N.F. Bogachenko

DOI: https://doi.org/10.48550/arXiv.1812.09721

2018-12-23

Cryptography and Security

Abstract:The problems which are important for the effective functioning of an access control policy in a large information system (LIS) are selected. The general concept of a local optimization of a role-based access control (RBAC) model is formulated. The optimization criteria are proposed. The algorithms of a local optimization of the RBAC model are defined and justified. The developed algorithms are used in the methods of the solution of the following problems: the assessment of risks of the leakage of permissions in the RBAC policy, the access control in the distributed hierarchical systems, the combining of role-based and mandatory access control models. In the first problem the question of the permissions distribution in the role hierarchy is researched. The analytic hierarchy process (AHP) is applied to creation of the estimates. The method is based on the hierarchical structure of a role set. The offered technique can order the permissions according to the value of the risks of their leakage. In the second problem the algorithm of the distribution of the cryptographic keys in the system with a hierarchical arrangement of the objects is offered. The cryptography protocols for the practical use of this algorithm are defined. The conditions of the implementation of the discretionary and mandatory principles of the access control on the basis of the developed algorithm are formulated.

S. V. Belim,N. F. Bogachenko,A. N. Kabanov,S.V. Belim,N.F. Bogachenko,A.N. Kabanov

DOI: https://doi.org/10.48550/arXiv.1812.11404

2018-12-29

Cryptography and Security

Abstract:The analysis of hidden channels of information leakage with respect to role-based access control includes monitoring of excessive permissions among users. It is not always possible to completely eliminate redundancy. The problem of ranking permissions arises in order to identify the most significant, for which redundancy is most not desirable. A numerical characteristic that reflects the value or importance of permissions is called the "severity level". A number of heuristic assumptions have been formulated that make it possible to establish the dependence of the severity level of permissions on the structure of the role hierarchy. A methodology for solving the problem is proposed, using analytic hierarchy process and taking into account these assumptions. The main idea is that the decision tree of the process will be the role graph.

Lin Yao,Xiangwei Kong,Zichuan Xu

DOI: https://doi.org/10.1109/NCM.2008.75

2008-01-01

Abstract:Although RBAC models have received broad support as a generalized approach to access control, the administration of roles in large organizations can become quite cumbersome. In this paper, we develop a new paradigm for access control and authorization management, called task-role based access control (TRBAC) with multi-constraint. The basic idea of this model different from traditional RBAC is that roles and permissions are not connected directly but are put together by tasks. It is a dynamic authorization model with fine-grained partition on users, roles, tasks and sessions. The unit of task becomes the permission granularity. It is more convenient for enterprise privilege management such as distributed application,C/S access control and workflow management. It can reduce the administrator's burden and avoid some potential safety hazards because of adopted dynamic authorization.

Xiyuan Chen,Miaoliang Zhu

DOI: https://doi.org/10.4028/www.scientific.net/kem.439-440.178

2010-01-01

Abstract:Semantic; Trust Management; RBAC; User-role Assignment Abstract. The application of RBAC in access management of the enterprise services and resources is very widely. With phenomenal growth of information interaction and cooperation between distributed systems, the number of users can be in the hundreds of thousands or millions. This renders manual user-to-role assignment a formidable task. In this paper, we propose a semantic and trust based framework to automatically assign users to roles based on a finite set of assignment rules defined by authorized people in the enterprise. These rules take into consideration the attributes users own and any constraints set forth by the enterprise including the assignment history and the credit of the requester. We choose OWL to specify the user attributes.

JIANG Jie,ZHANG Jie,CHEN De-ren

DOI: https://doi.org/10.3785/j.issn.1008-973x.2009.09.011

2009-01-01

Abstract:An extended context-aware role based access control(RBAC) based on reasoning(RC-RBAC) model was proposed by integrating the single context-aware RBAC and reasoning-based RBAC in order to solve the problems of the Absence of the adjustment and generation of the context-aware condition dynamically and the incapacity of updating the user authorization according to the adjusted constrain conditions in the existing RBAC.The extended model used the rule reasoning to adjust and generate the context constrains dynamically and start the common sensors and the self-defined sensors to collect the attribute values of the conditions.The access permission to the sensitive data was updated in real time based on the context-aware logic reasoning using the user rules and permission rules.The application results show that the extended RC-RBAC model can be employed in the distributed environment to satisfy the need of the dynamic authorization and reduce the real-time access control management complexity.

