Di Wu,Xiyuan Chen,Jian Lin,Miaoliang Zhu

DOI: https://doi.org/10.1007/11836025_19

2006-01-01

Abstract:Today, the formulation, specification, and verification of adequate data protection policies in open distributed environment appear as the main challenge to address concerning authorization Role-based access control models have attracted considerable research interest in recent years due to their innate ability to model organizational structure and their potential to reduce administrative overheads This paper proposes ontology specification to describe Role-based Access Control model and extend it with a general context expression Based on these definitions, the specification for interoperation in distributed environment is introduced The works include a definition of ontology to describe the concepts and a declaration of rules to explicit the relationship between concepts The ontology based approach can express security policy with semantic information and provide a machine interpretation for descriptions of policy in open distributed environment.

Xiyuan Chen,Miaoliang Zhu

DOI: https://doi.org/10.4028/www.scientific.net/kem.439-440.178

2010-01-01

Abstract:Semantic; Trust Management; RBAC; User-role Assignment Abstract. The application of RBAC in access management of the enterprise services and resources is very widely. With phenomenal growth of information interaction and cooperation between distributed systems, the number of users can be in the hundreds of thousands or millions. This renders manual user-to-role assignment a formidable task. In this paper, we propose a semantic and trust based framework to automatically assign users to roles based on a finite set of assignment rules defined by authorized people in the enterprise. These rules take into consideration the attributes users own and any constraints set forth by the enterprise including the assignment history and the credit of the requester. We choose OWL to specify the user attributes.

Lin Yao,Xiangwei Kong,Zichuan Xu

DOI: https://doi.org/10.1109/NCM.2008.75

2008-01-01

Abstract:Although RBAC models have received broad support as a generalized approach to access control, the administration of roles in large organizations can become quite cumbersome. In this paper, we develop a new paradigm for access control and authorization management, called task-role based access control (TRBAC) with multi-constraint. The basic idea of this model different from traditional RBAC is that roles and permissions are not connected directly but are put together by tasks. It is a dynamic authorization model with fine-grained partition on users, roles, tasks and sessions. The unit of task becomes the permission granularity. It is more convenient for enterprise privilege management such as distributed application,C/S access control and workflow management. It can reduce the administrator's burden and avoid some potential safety hazards because of adopted dynamic authorization.

Zhiwen Zou,Changqian Chen,Shiguang Ju,Jiming Chen

DOI: https://doi.org/10.1007/978-3-642-12189-0_26

2010-01-01

Abstract:The Spatial Role-Based Access Control (SRBAC) model was discussed in this paper. Firstly, the formal definition of SRBAC Model was given; then the region coverage constraint of spatial object, duration constraint of spatial object, various spatial object separations of duty constraints and spatial object cardinality constraint of role activation were researched; after extending the traditional session, the strategy of eliminating the conflictive session was presented; Finally, the role hierarchy has been discussed under the spatial environment. Combined with practical application, the theory of secure DBMS was optimized and afforded to build the stricter system.

LU Yang,XIAO Jun-mo,LIU Jing

DOI: https://doi.org/10.3778/j.issn.1002-8331.2008.30.037

2008-01-01

Abstract:Ontologies,which can provide a shared and common understanding of some domain that can be communicated across people and computers,place the key function in the semantic Web.However,due to lack of essential access control mechanisms,the dissemination of ontologies can result in revealing sensitive information in the ontology documents.This paper proposes a Semantic-associated Role-Based Access Control(S-RBAC) model for the OWL ontology.By extending the traditional RBAC model based on the semantic association of the ontology elements,S-RBAC model not only can provide essential control mechanisms for the direct access to ontologies and their elements,but also can account for the inference disclosure problems induced by the semantic association of the ontology elements.

YE Chunxiao,LUO Juan,ZHOU Jiagen

DOI: https://doi.org/10.3778/j.issn.1002-8331.1106-0276

2013-01-01

Computer Engineering and Applications Journal

Abstract:Role delegation between users is an important security policy that should be supported for RBAC mode. The basic idea of delegation is that some users in a system delegate their roles to other users to carry out some specific functions on behalf of the former. This paper describes the RBAC delegation with ontology. Meanwhile some rules in form of SWRL have been defined for the delegation to reason within mutual exclusive constraint, time constraint, overlap constraint and prerequisite role constraint, so as to ensure the security and self-determination of the delegation system.

Rui XI,Chang-gen PENG

DOI: https://doi.org/10.3969/j.issn.1000-5269.2010.06.020

2010-01-01

Abstract:Traditional access control models could not meet the needs of spatial environment.A spatial constrained attribute and role based access control model(Spatial-ARBAC) has been built.The ontology of our RBAC model represented Web Ontology Language(OWL DL) and the formal definitions of the space constraints are given.In this model,the roles that users can perform are dynamically determined based on their own attribute values and on the attribute values associated with the resources.This model is fine-grained and flexible.

