantify the delay overhead, imposed by the application of the new framework in a real system. Ioannis Priggouris received his B.Sc. in Informatics from the Department of Informatics & Telecommunications of the University of Athens, Greece in 1997 and his M.Sc. in Communication Systems and Data Networks from the same Department in 2000. Over the last years he has been a PhD candidate in the department. Since 1999, he has been a member of the Communication Networks Laboratory (CNL) of the University of Athens. As a senior researcher of the CNL he has participated in several EU projects implemented in the context of IST, namely the EURO-CITI and the PoLoS projects. He has also been extensively involved in several National IT Research projects. His research interests are in the areas of mobile computing, QoS and mobility support for IP networks, and network security. He is the author of several papers and book chapters in the aforementioned areas. Stathes Hadjiefthymiades received his B.Sc. (honors) and M.Sc. in Informatics from the Dept. of Informatics, University of Athens, Greece, in 1993 and 1996 respectively. In 1999 he received his Ph.D. from the University of Athens (Dept. of Informatics and Telecommunications). In 2002 he received a joint engineering-economics M.Sc. from the National Technical University of Athens. In 1992 he joined the Greek consulting firm Advanced Services Group, Ltd., where he was involved in the analysis, design and implementation of telematic applications and other software systems. In 1995 he joined, as research engineer, the Communication Networks Laboratory (UoA-CNL) of the University of Athens. During the period September 2001-July 2002, he served as a visiting assistant professor at the University of Aegean, Dept. of Information and Communication Systems Engineering. On the summer of 2002 he joined the faculty of the Hellenic Open University (Dept. of Informatics), Patras, Greece, as an assistant professor. Since December 2003, he is in the faculty of the Dept. of Informatics and Telecommunications, University of Athens, where he is presently an assistant professor and coordinator of the Pervasive Computing Research Group. He has participated in numerous projects realized in the context of EU programs (ACTS, ORA, TAP, and IST), EURESCOM projects, as well as national initiatives. His research interests are in the areas of web engineering, wireless/mobile computing, and networked multimedia applications. He is the author of over 100 publications in the above areas.     

ACTEN: A conceptual model for security systems design

This paper describes ACTEN, a conceptual model for the design of security systems. Security information is represented by action-entity pairs and organized into a framework composed of graphs and tables. The rules permitting the building and management of this framework are introduced.The model describes both static and dynamic aspects of the security system; in fact, it shows the access modalities between objects in the system and the evolution of such modalities due to grant and revocation of rights within the security system.ACTEN also allows the identification of the authority and protection level of each component of the system. The tools for this analysis are introduced and an example is given.     

基于角色的访问控制模型分析

介绍了一种新型的访问控制机制－－基于角色的访问控制ＲＢＡＣ（Ｒｏｌｅ－Ｂａｓｅｄ Ａｃｃｅｓｓ Ｃｏｎｔｒｏｌ）的研究背景与基本特征,对它的规则模型ＲＢＡＣ９６与管理模型ＡＲＢＡＣ９７进行了重点描述,并在最后给出了一个设计实例。     

A practical mandatory access control model for XML databases

A practical mandatory access control (MAC) model for XML databases is presented in this paper. The label type and label access policy can be defined according to the requirements of different applications. In order to preserve the integrity of data in XML databases, a constraint between a read-access rule and a write-access rule in label access policy is introduced. Rules for label assignment and propagation are presented to alleviate the workload of label assignments. Furthermore, a solution for resolving conflicts in label assignments is proposed. Rules for update-related operations, rules for exceptional privileges of ordinary users and the administrator are also proposed to preserve the security of operations in XML databases. The MAC model, we proposed in this study, has been implemented in an XML database. Test results demonstrated that our approach provides rational and scalable performance.     

A reference model for team-enabled workflow management systems

Today's workflow systems assume that each work item is executed by a single worker. From the viewpoint of the system, a worker with the proper qualifications selects a work item, executes the associated work, and reports the result. There is usually no support for teams, i.e., groups of people collaborating by jointly executing work items (e.g., the program committee of a conference, the management team of a company, a working group, and the board of directors). In this paper, we propose the addition of a team concept to today's workflow management systems. Clearly, this involves a marriage of workflow and groupware technology. To shed light on the introduction of teams, we extend the traditional organizational meta model with teams and propose a team-enabled workflow reference model. For this reference model and to express constraints with respect to the distribution of work to teams, we use object constraint language (OCL).     

An object-oriented organizational model to support dynamic role-based access control in electronic commerce

Role-based access control (RBAC) provides flexibility to security management over the traditional approach of using user and group identifiers. In RBAC, access privileges are given to roles rather than to individual users. Users acquire the corresponding permissions when playing different roles. Roles can be defined simply as a label, but such an approach lacks the support to allow users to automatically change roles under different contexts; using static method also adds administrative overheads in role assignment. In electronic commerce (E-Commerce) and other cooperative computing environments, access to shared resources has to be controlled in the context of the entire business process; it is therefore necessary to model dynamic roles as a function of resource attributes and contextual information.In this paper, an object-oriented organizational model, Organization Modeling and Management (OMM), is presented as an underlying model to support dynamic role definition and role resolution in E-Commerce solution. The paper describes the OMM reference model and shows how it can be applied flexibly to capture the different classes of resources within a corporation, and to maintain the complex and dynamic roles and relationships between the resource objects. Administrative tools use the role model in OMM to define security policies for role definition and role assignment. At runtime, the E-Commerce application and the underlying resource manager queries the OMM system to resolve roles in order to authorize any access attempts. Contrary to traditional approaches, OMM separates the organization model from the applications; thus, it allows independent and flexible role modeling to support realistically the dynamic authorization requirements in a rapidly changing business world.     

基于角色的权限代理模型及其实现*

提出了一种基于角色的授权代理模型——SBDM,讨论了SBDM的基本思想、体系结构、组成要素以及权限代理约束和判定,并提供了一种有参考价值的实现权限代理模型的设计思路,它将在大型分布式网络、工作流管理系统中有广泛应用。     

基于角色的代理模型的实现

讨论了用户之间的基于角色的代理,以RBAC96中的模型作为基础,分别考虑不存在角色继承和约束情况下,存在角色继承情况下以及存在角色约束情况下,用户之间的代理行为。     

工作流系统上下文相关访问控制模型

访问控制是提高工作流系统安全性的重要机制。基于角色的访问控制（RBAC）被绝大多数工作流系统所采用,已成为工作流领域研究的热点。但是,现有的基于角色的访问控制模型没有考虑工作流上下文对任务执行授权安全的影响,容易造成权限冗余,也不支持职责分离策略。该文提出一种工作流上下文相关访问控制模型WfCAC,首先,定义该模型的构成要素和体系结构,然后讨论工作流职责分离和访问控制机制,并对模型性质进行分析。WfCAC模型支持用户组及其层次结构,支持最小权限授权策略和职责分离策略,实现了工作流上下文相关访问控制。     

安全工作流用户分配策略

根据工作流执行的特点,在基于任务角色访问控制模型的基础上,提出了用户基本分配策略、用户负载均衡、用户职责分离、用户基数约束等分配方案,有效地提高了资源的利用率和工作流的执行效率.