Li Ma,Shilong Ma,Yuefei Sui

DOI: https://doi.org/10.1109/FGCN.2007.8

2007-01-01

Abstract:Traditional RBAC model describes a static access control policy. As the development of network application, such as Web services, access control faces many new challenges, one of which is that access control policies need to protect not only static resources but also dynamic ones that are encapsulated in a service. In order to capture the flexibility of application, we specify a fine-grained control on individual users by introducing user attributes which are associated to user's role and permission. We take the service as an action that changes some of user's attributes so as to adjust users' permission at run. In order to represent and reason on the access control automatically, we use the description logics combined with prepositional dynamic logic as a logic framework to construct a knowledge base for the access control and action rules, and semantically explain how a user's permission can be changed at runtime.

JIANG Jie,ZHANG Jie,CHEN De-ren

DOI: https://doi.org/10.3785/j.issn.1008-973x.2009.09.011

2009-01-01

Abstract:An extended context-aware role based access control(RBAC) based on reasoning(RC-RBAC) model was proposed by integrating the single context-aware RBAC and reasoning-based RBAC in order to solve the problems of the Absence of the adjustment and generation of the context-aware condition dynamically and the incapacity of updating the user authorization according to the adjusted constrain conditions in the existing RBAC.The extended model used the rule reasoning to adjust and generate the context constrains dynamically and start the common sensors and the self-defined sensors to collect the attribute values of the conditions.The access permission to the sensitive data was updated in real time based on the context-aware logic reasoning using the user rules and permission rules.The application results show that the extended RC-RBAC model can be employed in the distributed environment to satisfy the need of the dynamic authorization and reduce the real-time access control management complexity.

Lin Yao,Xiangwei Kong,Zichuan Xu

DOI: https://doi.org/10.1109/NCM.2008.75

2008-01-01

Abstract:Although RBAC models have received broad support as a generalized approach to access control, the administration of roles in large organizations can become quite cumbersome. In this paper, we develop a new paradigm for access control and authorization management, called task-role based access control (TRBAC) with multi-constraint. The basic idea of this model different from traditional RBAC is that roles and permissions are not connected directly but are put together by tasks. It is a dynamic authorization model with fine-grained partition on users, roles, tasks and sessions. The unit of task becomes the permission granularity. It is more convenient for enterprise privilege management such as distributed application,C/S access control and workflow management. It can reduce the administrator's burden and avoid some potential safety hazards because of adopted dynamic authorization.

Chen Zhao,NuerMaimaiti Heilili,Shengping Liu,Zuoquan Lin

2005-01-01

Abstract:Role-Based Access Control (RBAC) has been recognized as a strategy which reduces the cost and complexity of security administration in large-scale networked applications. A general family of RBAC models called RBAC96 was proposed by Sandhu et al. [1], which formally deflnes the relations among user, role and permission using the notion of set membership. Constraints is an important aspect of RBAC, which impose restrictions on acceptable conflgurations of the difierent components of RBAC. Nevertheless, it was discussed informally in the RBAC96 model. There has been some efiorts to present a logical framework for the access control models. Most of these works are based on flrst-order logic or its extensions. However, excessively rich expressiveness may bring on complex computation and confusion. We present a novel formalization of RBAC using a description logic approach. Compared with flrst-order logic, DLs achieve a better tradeofi between the computational complexity of reasoning and the expressiveness of the language. We choose the DL language ALC to represent core and hierarchical RBAC, and ALCQ that extends ALC by qualifled number restrictions to express RBAC constraints, including separation of duty and role cardinality. Based on our logical framework it is feasible to reason about RBAC and check the consistency of RBAC with constraints via a DL reasoner(e.g. RACER).