HL Hu,D Chen,CQ Huang

DOI: https://doi.org/10.1109/icsmc.2004.1401072

2004-01-01

Abstract:The idea of role has been widely applied to solving the authority, responsibility, function and interaction, which are associated with member station in organizations. Access control is a key security issue in distributed collaboration systems. After analyzing corresponding security requirements and the present status of security in distributed collaboration system, this paper presents an extensive role-based access control (ERBAC) architecture based on differentiated domain management. In this architecture, security management is classified into inter-domain one and infra-domain one, whilst, it can integrate new security policies. Based on definition of role permission type, the paper introduces a function of permission type change to make ERBAC architecture flexible. In addition, the authors discuss the methods by which the security can be implemented in an agent-based framework. The practices signify that this system can be flexibly applied various existing policy languages and protocols.

S.V. Belim,N.F. Bogachenko,Y.S. Rakitskiy,A.N. Kabanov

DOI: https://doi.org/10.48550/arXiv.1812.08030

2018-12-19

Abstract:During the development of the security subsystem of modern information systems, a problem of the joint implementation of several access control models arises quite often. Traditionally, a request for the user's access to resources is granted in case of simultaneous access permission by all active security policies. When there is a conflict between the decisions of the security policies, the issue of granting access remains open. The proposed method of combining multiple security policies is based on the decision support algorithms and provides a response to the access request, even in case of various decisions of active security policies. To construct combining algorithm we determine a number of weight coefficients, use a weighted sum of the clearance levels of individual security policies and apply the analytic hierarchy process. The weight coefficients are adjustable parameters of the algorithm and allow administrator to manage the impact of the various security rules flexibly.

Cryptography and Security

Yongsheng Zhang

2010-01-01

Abstract:Delegation is a very important part of access control model and has become an important access control management mechanism under the distributed computing environment.An improved authorization delegation model based on user attribute is presented.Delegating role to users not only consider the user's position,but also the user's trustworthiness and ability and then make a user attribute levels,the different attribute levels correspond to different roles and thus correspond to different access permissions to control users' access.This model is an attribute-based role delegation model.Compared with the traditional authorization delegation model,this model has a fine-grained access control and higher security.

TIAN Li-qin,JI Tie-guo,LIN Chuang,YIANG Yiang

DOI: https://doi.org/10.3778/j.issn.1002-8331.2008.19.004

2008-01-01

Abstract:The paper establishes a user behaviour trust and Role-Based Access Control(RBAC) model,which introduces the attribute concept and adds the user behaviour trust degree set on the basis of RBAC model.The detailed description and the authorization flow are given in the article.At last the model is analyzed from the dynamic performance and trust mechanism and role numbers and work performance.The new access control achieves the dynamic authorization by the dynamic assignment of role attributes and achieves the connection identity trust with behavior trust by setting the trust degree as an obligatory attribute,which changes the static authorization only based the identity of existing access control models.The model can reduce the role number by setting the attributes for the role,which can lighten the role management burden caused by the large number roles and improve the performance at the same time.

Haidong Cui,Zheng Feng,Dongfang Ma

DOI: https://doi.org/10.1109/BESC48373.2019.8963258

2019-01-01

Abstract:In order to solve the problem that traditional user behavior trustworthiness assessment methods are too subjective and have poor dynamic adaptability when setting classification weight, in this paper, the traditional Analytic Hierarchy Process has been optimized and improved, a new trustworthiness evaluation model of user behavior based on improved AHP, rough set and game theory is proposed. This method combines user activity, reward and punishment factors to evaluate user behavior comprehensively, so that the evaluation results are more scientific and accurate. and demonstrates the feasibility of the method by an example. The results show that the evaluation model can adapt to the dynamic changes in user behavior trust, objectively determine the weight of each decision attribute, and can accurately and effectively assess the credibility of user behavior.

Yang Shuxin,Zheng Jian,Wang Jian

DOI: https://doi.org/10.3969/j.issn.1000-386X.2009.02.017

2009-01-01

Abstract:Some existing access control model for workflow systems are limited to tasks execution.It is difficult to satisfy the security requirement for adaptive workflow systems.To solve the problem,operation behaviors of adaptive workflow management systems are analyzed and summarized.Object,user and operation are considered as the main elements for research.Formal description and fine granularity partition about these elements are given.Finally,based on the above work,a role-based access control model and integration with systems are proposed,and relationships among role,user and operation are described.In addition,authorization method is given to guarantee operation security and rationality.The problem of security is solved effectively,and the users' flexible requirements for permission are satisfied.

