S. V. Belim,S. Yu. Belim,N. F. Bogachenko,A. N. Kabanov,S.V. Belim,S.Yu. Belim,N.F. Bogachenko,A.N. Kabanov

DOI: https://doi.org/10.48550/arXiv.1812.08494

2018-12-20

Cryptography and Security

Abstract:The problem of optimal authorization of a user in a system with a role-based access control policy is considered. The main criterion is to minimize the risks of permission leakage. The choice of the role for authorization is based on the analytic hierarchy process. The substantiation of a choice of criteria for formation of a hierarchy of the first level is given. An algorithm for calculating weight coefficients is presented, based on the quantitative characteristics of the role graph and not dependent on subjective expert evaluations. The complexity is estimated and the scalability of the proposed algorithm is discussed.

Lin Yao,Xiangwei Kong,Zichuan Xu

DOI: https://doi.org/10.1109/NCM.2008.75

2008-01-01

Abstract:Although RBAC models have received broad support as a generalized approach to access control, the administration of roles in large organizations can become quite cumbersome. In this paper, we develop a new paradigm for access control and authorization management, called task-role based access control (TRBAC) with multi-constraint. The basic idea of this model different from traditional RBAC is that roles and permissions are not connected directly but are put together by tasks. It is a dynamic authorization model with fine-grained partition on users, roles, tasks and sessions. The unit of task becomes the permission granularity. It is more convenient for enterprise privilege management such as distributed application,C/S access control and workflow management. It can reduce the administrator's burden and avoid some potential safety hazards because of adopted dynamic authorization.

Lingfeng Bao,David Lo,Xin Xia,Shanping Li

DOI: https://doi.org/10.1109/sate.2016.13

2016-01-01

Abstract:As Android is one of the most popular open source mobile platforms, ensuring security and privacy of Android applications is very important. Android provides a permission mechanism which requires developers to declare sensitive resources their applications need, and users need to agree with this request when they install (for Android API level 22 or lower) or run (for Android API level 23) these applications. Although Android provides very good official documents to explain how to properly use permissions, unfortunately misuses even for the most popular permissions have been reported. Recently, Karim et al. propose an association rule mining based approach to better infer permissions that an API needs. In this work, to improve the effectiveness of the prior work, we propose an approach which is based on collaborative filtering technique, one of popular techniques used to build recommendation systems. Our approach is designed based on the intuition that apps that have similar features - inferred from the APIs that they use - usually share similar permissions. We evaluate the proposed approaches on 936 Android apps from F-Droid, which is a repository of free and open source Android applications. The experimental results show that our proposed approaches achieve significant improvement in terms of the precision, recall, F1-score and MAP of the top-k results over Karim et al.'s approach.

N.F. Bogachenko

DOI: https://doi.org/10.48550/arXiv.1812.09721

2018-12-23

Cryptography and Security

Abstract:The problems which are important for the effective functioning of an access control policy in a large information system (LIS) are selected. The general concept of a local optimization of a role-based access control (RBAC) model is formulated. The optimization criteria are proposed. The algorithms of a local optimization of the RBAC model are defined and justified. The developed algorithms are used in the methods of the solution of the following problems: the assessment of risks of the leakage of permissions in the RBAC policy, the access control in the distributed hierarchical systems, the combining of role-based and mandatory access control models. In the first problem the question of the permissions distribution in the role hierarchy is researched. The analytic hierarchy process (AHP) is applied to creation of the estimates. The method is based on the hierarchical structure of a role set. The offered technique can order the permissions according to the value of the risks of their leakage. In the second problem the algorithm of the distribution of the cryptographic keys in the system with a hierarchical arrangement of the objects is offered. The cryptography protocols for the practical use of this algorithm are defined. The conditions of the implementation of the discretionary and mandatory principles of the access control on the basis of the developed algorithm are formulated.

HL Hu,D Chen,CQ Huang

DOI: https://doi.org/10.1109/icsmc.2004.1401072

2004-01-01

Abstract:The idea of role has been widely applied to solving the authority, responsibility, function and interaction, which are associated with member station in organizations. Access control is a key security issue in distributed collaboration systems. After analyzing corresponding security requirements and the present status of security in distributed collaboration system, this paper presents an extensive role-based access control (ERBAC) architecture based on differentiated domain management. In this architecture, security management is classified into inter-domain one and infra-domain one, whilst, it can integrate new security policies. Based on definition of role permission type, the paper introduces a function of permission type change to make ERBAC architecture flexible. In addition, the authors discuss the methods by which the security can be implemented in an agent-based framework. The practices signify that this system can be flexibly applied various existing policy languages and protocols.