Li MA,Shi-long MA,Yue-fei SUI,Sheng-wei YI

DOI: https://doi.org/10.3969/j.issn.1002-137X.2010.03.006

2010-01-01

Computer Science

Abstract:Role-Based Access Control (RBAC)controls the user's access to resources by indirectly using roles, which simplifies the security management greatly. Although the research of RBAC model is a mature area, the lack of formalization of RBAC results in uncertainty and confusion about the concepts and meaning of RBAC. Description Logic (DL) is a kind of object-based knowledge representation formalism, and also a decidable fragment of first-order predicate logic, with well-defined semantics and powerful representation capability. To give a formal description of RBAC, this paper took RBAC96 as a reference model and proposed a new formalized method to RBAC with description logic, called DL_(RBAC), which gives formal definitions to the concepts and relations of RBAC This paper also proved that the formal representation is faithful to RBAC model Based on the formalized model, we can further Study RBAC.

Li Ma,Shilong Ma,Yuefei Sui

DOI: https://doi.org/10.3969/j.issn.1002-137X.2010.03.006

2010-01-01

Abstract:A new description logic-based representation for role-based accesss control(RBAC) model was proposed.RBAC sets and relations were translated as concepts and roles in the description logic respectively.To express RBAC role default inheritance and constraint conditions,symbols that represented role composition and inclusion were introduced to the basic description logic language,such that some RBAC default inheritance properties,such as role hierarchy(RH) transitivity,user-role assignment(UA) inheritance and permission-role assignment(PA) inheritance,and some RBAC constraints,such as static and dynamic separation of duty relations,can be represented formally.By integrating default inheritance with constraints in one formal system,the new inheritance relations that violate the access control strategy can be limited with the help of description logic reasoning mechanisms.

Xiyuan Chen,Miaoliang Zhu

DOI: https://doi.org/10.4028/www.scientific.net/kem.439-440.178

2010-01-01

Abstract:Semantic; Trust Management; RBAC; User-role Assignment Abstract. The application of RBAC in access management of the enterprise services and resources is very widely. With phenomenal growth of information interaction and cooperation between distributed systems, the number of users can be in the hundreds of thousands or millions. This renders manual user-to-role assignment a formidable task. In this paper, we propose a semantic and trust based framework to automatically assign users to roles based on a finite set of assignment rules defined by authorized people in the enterprise. These rules take into consideration the attributes users own and any constraints set forth by the enterprise including the assignment history and the credit of the requester. We choose OWL to specify the user attributes.

Di Wu,Xiyuan Chen,Jian Lin,Miaoliang Zhu

DOI: https://doi.org/10.1007/11836025_19

2006-01-01

Abstract:Today, the formulation, specification, and verification of adequate data protection policies in open distributed environment appear as the main challenge to address concerning authorization Role-based access control models have attracted considerable research interest in recent years due to their innate ability to model organizational structure and their potential to reduce administrative overheads This paper proposes ontology specification to describe Role-based Access Control model and extend it with a general context expression Based on these definitions, the specification for interoperation in distributed environment is introduced The works include a definition of ontology to describe the concepts and a declaration of rules to explicit the relationship between concepts The ontology based approach can express security policy with semantic information and provide a machine interpretation for descriptions of policy in open distributed environment.

Wu Di,Jian Lin,Yabo Dong,Miaoliang Zhu

DOI: https://doi.org/10.1109/PDCAT.2005.247

2005-01-01

Abstract:Role-based access control (RBAC) models have generated a great interest in the security community as a powerful and generalized approach to security management. One of important aspects in RBAC is constraints that constrain what components in RBAC are allowed to do. There are lots of research have been achieved to specify constraints for secure system developers. However more work is need urgently to met requirements for interoperability of machine and people understandable constraints specification in open and distributed environment. In this paper we propose another approach to specify constraints using Semantic Web technologies. The Web Ontology Language (OWL) specification of basic RBAC components and constraints are described in detail.

Cheng Zang,Zhongdong Huang,Ke Chen,Jinxiang Dong

DOI: https://doi.org/10.1007/978-3-540-72863-4_64

2007-01-01

Abstract:Dynamic policy enables the system to adjust the policies according to the changing circumstance, and makes the system more flexible and adaptive. We have proposed a dynamic model and the idea is to dynamically change the policy according to a pair of states rather than one state, which provides more information for the policy decision making, thus makes policy more accurate. The dynamic policy architecture based on this model is built in this paper, and we describe the components and steps of detecting a change, deciding the pair of current and previous states and picking up the policy according to the change.

