Lin Yao,Xiangwei Kong,Zichuan Xu

DOI: https://doi.org/10.1109/NCM.2008.75

2008-01-01

Abstract:Although RBAC models have received broad support as a generalized approach to access control, the administration of roles in large organizations can become quite cumbersome. In this paper, we develop a new paradigm for access control and authorization management, called task-role based access control (TRBAC) with multi-constraint. The basic idea of this model different from traditional RBAC is that roles and permissions are not connected directly but are put together by tasks. It is a dynamic authorization model with fine-grained partition on users, roles, tasks and sessions. The unit of task becomes the permission granularity. It is more convenient for enterprise privilege management such as distributed application,C/S access control and workflow management. It can reduce the administrator's burden and avoid some potential safety hazards because of adopted dynamic authorization.

Zhang Xiantao,Li Qi,Qing Sihan,Zhang Huanguo,Zhang Liqiang

DOI: https://doi.org/10.1109/ISCIT.2007.4392214

2007-01-01

Abstract:Role-based Access Control (RBAC) become an important techniques to secure e-commerce systems during recent years. However, RBAC management issue is still an unresolved problem. Moreover, with the development of IT technologies in many departments, there emerge many group communications which require dynamic user-role assignments. In these scenarios it is infeasible for few security officers to administrate the assignment for local variant applications. In this paper, we propose a novel RBAC model for decentralized and distributed systems. We also present an administration model of our PBAC model to address the management issues in traditional RBAC systems. As one of the main contributions, this paper proposes a decentralized administration model by introducing a component of group assignment to implement a novel user authorization mechanism and a new user-role assignment (UA) approach which provides a two-level administration for user and role management through the concept of group. Our model can be applied for the current group communication applications with dynamic assignments where typically local administrators take charge of the dynamic assignments. In this way, many administrative tasks for different applications can spread over many different local administrators, and a fine-grained administration model of RBAC based on the local administration policies is realized. As a proof-of-concept we implemented a prototype in Xen virtualization environment based on our proposed model to secure real distributed applications.

Xiyuan Chen,Miaoliang Zhu

DOI: https://doi.org/10.4028/www.scientific.net/kem.439-440.178

2010-01-01

Abstract:Semantic; Trust Management; RBAC; User-role Assignment Abstract. The application of RBAC in access management of the enterprise services and resources is very widely. With phenomenal growth of information interaction and cooperation between distributed systems, the number of users can be in the hundreds of thousands or millions. This renders manual user-to-role assignment a formidable task. In this paper, we propose a semantic and trust based framework to automatically assign users to roles based on a finite set of assignment rules defined by authorized people in the enterprise. These rules take into consideration the attributes users own and any constraints set forth by the enterprise including the assignment history and the credit of the requester. We choose OWL to specify the user attributes.

JIANG Jie,ZHANG Jie,CHEN De-ren

DOI: https://doi.org/10.3785/j.issn.1008-973x.2009.09.011

2009-01-01

Abstract:An extended context-aware role based access control(RBAC) based on reasoning(RC-RBAC) model was proposed by integrating the single context-aware RBAC and reasoning-based RBAC in order to solve the problems of the Absence of the adjustment and generation of the context-aware condition dynamically and the incapacity of updating the user authorization according to the adjusted constrain conditions in the existing RBAC.The extended model used the rule reasoning to adjust and generate the context constrains dynamically and start the common sensors and the self-defined sensors to collect the attribute values of the conditions.The access permission to the sensitive data was updated in real time based on the context-aware logic reasoning using the user rules and permission rules.The application results show that the extended RC-RBAC model can be employed in the distributed environment to satisfy the need of the dynamic authorization and reduce the real-time access control management complexity.