王新胜,熊书明,王新宇

DOI: https://doi.org/10.3778/j.issn.1002-8331.2009.36.028

2009-01-01

Computer Engineering and Applications Journal

Abstract:SARBAC/SARBAC-HH models are dominative in implementation of role hierarchy management by analyzing and comparing several typical role-based access control models.Some issues in role and permission assignment management existed in SARBAC/SARBAC-HH models.In view of these issues,an improved model named WARBAC,based on SARBAC/SARBAC-HH models,is put forward.In the model,the administrative policy of role-permission assignment is redefined and redesigned by resorting to the conception of the organization structure of the ARBAC02 model.Analysis results show that WARBAC is simple in role hierarchy management and is reasonable in complicated role-permission assignment management.

Xiyuan Chen,Di Wu.,Jian Lin,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICCIAS.2006.295308

2006-01-01

Abstract:To satisfy the requirements of secure interoperation among distributed systems, a security violation detection method for RBAC based interoperation is proposed We carry out the discussion in the scope of Core RBAC and Hierarchy RBAC. To better illustrate the method for RBAC based interoperation, a formal definition of secure interoperation in RBAC systems has been introduced. Security violation of interoperation with role mappings in the distributed systems is analyzed. Based on these discussions, a minimum security violation detection method for RBAC based interoperation according to the feature of RBAC system and the inherent characteristic of interoperation in distributed environment is introduced. The minimum detection method provides good performance reducing complexity by decreasing amount of roles involved in detection.

Chun-hua GU,Bao-liang XIAO

DOI: https://doi.org/10.3969/j.issn.1006-3080.2007.01.022

2007-01-01

Abstract:In order to overcome shortages of the processing method of RBAC96 model′s private permission,an improved model is put forward from a point of implementation view.The private permission in this model can be retained through public heredity mode and the public permission′s inheritance(hierarchy) can be controlled easily through role′s permission transformation.It solves the problem of complicated role cardinality caused from role heredity.

JIANG Jie,ZHANG Jie,CHEN De-ren

DOI: https://doi.org/10.3785/j.issn.1008-973x.2009.09.011

2009-01-01

Abstract:An extended context-aware role based access control(RBAC) based on reasoning(RC-RBAC) model was proposed by integrating the single context-aware RBAC and reasoning-based RBAC in order to solve the problems of the Absence of the adjustment and generation of the context-aware condition dynamically and the incapacity of updating the user authorization according to the adjusted constrain conditions in the existing RBAC.The extended model used the rule reasoning to adjust and generate the context constrains dynamically and start the common sensors and the self-defined sensors to collect the attribute values of the conditions.The access permission to the sensitive data was updated in real time based on the context-aware logic reasoning using the user rules and permission rules.The application results show that the extended RC-RBAC model can be employed in the distributed environment to satisfy the need of the dynamic authorization and reduce the real-time access control management complexity.

SU Jun,XUE Shun-li,LI Zun-chao

DOI: https://doi.org/10.3969/j.issn.1674-649x.2006.02.015

2006-01-01

Abstract:The permission's management of roles hierarchies is discussed based on RBAC,.Designed model of permission hierarchies on relation between subset and superset,which provide the possible to implement management based on hierarchies in enterprises.Roles hierarchies are a security mechanism based on RBAC0,enterprises can using it to create mapping of roles and users's accounting quickly and implement classifications managed within enterprises.The relation of roles hierarchies based on RBAC that can be used to create mapping of roles and users and groups in enterprises.The relations make permissions separate step by step,thus a perfect purpose is acquired.