Qi Xie,Dayou Liu,Haibo Yu

DOI: https://doi.org/10.1007/11795131_88

2006-01-01

Abstract:Rule-Based RBAC (RB-RBAC) provides the mechanism to dynamically assign users to roles based on authorization rules defined by security policy. In RB-RBAC, seniority levels of rules are also introduced to express domination relationship among rules. Hence, relations among attribute expressions may be quite complex and security officers may perform incorrect or unintended assignments if they are not aware of such relations behind authorization rules. We proposed a formalization of RB-RBAC by description logic. A seniority relation determination method is developed based on description logic reasoning services. This method can find out seniority relations efficiently even for rules without identical syntax structures

Chen Zhao,Nuermaimaiti Heilili,Shengping Liu,Zuoquan Lin

DOI: https://doi.org/10.1007/11560647_25

2005-01-01

Abstract:Role-based access control (RBAC) is recognized as an excellent model for access control in large-scale networked applications. Formalization of RBAC in a logical approach makes it feasible to reason about a specified policy and verify its correctness. We propose a formalization of RBAC by the description logic language $\mathcal{ALCQ}$. We also show that the RBAC constraints can be captured by $\mathcal{ALCQ}$. Furthermore, we demonstrate how to make access control decision, perform the RBAC functions as well as check the consistency of RBAC via the description logic reasoner RACER.

liangyu li,yuanning liu,xiaodong zhu,biao huang,youwei wang

DOI: https://doi.org/10.2991/meita-15.2015.185

2015-01-01

Abstract:The traditional Role-Based Access Control(RBAC) model([1]) is widely used in enterprises, but it's control granularity is too single and it's permissions configuration is too complex. This paper introduces the concepts of coarse-granularity and fine-granularity([2]), and puts forward a RBAC model that supports authorization with the combination of static and dynamic. In this paper, we first show the overall structure of the model, then divide the model into two parts of permissions configuration and permissions control to describe. In each part, we introduce the related basic elements and design the algorithms. Finally, this paper shows the application based on this model. And tests shows that the model is a good solution to these problems and has good feasibility and effectiveness.

Han Jian-min,Li Xi-yu,Yu Hui-qun,Tong Jun

DOI: https://doi.org/10.1109/grc.2008.4664701

2009-01-01

Abstract:RBAC(Role-Based Access Control) has been widely investigated and adopted for its simplicity and effectiveness. However there still exist some defects in it, including: (1) traditional RBAC does not consider time and context factors. (2) traditional RBAC only defines a simple logical relationship among roles and permissions, which makes it incompetent to solve authorization problem for large-scale dynamic systems. To remedy these defects, the paper introduces granular computing to RBAC and proposes G-P-BA C modeL G-RBAC granulates permissions and roles, and introduces time and context factors to them. The paper also defines elements' logical relationship in G-RBAC based on granular logic and realizes authorization decision-making by granular logic reasoning. The application examples show that G-RBAC can enhance flexibility of authorization, and realize fine grained access control effectively for large scale enterprise information system.

Rui Zhang,Alessandro Artale,Fausto Giunchiglia,Bruno Crispo

2009-01-01

Abstract:Relation Based Access Control (RelBAC) is an access control model designed for the new scenarios of access control onWeb 2.0. Under this model, we discuss in this paper how to formalize with Description Logics the typical authorization problems of access control together with the enforcement of an important security property: Separation of Duties (SoD) and some high level security policies about the composition of those subjects on which to separate the duties.