Nuermaimaiti Heilili,Yang Chen,Chen Zhao,Zhenxing Luo,Zuoquan Lin

DOI: https://doi.org/10.1007/11811220_15

2006-01-01

Abstract:Access control is an important issue related to the security on the Semantic Web. Role-Based Access Control (RBAC) is commonly considered as a flexible and efficient model in practice. In this paper, we provide an OWL-based approach for RBAC in the Semantic Web context. First we present an extended model of RBAC with negative authorization, providing detailed analysis of conflicts. Then we use OWL to formalize the extended model. Additionally, we show how to use an OWL-DL reasoner to detect the potential conflicts in the extended model.

Deqing Zou,Ligang He,Hai Jin,Xueguang Chen

DOI: https://doi.org/10.1016/j.jnca.2008.02.015

IF: 7.574

2009-01-01

Journal of Network and Computer Applications

Abstract:Interactions between resources as well as services are one of the fundamental characteristics in the distributed multi-application environments. In such environments, attribute-based access control (ABAC) mechanisms are gaining in popularity while the role-based access control (RBAC) mechanism is widely accepted as a general mechanism for authorization management. This paper proposes a new access control model, CRBAC, which aims to combine the advantages of RBAC and ABAC, and integrates all kinds of constraints into the RBAC model. Unlike other work in this area, which only incorporates one or a few particular attribute constraints into RBAC, this paper analyses and abstracts the generic properties of the attribute constraints imposed on authorization systems. Based on these analyses and generalization, two constraints templates are presented, called authorization mapping constraint template and behaviour constraint template. The former template is able to automate the user-role and role-permission mapping, while the latter is used to restrict the behaviours of the authorization entities. The attribute constraints are classified into these two templates. Moreover, the state mechanism is introduced to build up the constraints among the statuses of the entities, and reflect the outcomes of the authorization control as well. Based on the presented templates and the state mechanism, the execution model is developed. A use case is proposed to show the authorization process of our proposed model. The extensive analyses are conducted to show its multi-grained constraints by comparing with other models.

XU Zhen,LI Lan,FENG Deng-Guo

DOI: https://doi.org/10.1360/jos160970

2005-01-01

Abstract:Delegation is an important security policy that should be supported by RBAC model. The basic idea of delegation is that some active entity in a system delegates authority to another active entity to carry out some functions on behalf of the former. The grantor of the delegated roles should be responsible for the usage of them, so constraints on the usage of the delegated roles are critical components of the whole delegation model. Currently, there’re some models that extend RBAC model to support role delegation. However, their supports for constraints on the usage of delegated roles are very limited. This paper presents the requirements of role-based delegation, including temporary constraints, regular role dependency constraints, partial delegation constraints and propagation constraints. The former two kinds of constraints are modeled with a formal model – CRDM, which provides the foundation for applications in need of the constrained delegation.

Linhua Zhou,Huajun Chen,Chunying Zhou,Zhang Yu

2008-01-01

Abstract:Recently, there has been a growing need for integrating legacy relational databases with semantic web ontologies, however, experience in building such applications has re- vealed a gap between semantic web languages and relational data model. We present a formal mapping system to bridge the gap and study the problem of reasoning and query answer- ing using view underlying the mapping system. Particularly, we consider a special mapping called "constraint mapping" between database integrity constraints and OWL axioms. We then propose an approach to incorporating these OWL ax- ioms and description logic reasoning into query rewriting us- ing views to enable the algorithm to answer more types of queries. The approach has been used to develop a pilot data integration application for neuroscience community.

许春根,严悍,刘凤玉

DOI: https://doi.org/10.3969/j.issn.1002-137X.2003.07.032

2003-01-01

Computer Science

Abstract:The access control is very important for the information management of modern enterprises . This paperproposes a framework of well-defined constraint specifications for developers to build application-level access controlbased on users' roles. They ensure that each role is configured with consistent privileges, each actor is authorized toproper roles and then each actor can activate and play his authorized roles without interest conflicts. These formalconstraint specifications are described by the first-order predicate logic, and also some properties are proved. Themodel provides relatively independent, consistent and inferable constraint specifications for developers to design ac-cess control of large and complex enterprise systems.

shaomin zhang,hongbian yang,baoyi wang

DOI: https://doi.org/10.1007/978-3-642-27287-5_94

2012-01-01

Abstract:For the problems of attribute elements maintenance difficulty and heterogeneous attribute of multi-domain in ABAC model, we propose the method of using ontology to maintain access control elements and distributed attribute management, which describe the logical relationships among attributes with OWL and introduce attribute mapping technology in access control decision-making. It can reduce the complexity of attribute management and raise the security of the cross-domain access. It makes up the defects in original ABAC model, and has a good reference to research the cross-domain access control.