Chao Huang,Jianling Sun,Xinyu Wang,Yuanjie Si

DOI: https://doi.org/10.1109/ISBIM.2008.132

2009-01-01

Abstract:In large enterprise software systems, users often need to delegate their authority to others. Permission base delegation model (PBDM) based on RBAC96 currently is the most attractive model to fulfill the delegation requirement since it supports partly delegation and multiple steps delegation. However in PBDM there is no explicit specification of the separation of duty (SOD) constraint, which is one of the most important constraints and is essential to the security of the system. In this paper, we analyze the SOD constraint in PBDM delegation model and give the formal definition for the constraint. We prove that the constraint violation will not happen at the stage of the delegation role definition whereas it can only happen at the stage of role assignment. We then propose a protective mechanism to prevent the illegal role delegation utilizing the prerequisite conditions which are a set of Boolean expressions. We also give the algorithm to check the prerequisite conditions to help the security administrator guarantee the safe role delegation.

Chao Huang,Jianling Sun,Xinyu Wang,Yuanjie Si,Di Wu

DOI: https://doi.org/10.1109/icsm.2009.5306288

2009-01-01

Abstract:Little is known about how to preprocess the noise in legacy access control data when migrating to the Role-based Access Control model. This paper presents an experience report on the noise preprocess method of the legacy access control data of several financial systems. The main goal of this project is to improve the quality of the roles obtained via role mining.

Muhammad Umar Aftab,Zhiguang Qin,Negalign Wake Hundera,Oluwasanmi Ariyo,Zakria,Ngo Tung Son,Tran Van Dinh

DOI: https://doi.org/10.3390/sym11050669

2019-01-01

Symmetry

Abstract:A major development in the field of access control is the dominant role-based access control (RBAC) scheme. The fascination of RBAC lies in its enhanced security along with the concept of roles. In addition, attribute-based access control (ABAC) is added to the access control models, which is famous for its dynamic behavior. Separation of duty (SOD) is used for enforcing least privilege concept in RBAC and ABAC. Moreover, SOD is a powerful tool that is used to protect an organization from internal security attacks and threats. Different problems have been found in the implementation of SOD at the role level. This paper discusses that the implementation of SOD on the level of roles is not a good option. Therefore, this paper proposes a hybrid access control model to implement SOD on the basis of permissions. The first part of the proposed model is based on the addition of attributes with dynamic characteristics in the RBAC model, whereas the second part of the model implements the permission-based SOD in dynamic RBAC model. Moreover, in comparison with previous models, performance and feature analysis are performed to show the strength of dynamic RBAC model. This model improves the performance of the RBAC model in terms of time, dynamicity, and automatic permissions and roles assignment. At the same time, this model also reduces the administrator’s load and provides a flexible, dynamic, and secure access control model.

袁平鹏,陈刚,董金祥

DOI: https://doi.org/10.3321/j.issn:1003-9775.2004.04.006

2004-01-01

Abstract:An access control paradigm composed of basic model and role model is proposed for collaborative applications. Basic model specifies the relationship among privileges and the way of ranking privileges. It relates privilege with operations on the objects, so the model appears more straightforward. Moreover, if Brokers' implementation permits, the model can support any grained access control. Role model re-defines the role concept of RBAC96, divides the permissions of role into public permissions, protect permissions and private permissions. It allows user to define roles more flexibly, prevents private permissions of roles from being inherited and reduces the definition of ancillary roles.

Ian Molloy,Ninghui Li,Jorge Lobo,Yuan Qi,Luke Dickens

2010-01-01

Abstract:There has been increasing interest in automatic techniques for generating roles for role-based access control, a process known as role mining. Most role mining approaches assume the input data is clean, and attempt to optimize the RBAC state. We examine role mining with noisy input data and suggest dividing the problem into two steps: noise removal and candidate role generation. We introduce an approach to use (non-binary) rank reduced matrix factorization to identify noise and experimentally show that it is effective at identifying noise in access control data. User- and permission-attributes can further be used to improve accuracy. Next, we show that our two-step approach is able to find candidate roles that are close to the roles mined from noise-less data. This method performs better than the approach of mining noisy data directly and offering the administrator increased control in the noise removal and candidate role generation phases. We note that our approach is applicable outside role engineering and may be used to identify errors or predict missing values in any access control matrix.