Li Qi,Xu Mingwei,Zhang Xinwen

DOI: https://doi.org/10.1109/ICDCS.Workshops.2008.26

2008-01-01

Abstract:Role-based Access Control (RBAC) has been widely deployed in many distributed systems in recent years. However, in many large-scale enterprise environments, it is difficult to manage RBAC because of the huge number of users and roles, and complex interrelationships between them. Moreover, with the development of information and communication technologies, many temporal and ad hoc collaborations between groups and departments are emerging, which require dynamic user-role and permission-role assignments. In thesescenarios it is infeasible, if not impossible, for few security officers to administrate the assignment for various applications. In this paper, we propose a novel RBAC model for decentralized and distributed systems. As one of the main contributions, we also propose a decentralizedadministration model to address the management issues in traditional RBAC systems, Our model can be used for group-based applications with dynamic assignments where typically local (group-level) administrators take charge of the dynamic assignments. In this way, many administrativetasks for different applications can spread over many different local administrators, and a fine-grained administration model of RBAC based on the local administration policies is realized. As a proof-of-conceptsystem, we implemented a secure Spread prototype based on our proposed model to show the feasibility in the real applications.

Wu Di,Jian Lin,Yabo Dong,Miaoliang Zhu

DOI: https://doi.org/10.1109/PDCAT.2005.247

2005-01-01

Abstract:Role-based access control (RBAC) models have generated a great interest in the security community as a powerful and generalized approach to security management. One of important aspects in RBAC is constraints that constrain what components in RBAC are allowed to do. There are lots of research have been achieved to specify constraints for secure system developers. However more work is need urgently to met requirements for interoperability of machine and people understandable constraints specification in open and distributed environment. In this paper we propose another approach to specify constraints using Semantic Web technologies. The Web Ontology Language (OWL) specification of basic RBAC components and constraints are described in detail.

Yahui Lu,Li Zhang,Yinbo Liu,Jiaguang Sun

DOI: https://doi.org/10.1109/cscwd.2006.253050

2006-01-01

Abstract:Role-based access control (RBAC) models have been successfully implemented in various information systems in recent years. However, the traditional centralized authorization and administration mechanisms in RBAC have several drawbacks in collaborative environments. In this paper, we propose a distributed Domain Administration of RBAC Model, DARBAC, in which the authorization and administration privileges are distributed to multiple administrative domains. Each administrative role is assigned to an administrative domain and can only execute administrative operations within its domain. By introducing the concept of administrative domain and administrative role hierarchy, the DARBAC model can flexibly meet the access control requirements in collaborative environments. We also describe how to implement the model in the PLM product and how to apply the model in a distributed enterprise environment to support cooperative work.

Sejong Oh,Ravi Sandhu

DOI: https://doi.org/10.1145/507711.507737

2002-01-01

Abstract:Role-based access control (RBAC) is recognized as an excellent model for access control in an enterprise environment. In large enterprises, effective RBAC administration is a major issue. ARBAC97 is a well-known solution for decentralized RBAC administration. ARBAC97 authorizes administrative roles by means of role ranges' and prerequisite conditions'. Although attractive and elegant in their own right, we will see that these mechanisms have significant shortcomings.We propose an improved role administration model named ARBAC02 to overcome the weaknesses of ARBAC97. ARBAC02 adopts the organization unit for new user and permission pools independent of role or role hierarchy. It uses a refined prerequisite condition. In addition, we present a bottom-up approach to permission-role administration in contrast to the top-down approach of ARBAC97.

LI Bo,HUANG Dong-jun

DOI: https://doi.org/10.3969/j.issn.1006-8937-B.2006.04.001

2006-01-01

Abstract:The paper analyzes and compares several primary ways to distribute privileges during the current design process of access system such as Discretionary Access Control(DAC), Mandatory Access Control (MAC) and Role-Based Access Control (RBAC), points out their respective characteristics and limitations of their applicability. By taking the new characteristics of modern enterprise management into consideration and combining with the existing access control model, the authors discuss the access control technology of the multi-users information system, present and realize the security control model based on role level, department level and user level in the application. Practical application makes clear that it enhances the security and maintainability of information system.

LONG Jun,ZENG Xiao-sa,ZHANG Zu-ping

2010-01-01

Abstract:As the traditional role-based access control(RBAC) models have shortcomings when applied in lager-scale en-terprise applications,an improved RBAC model based on autonomy domain(AD -RBAC) is proposed.This model intro-duces‘autonomy domain’to describe the organization structure;divides groups into administrative group and common group,which enhances the expression capability of the group;adopts organization structure domain description model to construct group hierarchy and group types.All these contribute to the simple and intuitive realization of multi-level user authorization management.In the expert information service grid,AD -RBAC is used to achieve authorized service and da-ta access of grid nodes based on virtual domain,which proves the feasibility and effectiveness of this model.