Jason Crampton,Eduard Eiben,Gregory Gutin,Daniel Karapetyan,Diptapriyo Majumdar

2024-03-25

Abstract:Role mining is a technique used to derive a role-based authorization policy from an existing policy. Given a set of users $U$, a set of permissions $P$ and a user-permission authorization relation $\mahtit{UPA}\subseteq U\times P$, a role mining algorithm seeks to compute a set of roles $R$, a user-role authorization relation $\mathit{UA}\subseteq U\times R$ and a permission-role authorization relation $\mathit{PA}\subseteq R\times P$, such that the composition of $\mathit{UA}$ and $\mathit{PA}$ is close (in some appropriate sense) to $\mathit{UPA}$.

Computational Complexity,Artificial Intelligence

Arindam Roy,Shamik Sural,Arun Kumar Majumdar,Jaideep Vaidya,Vijayalakshmi Atluri

DOI: https://doi.org/10.1145/3403950

Abstract:For any successful business endeavor, recruitment of required number of appropriately qualified employees in proper positions is a key requirement. For effective utilization of human resources, reorganization of such workforce assignment is also a task of utmost importance. This includes situations when the under-performing employees have to be substituted with fresh applicants. Generally, the number of candidates applying for a position is large and hence, the task of identifying an optimal subset becomes critical. Moreover, a human resource manager would also like to make use of the opportunity of retirement of employees to improve manpower utilization. However, the constraints enforced by the security policies prohibit any arbitrary assignment of tasks to employees. Further, the new employees should have the capabilities required to handle the assigned tasks. In this article, we formalize this problem as the Optimal Recruitment Problem (ORP), wherein the goal is to select the minimum number of fresh employees from a set of candidates to fill the vacant positions created by the outgoing employees, while ensuring satisfiability of the specified security conditions. The model used for specification of authorization policies and constraints is Attribute Based Access Control (ABAC), since it is considered to be the de facto next generation framework for handling organizational security policies. We show that the ORP problem is NP-hard and propose a greedy heuristic for solving it. Extensive experimental evaluation shows both the effectiveness as well as efficiency of the proposed solution.

王宇,谷大武,苏丹

DOI: https://doi.org/10.3969/j.issn.1000-3428.2004.z1.107

2004-01-01

Abstract:This paper offers a system about authorization and access control. This system contains privilege management subsystem and access control subsystem. Privilege management subsystem makes all kinds of polices for the whole situation by diversified modules. In this subsystem, attribute authority (AA) or souse of authority (SOA) signed all kinds of policy attribute certificate, and administrators allocate privilege to users by attribute registration authority (ARA) and apply for users attribute certificate from AA. In the access control subsystem, the access control enforcement function (AEF) achieves users access requests and users identities and sends the information to the access control decision function (ADF). ADF calculates the users granted privilege and makes the permit or refuse decision based on the policy and the users attribute certificate made by the privilege management subsystem. Consequently, the system realizes the authorization and access control and ensures the security of the shared data in the back Web servers.

袁平鹏,陈刚,董金祥

DOI: https://doi.org/10.3321/j.issn:1003-9775.2004.04.006

2004-01-01

Abstract:An access control paradigm composed of basic model and role model is proposed for collaborative applications. Basic model specifies the relationship among privileges and the way of ranking privileges. It relates privilege with operations on the objects, so the model appears more straightforward. Moreover, if Brokers' implementation permits, the model can support any grained access control. Role model re-defines the role concept of RBAC96, divides the permissions of role into public permissions, protect permissions and private permissions. It allows user to define roles more flexibly, prevents private permissions of roles from being inherited and reduces the definition of ancillary roles.

Muhammad Umar Aftab,Zhiguang Qin,Negalign Wake Hundera,Oluwasanmi Ariyo,Zakria,Ngo Tung Son,Tran Van Dinh

DOI: https://doi.org/10.3390/sym11050669

2019-01-01

Symmetry

Abstract:A major development in the field of access control is the dominant role-based access control (RBAC) scheme. The fascination of RBAC lies in its enhanced security along with the concept of roles. In addition, attribute-based access control (ABAC) is added to the access control models, which is famous for its dynamic behavior. Separation of duty (SOD) is used for enforcing least privilege concept in RBAC and ABAC. Moreover, SOD is a powerful tool that is used to protect an organization from internal security attacks and threats. Different problems have been found in the implementation of SOD at the role level. This paper discusses that the implementation of SOD on the level of roles is not a good option. Therefore, this paper proposes a hybrid access control model to implement SOD on the basis of permissions. The first part of the proposed model is based on the addition of attributes with dynamic characteristics in the RBAC model, whereas the second part of the model implements the permission-based SOD in dynamic RBAC model. Moreover, in comparison with previous models, performance and feature analysis are performed to show the strength of dynamic RBAC model. This model improves the performance of the RBAC model in terms of time, dynamicity, and automatic permissions and roles assignment. At the same time, this model also reduces the administrator’s load and provides a flexible, dynamic, and secure access control model.