Junbiao Wang,Jianxin Zhang,Jianjun Jiang,Shichao Zhang

DOI: https://doi.org/10.3969/j.issn.1000-2758.2008.04.005

2008-01-01

Xibei Gongye Daxue Xuebao/Journal of Northwestern Polytechnical University

Abstract:Aim. Existing access control models are, in our opinion, not sufficiently effective. We now propose a novel access control model based on RBAC (Role-Based Access Control), which, we believe, is sufficiently effective. In the full paper, we explain our model in some detail. In this abstract, we just add some pertinent remarks to listing the two topics of explanation. The first topic is: the analysis of RBAC-based access control model. In the first topic, with the help of Fig.1 in the full paper, we explain in some detail how the FICS (Flexible Information Coding System) controls access. The second topic is: the implementation of our novel and effective RBAC-based access control model. Its three subtopics are: the concepts of traditional RBAC model that we utilize (subtopic 2.1), the restrictions we impose on accessing our novel and effective model (subtopic 2.2), and the access assignment strategy of FICS (subtopic 2.3). A large Chinese aircraft manufacturing enterprise has made use of our novel and effective RBAC-based access control model and has gradually widened and continues to widen the scope of its application. How the large enterprise utilizes our novel and effective model are briefly described in Fig.4 and Table 1 in the full paper.

Chungen Xu,Han YAN,Fengyu LIU

DOI: https://doi.org/10.3321/j.issn:1002-8331.2001.08.004

2001-01-01

Abstract:The control to access resources in organization has become increasingly important,and Role Based Access control (RBAC)technology is rapidly developing along with the internet. In RBAC,The Role is a important concept,and must be properly constructed to reflect organizational access control policy and needs. In this paper we represent a RBAC model with this well-known modeling language UML to reduce a gap between security models and system developments. We specify the RBAC model with three views:static view,functional view,and dynamic view. Several frameworks for the development of role-based systems have been introduced. However , there are a few works specifying RBAC in a way which system developers can easily understand and refer to develop role-based systems.

皮建勇,刘心松

DOI: https://doi.org/10.3969/j.issn.1009-3087.2005.01.027

2005-01-01

Abstract:In order to express the complicated and dynamic access control authorization relations in the real world,a novel model—TD-RBAC(Task-based Dynamic RBAC) was proposed.The concurrent transaction logic was described by the extended predicate task model and the dynamic constraint relations among the subtasks was found out by analyzing the concurrent executive net of subtasks.The dynamic role constraint relations based on the traditional RBAC was extended. The analysis of the performance evaluating showed that the TD-RBAC has favorable access control efficiency under the distributed parallel computing.

Ding Xiaoming,Kuang Li

DOI: https://doi.org/10.3969/j.issn.1000-386X.2011.06.033

2011-01-01

Abstract:For the inadequacies of classic RBAC model such as the cumbersome operation in complex application systems and the difficulty to map organisation structures,we propose a constrained RBAC model supporting role bidirectional inheritance,BI-RBAC.The model extends the classic RBAC model,adds virtual role and its hierarchy to support the role bidirectional inheritance,and define the concept of resource operation.While giving the formal definition of the model,the access control algorithm is designed as well.The model has been applied to the self-developed large-scale Jtang Middleware platform,and can well support the Hundsun stock exchange system and other large application systems.

ZHANG Shuai,SUN Jian-ling,XU Bin,HUANG Chao

DOI: https://doi.org/10.3785/j.issn.1008-973X.2012.11.015

2012-01-01

Abstract:A dynamic multiple domains access control model base on role based access control(RBAC) was proposed in order to solve the problem that current single domain based access control model cannot fulfill the authorization requirements for service compositions crossing multiple enterprises.The process structures were analyzed and a role mining algorithm was proposed to find the role set with minimized permissions that meet the access requirements of composite services.Authorization negotiations were set up among relevant domains for each cross domain operation in composite services and cross domain role mappings were built according the mined role sets with minimized cost to fulfill the cross domain operations.Based on this model,a runtime framework aligned with current industry standard was proposed to authorize dynamically based on the current running status of composite services.Simulation experiments showed the effectiveness of key part of the role mining algorithm.