ZHANG Shuai,SUN Jian-ling,XU Bin,HUANG Chao

DOI: https://doi.org/10.3785/j.issn.1008-973X.2012.11.015

2012-01-01

Abstract:A dynamic multiple domains access control model base on role based access control(RBAC) was proposed in order to solve the problem that current single domain based access control model cannot fulfill the authorization requirements for service compositions crossing multiple enterprises.The process structures were analyzed and a role mining algorithm was proposed to find the role set with minimized permissions that meet the access requirements of composite services.Authorization negotiations were set up among relevant domains for each cross domain operation in composite services and cross domain role mappings were built according the mined role sets with minimized cost to fulfill the cross domain operations.Based on this model,a runtime framework aligned with current industry standard was proposed to authorize dynamically based on the current running status of composite services.Simulation experiments showed the effectiveness of key part of the role mining algorithm.

ZHU Yi-qun,LI Jian-hua,ZHANG Quan-hai

DOI: https://doi.org/10.3321/j.issn:1006-2467.2007.05.026

2007-01-01

Abstract:This paper reviews the existing research work of the security technology and access control for web services, and then presents a dynamic hierarchical role-based access control model for web services. In this paper, by introducing the notion of authorization group and mechanism of hierarchical access control, the model dynamically manages privileges and protects the parameters themselves. The model improves the flexibility and independence and expansion of access control for web services, and dynamically manages privileges, and provides a more perfect security mechanism for web services, and also effectively enhances the security for web services applications.

QIU Jiong,MA Chen-hua,Yin Jian-wei,Dong Jin-xiang

DOI: https://doi.org/10.1109/CIT.2005.161

2005-01-01

Abstract:RBACAM, a role-based administrative model of RBAC, is proposed in this paper. It simplifies the description of role hierarchies with the definition of role identity code and role derivative information pair group. The concept of role administration domain and role enhanced administration domain is introduced to realize decentralized administration of RBAC. Each role has responsibility far role administration in its own administration domain and enhanced administration domain. A series of conflict checking rules to maintain consistency and the administration of authorization constraints are provided in the model. Administrative algorithms of role hierarchies, user-rote assignments, permission-role assignments and authorization constraints are also described- RBAC AM can be applied in the context of the RBAC96 model without introducing additional entities and relations. The main advantage of RBAC AM is its simplicity, completeness and practicability.

Yi-qun Zhu,Jian-hua Li,Quan-hai Zhang

DOI: https://doi.org/10.5220/0002100404710474

2006-01-01

Abstract:A key challenge in Web services security is the design of effective access control schemes that can adequately satisfy Web services security requirements. Despite the recent advances in Web based access control, there remain issues that impede the development of effective access control models for Web services environments. One of them is the lacks of dynamic role management and attributes access control for Web services. In this paper, we present a dynamic attribute-based role-based access control model (DARBAC) to address the issues. The proposed approach introduces authorization group, which is used to dynamically manages roles and privileges, and attribute based access control mechanism which is used to protect the services and services parameters. We outline the configuration mechanism needed to apply our model to the Web services environments.

叶锡君,许勇,吴国新

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.01.064

2002-01-01

Abstract:Role-based access control(RBAC), which will reduce the complexity and cost of authorization managements, provides the role that is consistent with the structure in a corporation. RBAC for the Web(RBAC/Web) is the best scheme to enforce authorization policy on large Intranet. After introducing resource access policies through the RBAC for Web server, this paper provides how to set up the RBAC/Web model and gives an approach implementation in a Web reverse proxy.

BAO Zhigang,HU Yanjun,GU Xinjian

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.01.059

2006-01-01

Abstract:Firstly making reference to role based access control(RBAC)model,this paper proposes the basic idea about access control.Then it introduces database design of two realizing methods about access control and two methods’ realization in program,it also presents visual effect.Finally it analyzes and compares one to another in detail from two aspects of applicability and reusability.