Olena Usykova

DOI: https://doi.org/10.31319/2709-2879.2023iss1(6).283000pp86-91

2023-06-27

ECONOMIC BULLETIN OF THE DNIPROVSK STATE TECHNICAL UNIVERSITY

Abstract:The article examines the managerial perceptions of and the attitudes toward financial risks in small and medium-sized enterprises. The process of assessing the financial risk in small and medium-sized enterprises can be completed by various means and through implementation of different methods. However, a common issue for all approaches remains the lack of quantitative information that can ensure a reliable risk assessment. The purpose of the article is to provide practical recommendations with regard to the use of hierarchy analysis method in the decision-making system of an enterprise. The paper proposes to employ a risk assessment methodology based on an analytic hierarchy process which allows obtaining a set of optimal options. The effectiveness of the model has made it popular in many instances that may require defining multiple criteria for the decision-making process, which includes risk assessment and management on the basis of quantitative and qualitative criteria. Nonetheless, the primary drawback of the mentioned method lies in the complexity of calculations for making decisions with multiple alternatives. Data was collected through the use of a questionnaire adapted from previous studies. The questionnaire was divided into two parts. The first part collected socio-demographic information from the respondents, whereas the second part covered the owner’s/manager's risk perception in respect of a list of six financial risks based on two risk characteristics: consequences and probability. The paper incorporates the developed hierarchical structure of the task of making a choice with regard to the impact of the types of financial risks of the enterprise: low or no profit, low or no cash flow, revenue deficit, financing issues, problems with customer payments, increase in bank fees. The values of the consistency ration for both criteria were under (<0.10). Accordingly, the current of analytical hierarchical process analysis has reached an acceptable level of expert judgment. As a conclusion, the calculated weights of the risk components demonstrated that the magnitude (51.5 %) was considered by the executives/managers of enterprises as the most important risk assessment criterion, while the probability (45.5 %) was the second in importance. In the course of the analysis the financial risks were ranked. It was determined that the top three position in the ranking were taken by the following types of financial risks: increase in bank fees – 18,7 %; increase in problems with customer payments – 18 %; low or no cash flow – 16.8 %.

Weili Han,Qun Ni,Hong Chen

DOI: https://doi.org/10.1109/POLICY.2009.26

2009-01-01

Abstract:Work:flow systems often use delegation to enhance the flexibility, of authorization. However using delegation also weakens security because users may have difficulties understand and design correct delegation policies. hi this paper we propose the Measurable Risk Adaptive Role-based Delegation (MRARD) framework to address this problem. MRARD employs measurable risk for SSOs (System Security Officers) to provide a complementary protection mechanism in role-based delegation supporting workflow systems. In MRARD, when another enterprise user wants to use a delegated role to execute a task, a fuzzy logic based inference processor will infer the risk_level. Based on simple risk adaptive decision policies, a decision module will determine whether the access should be granted under a certain risk mitigation action.

Sejong Oh,Ravi Sandhu

DOI: https://doi.org/10.1145/507711.507737

2002-01-01

Abstract:Role-based access control (RBAC) is recognized as an excellent model for access control in an enterprise environment. In large enterprises, effective RBAC administration is a major issue. ARBAC97 is a well-known solution for decentralized RBAC administration. ARBAC97 authorizes administrative roles by means of role ranges&#x27; and prerequisite conditions&#x27;. Although attractive and elegant in their own right, we will see that these mechanisms have significant shortcomings.We propose an improved role administration model named ARBAC02 to overcome the weaknesses of ARBAC97. ARBAC02 adopts the organization unit for new user and permission pools independent of role or role hierarchy. It uses a refined prerequisite condition. In addition, we present a bottom-up approach to permission-role administration in contrast to the top-down approach of ARBAC97.

Muhammad Umar Aftab,Zhiguang Qin,Syed Falahuddin Quadri, Zakria,Arslan Javed,Xuyun Nie

DOI: https://doi.org/10.1145/3316615.3316667

2019-01-01

Abstract:RBAC and ABAC are well-known access control models due to their least privileges and dynamic behavior respectively. They also have some drawbacks like RBAC is unable to provide dynamic behavior and flexibility as well as ABAC is unable to provide tight security and ease of management of permissions as the RBAC can do. In this paper, a hybrid access control model is proposed and developed that combines the strengths of both models. The proposed model implements the concept of roles between a user and the user's attributes as well as between the object and object attributes, in the ABAC system. The proposed model decreases the load of the administrator, provides least of privileges concept in ABAC due to the addition of roles. Authors also implemented the proposed model and discussed with respect to a case study.