Chao Huang,Jianling Sun,Xinyu Wang,Yuanjie Si

DOI: https://doi.org/10.1109/ISBIM.2008.132

2009-01-01

Abstract:In large enterprise software systems, users often need to delegate their authority to others. Permission base delegation model (PBDM) based on RBAC96 currently is the most attractive model to fulfill the delegation requirement since it supports partly delegation and multiple steps delegation. However in PBDM there is no explicit specification of the separation of duty (SOD) constraint, which is one of the most important constraints and is essential to the security of the system. In this paper, we analyze the SOD constraint in PBDM delegation model and give the formal definition for the constraint. We prove that the constraint violation will not happen at the stage of the delegation role definition whereas it can only happen at the stage of role assignment. We then propose a protective mechanism to prevent the illegal role delegation utilizing the prerequisite conditions which are a set of Boolean expressions. We also give the algorithm to check the prerequisite conditions to help the security administrator guarantee the safe role delegation.

Chungen Xu,Sheng Gong

DOI: https://doi.org/10.5539/cis.v2n2p68

2009-01-01

Abstract:Role-based access control(RBAC) is a promising technology for managing and enforcing security in large-scale enterprise-wide system, and we were motivated by the need to manage and enforce the strong access control technology of RBAC in large-scale Web environments.Majority of traditional access control models were passive data-protections, which were not suitable for large and complex multi-user interactive applications.In this paper, we develop a general model to control users' behaviors based on their roles actively, and proposes a framework of well-defined Formal Description for developers to build application-level access control based on users' roles.It ensure that each role is configured with consistent privileges, each actor is authorized to proper roles and then each actor can activate and play his authorized roles without interest conflicts.These formal specifications are consistent and inferable, complete and simplified, abundant and scalable for diversified multi-user applications.

Wan-Jun Yu,Da-You Liu,Li Jiang

DOI: https://doi.org/10.1007/978-1-4020-3953-9_42

2006-01-01

Abstract:Although there are some approaches to formally describe the authorization constraints, such as role-based access control models, they are not adequate to model such WFMSs’ constraints. To address this issue, this paper analyzes the existing methods and proposes a workflow authorization constraints model which including an authorization specification language named RWAL (role-based workflow authorization language) used to specify both static and dynamic authorization constraints. Its basic elements, syntax and semantics are discussed. It is the expanded version of Bertino’s and more intuitionistic. The expression power of the language is better than the Bertino’s in that it can not only represent both static authorization constraints and dynamic authorization constraints but also can capture the historical information of authorizations.

YU Wan-jun,LIU Da-you,LIU Quan,LI Jia-fei

DOI: https://doi.org/10.3969/j.issn.1006-5911.2005.09.021

2005-01-01

Abstract:The existing approaches of authorization constraints cannot describe the separation of duties well in the workflow management systems under which with the data movement from one task to next, and the change of task executors and users' access control at any moment. To solve this problem, a model of workflow authorization constraints was proposed. The role level function, the task partial relationship and the conflicting tasks in the context of workflow application were defined in the model. Based on the model, a language named role-task-based Workflow Authorization Language (WAL) was put forward to specify the workflow authorization constraints. The requests on the separation of duties in the workflow system could be correctly described by WAL. Static and authorized historical information could also be expressed. Meanwhile, the size of rules set obtained was relatively smaller. Finally the feasibility of the consistency validation in the time and the space was verified.

Yi Ren,Zhiting Xiao,Sipei Guo

DOI: https://doi.org/10.1109/isecs.2008.163

2008-01-01

Abstract:Role based access control (RBAC) has been widely adopted as a policy neutral access control model by many IT corporations. RBAC96, which is the most famous family of RBAC models, provides a common frame reference for related research and development. Many properties proposed in the family, e.g. limited inheritance, mutually exclusive roles, cardinality, and interaction, have been separately discussed in the previous work. In this paper, an extended RBAC model implementing those properties is proposed to provide an approach for implementing RBAC3. The extended RBAC model is based on deputy mechanism and is called deputy-based access control (DBAC). Since the private role hierarchy and constraint can be uniformly handled in DBAC, a flexible and powerful access control system can be implemented.

单徐梅,虞慧群

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.04.053

2010-01-01

Abstract:To satisfy dynamic authorization of WorkFlow Management System(WFMS) ,this paper proposes a Role-Based Access Control(RBAC) model that supports authorization constraint. In this model,authorization constraint model for WFMS is specified by Datalog logical language and an authorization algorithm is implemented using Datalog's decision,making mechanisms. WFMS's dynamic constrained authorization problem is solved with the method.

Han Yan,Chun-Gen Xu,Gong-Xuan Zhang,Feng-Yu Liu

DOI: https://doi.org/10.1145/346057.346074

2000-01-01

Abstract:Constraint specifications for access control organize a set of constraints to control human-computer interaction for users to perform their duties securely and efficiently. Constraint specifications are imperative for the access control and security management of large and complex multi-user interactive applications. Existing specifications of Role-based Access Control are incomplete and complicated. This paper proposes a framework of well-defined constraint specifications for developers to build application-level access control based on users' roles. They ensure that each role is configured with consistent privileges, each actor is authorized to proper roles and then each actor can activate and play his authorized roles without interest conflicts. These formal specifications are consistent and inferable, complete and simplified, abundant and scalable for diversified multi-user applications.