Qi Li,Xinwen Zhang,Mingwei Xu,Jianping Wu

DOI: https://doi.org/10.1016/j.cose.2008.12.004

IF: 5.105

2009-01-01

Computers & Security

Abstract:Role-Based Access Control (RBAC) has become a popular technique for security purposes with increasing accessibility of information and data, especially in large-scale enterprise environments. However, authorization management in dynamic and ad-hoc collaborations between different groups or domains in these environments is still an unresolved problem. Traditional RBAC models cannot solve this problem because they cannot support security policy composition from different groups, and lack efficient administrative models for dynamic collaborations. In this paper, we propose a group-based RBAC model (GB-RBAC) for secure collaborations which is based on RBAC96 and extended with group concept to capture dynamic users and permissions. We propose a decentralized security administrative model for GB-RBAC to address the management issues of RBAC in collaborations. As a unique property, our model supports two levels of authorization management: global or system level management by system administrators and local or group level management by group administrators. In this way, our model implements the principles of management autonomy and separation of duty (SoD) in security administrations. We apply our model for authorization management in collaborations by introducing the concept of virtual group. A virtual group is built for a collaboration between multi-groups, where all members build trust relation within the group and are authorized to join and perform operations for the collaborative work. Compared with existing work, our model supports dynamic and ad-hoc collaborations in large-scale systems with the properties of controllable, decentralized, and fine-grained security management.

Yi Ren,Zhiting Xiao,Sipei Guo

DOI: https://doi.org/10.1109/isecs.2008.163

2008-01-01

Abstract:Role based access control (RBAC) has been widely adopted as a policy neutral access control model by many IT corporations. RBAC96, which is the most famous family of RBAC models, provides a common frame reference for related research and development. Many properties proposed in the family, e.g. limited inheritance, mutually exclusive roles, cardinality, and interaction, have been separately discussed in the previous work. In this paper, an extended RBAC model implementing those properties is proposed to provide an approach for implementing RBAC3. The extended RBAC model is based on deputy mechanism and is called deputy-based access control (DBAC). Since the private role hierarchy and constraint can be uniformly handled in DBAC, a flexible and powerful access control system can be implemented.

Qi Li,Xinwen Zhang,Sihan Qing,Mingwei Xu

DOI: https://doi.org/10.1109/colcom.2006.361887

2006-01-01

Abstract:With the increasing accessibility of information and data, role-based access control (RBAC) has become a popular technique for security and privacy purposes. However, trusted collaboration between different groups in large corporate Intranets is still an unresolved problem. The challenge is how to extend existing access control model for efficient security management and administration to allow trusted collaboration between different groups. In this paper, we propose a group-based RBAC model (GB-RBAC) for this purpose. In particular, virtual group is proposed in our model to allow secure information and resource sharing in multi-group collaboration environments. All the members of a virtual group build trust relation between themselves and are authorized to join the collaborative work. The scheme and strategies provided in this paper meet the requirements of security, autonomy, and privacy for collaborations. As a result, our scheme provides an easy way to employ RBAC policies to secure ad-hoc collaboration

Wenan TAN -,Yicheng XU -,Ting ZHANG -,Xiang WEN -,Linshan Cui -,Chuanqun JIANG -

DOI: https://doi.org/10.4156/jdcta.vol5.issue7.16

2011-01-01

International Journal of Digital Content Technology and its Applications

Abstract:Currently, the security issues of Web services are hot area in information system (IS). This research mainly discusses the key technologies of information access control focusing on following works: After analyzing the dynamic characteristic of application nature for Web services, a Dynamic Role-Based Access Control using Context and Trust model (abbreviated as CT-DRBAC) for Web services is proposed. During Web services, both the subject of invoking request and object of providing service resources are dynamic nature. So, access policies are needed to consider the dynamic nature. The proposed model has been developed and the authorization framework is discussed detail. In order to implement the dynamic trust management mechanism, a dynamic user role authorization algorithm which considers the user lifecycle contexts in the open systems is proposed and designed to meet the dynamic characteristic of subject and object effectively, and achieve intelligent and scientific user role assignments. The proposed access control module can be used in intelligent information systems to grant dynamically roles to users according to the current context.