Chao Huang,Jianling Sun,Xinyu Wang,Yuanjie Si

DOI: https://doi.org/10.1109/ebiss.2009.5138002

2009-01-01

Abstract:Access control becomes more and more essential for safe and security access to the system resources. Role based access control policy widely used in industry enterprise systems nowadays is a statement which specifies the rules about how to setup the process for granting or denying authorizations. It is extremely important to make sure that there is no inconsistency of an access control policy, since otherwise it may conceal the security danger or even break down the entire access control system. In this paper, we analyze the inconsistencies of role based access control policy, and give the formal definition for the inconsistency. We then propose an inconsistency checking algorithm to detect the inconsistencies of a role based access control policy.

Sejong Oh,Ravi Sandhu

DOI: https://doi.org/10.1145/507711.507737

2002-01-01

Abstract:Role-based access control (RBAC) is recognized as an excellent model for access control in an enterprise environment. In large enterprises, effective RBAC administration is a major issue. ARBAC97 is a well-known solution for decentralized RBAC administration. ARBAC97 authorizes administrative roles by means of role ranges' and prerequisite conditions'. Although attractive and elegant in their own right, we will see that these mechanisms have significant shortcomings.We propose an improved role administration model named ARBAC02 to overcome the weaknesses of ARBAC97. ARBAC02 adopts the organization unit for new user and permission pools independent of role or role hierarchy. It uses a refined prerequisite condition. In addition, we present a bottom-up approach to permission-role administration in contrast to the top-down approach of ARBAC97.

Dipankar Dasgupta,Arunava Roy,Debasis Ghosh

DOI: https://doi.org/10.1016/j.ins.2017.09.039

IF: 8.1

2018-01-01

Information Sciences

Abstract:Exfiltration of sensitive data and intellectual property theft have increased to a significant level affecting both government agencies as well as small to large businesses. One of the major reasons of data breaches is malicious insiders who have the access rights, knowledge of data values and technical know-how of escalating their privileges in launching such insider attacks. Traditional access control policies (to shared data and computing resources) were evolved around the trust on legitimate users’ access rights (read, write and execute) based on their jobs and role hierarchy in an organization. However, such access privileges are increasingly being misused by hostile, oblivious, rouge and pseudo-insiders. This work introduces a multi-user permission strategy and formulates a methodology for shared-trustworthy access (to classified data and services) by considering organizational structure. Accordingly, based on the sensitivity of the information being requested by a user, approvers are selected dynamically to reflect the work environment such as mobility, use of the device, access policy, etc. For this purpose, the proposed methodology first generates an access control graph, based on inter-relationship among employees and their roles in an organization. Next, it generates a set of permission grantees who are allowed to approve the access request of a user at a given time. The proposed multi-user permission strategy is evaluated with two empirical datasets and reported results demonstrated its ability in selecting non-repetitive approvers for a user access under different organizational and environmental constraints.

computer science, information systems

TIAN Li-qin,JI Tie-guo,LIN Chuang,YIANG Yiang

DOI: https://doi.org/10.3778/j.issn.1002-8331.2008.19.004

2008-01-01

Abstract:The paper establishes a user behaviour trust and Role-Based Access Control(RBAC) model,which introduces the attribute concept and adds the user behaviour trust degree set on the basis of RBAC model.The detailed description and the authorization flow are given in the article.At last the model is analyzed from the dynamic performance and trust mechanism and role numbers and work performance.The new access control achieves the dynamic authorization by the dynamic assignment of role attributes and achieves the connection identity trust with behavior trust by setting the trust degree as an obligatory attribute,which changes the static authorization only based the identity of existing access control models.The model can reduce the role number by setting the attributes for the role,which can lighten the role management burden caused by the large number roles and improve the performance at the same time.

Muhammad Umar Aftab,Zhiguang Qin,Syed Falahuddin Quadri, Zakria,Arslan Javed,Xuyun Nie

DOI: https://doi.org/10.1145/3316615.3316667

2019-01-01

Abstract:RBAC and ABAC are well-known access control models due to their least privileges and dynamic behavior respectively. They also have some drawbacks like RBAC is unable to provide dynamic behavior and flexibility as well as ABAC is unable to provide tight security and ease of management of permissions as the RBAC can do. In this paper, a hybrid access control model is proposed and developed that combines the strengths of both models. The proposed model implements the concept of roles between a user and the user's attributes as well as between the object and object attributes, in the ABAC system. The proposed model decreases the load of the administrator, provides least of privileges concept in ABAC due to the addition of roles. Authors also implemented the proposed model and discussed with respect to a case study.