Xiyuan Chen,Miaoliang Zhu

DOI: https://doi.org/10.4028/www.scientific.net/kem.439-440.178

2010-01-01

Abstract:Semantic; Trust Management; RBAC; User-role Assignment Abstract. The application of RBAC in access management of the enterprise services and resources is very widely. With phenomenal growth of information interaction and cooperation between distributed systems, the number of users can be in the hundreds of thousands or millions. This renders manual user-to-role assignment a formidable task. In this paper, we propose a semantic and trust based framework to automatically assign users to roles based on a finite set of assignment rules defined by authorized people in the enterprise. These rules take into consideration the attributes users own and any constraints set forth by the enterprise including the assignment history and the credit of the requester. We choose OWL to specify the user attributes.

Chen Zhao,NuerMaimaiti Heilili,Shengping Liu,Zuoquan Lin

2005-01-01

Abstract:Role-Based Access Control (RBAC) has been recognized as a strategy which reduces the cost and complexity of security administration in large-scale networked applications. A general family of RBAC models called RBAC96 was proposed by Sandhu et al. [1], which formally deflnes the relations among user, role and permission using the notion of set membership. Constraints is an important aspect of RBAC, which impose restrictions on acceptable conflgurations of the difierent components of RBAC. Nevertheless, it was discussed informally in the RBAC96 model. There has been some efiorts to present a logical framework for the access control models. Most of these works are based on flrst-order logic or its extensions. However, excessively rich expressiveness may bring on complex computation and confusion. We present a novel formalization of RBAC using a description logic approach. Compared with flrst-order logic, DLs achieve a better tradeofi between the computational complexity of reasoning and the expressiveness of the language. We choose the DL language ALC to represent core and hierarchical RBAC, and ALCQ that extends ALC by qualifled number restrictions to express RBAC constraints, including separation of duty and role cardinality. Based on our logical framework it is feasible to reason about RBAC and check the consistency of RBAC with constraints via a DL reasoner(e.g. RACER).

Gang Yin,Meng Teng,Huai-min Wang,Yan Jia,Dian-xi Shi

DOI: https://doi.org/10.1007/978-3-540-30566-8_98

2004-01-01

Abstract:In this paper, we distinguish between authorization problems at management level and request level in open decentralized systems, using delegation for flexible and scalable authorization management. The delegation models in existing approaches are limited within one level or only provide basic delegation schemes, and have no effective control over the propagation scope of delegated privileges. We propose REAL, a Role-based Extensible Authorization Language framework for open decentralized systems. REAL covers delegation models at both two levels and provides more flexible and scalable authorization and delegation policies while capable of restricting the propagation scope of delegations. We formally define the semantics of credentials in REAL by presenting a translation algorithm from credentials to Datalog rules (with negation-as-failure). This translation also shows that the semantics can be computed in polynomial time.

Gang Yin,Huaimin Wang,Dian-xi Shi,Yan Jia,Meng Teng

DOI: https://doi.org/10.1145/1046290.1046329

2004-01-01

Abstract:In this paper, we concentrate on the delegation problem in trust management (TM) systems. One key point for delegation models is to find the balance between flexibility and controllability. Delegation models in existing TM systems usually have no effective control over delegated privileges or try to enforce too strict constraint on delegation that raises difficulty in policy definition and computational-model constructing. We propose a role-based constrained delegation Model called RCDM04, which is a constrained extension of current role-based trust management systems. RCDM04 comprises a novel delegation framework for multi-centric authorization and proxy-based authentication, proposing to use trusted scope and delegation depth to control the propagation of delegated privileges. This paper also introduces a rule-based language for specifying and enforcing the policies in the model.

YE Chunxiao,LUO Juan,ZHOU Jiagen

DOI: https://doi.org/10.3778/j.issn.1002-8331.1106-0276

2013-01-01

Computer Engineering and Applications Journal

Abstract:Role delegation between users is an important security policy that should be supported for RBAC mode. The basic idea of delegation is that some users in a system delegate their roles to other users to carry out some specific functions on behalf of the former. This paper describes the RBAC delegation with ontology. Meanwhile some rules in form of SWRL have been defined for the delegation to reason within mutual exclusive constraint, time constraint, overlap constraint and prerequisite role constraint, so as to ensure the security and self-determination of the delegation system.

XU Zhen,LI Lan,FENG Deng-Guo

DOI: https://doi.org/10.1360/jos160970

2005-01-01

Abstract:Delegation is an important security policy that should be supported by RBAC model. The basic idea of delegation is that some active entity in a system delegates authority to another active entity to carry out some functions on behalf of the former. The grantor of the delegated roles should be responsible for the usage of them, so constraints on the usage of the delegated roles are critical components of the whole delegation model. Currently, there’re some models that extend RBAC model to support role delegation. However, their supports for constraints on the usage of delegated roles are very limited. This paper presents the requirements of role-based delegation, including temporary constraints, regular role dependency constraints, partial delegation constraints and propagation constraints. The former two kinds of constraints are modeled with a formal model – CRDM, which provides the foundation for applications in need of the constrained delegation.

Wei SUN,Chang-an WU,Rui-min WANG

DOI: https://doi.org/10.3778/j.issn.1002-8331.2008.36.071

2008-01-01

Abstract:Existing user to user role -based delegation models did not solve the problem of delegation conflicts.This paper describes role -based delegation module of RBAC,its properties,constraint rules and supposes a Role -based Constrained Delegation Model (RCDM),its structure and function in the practice,which satisfies the least privilege and separation of duty principles.This paper also presents the delegation constraints specification language RDCL based on RCDM.RCDL is proved equivalent to RFOPL by reduction algorithm and construction algorithm,and the soundness and completeness of RDCL is discussed.Finally,expressions of RCDM are described by RDCL,and the problem of delegation conflicts is solved efficiently.

Li MA,Shi-long MA,Yue-fei SUI,Sheng-wei YI

DOI: https://doi.org/10.3969/j.issn.1002-137X.2010.03.006

2010-01-01

Computer Science

Abstract:Role-Based Access Control (RBAC)controls the user's access to resources by indirectly using roles, which simplifies the security management greatly. Although the research of RBAC model is a mature area, the lack of formalization of RBAC results in uncertainty and confusion about the concepts and meaning of RBAC. Description Logic (DL) is a kind of object-based knowledge representation formalism, and also a decidable fragment of first-order predicate logic, with well-defined semantics and powerful representation capability. To give a formal description of RBAC, this paper took RBAC96 as a reference model and proposed a new formalized method to RBAC with description logic, called DL_(RBAC), which gives formal definitions to the concepts and relations of RBAC This paper also proved that the formal representation is faithful to RBAC model Based on the formalized model, we can further Study RBAC.

Chao Huang,Jianling Sun,Xinyu Wang,Yuanjie Si

DOI: https://doi.org/10.1109/ISBIM.2008.132

2009-01-01

Abstract:In large enterprise software systems, users often need to delegate their authority to others. Permission base delegation model (PBDM) based on RBAC96 currently is the most attractive model to fulfill the delegation requirement since it supports partly delegation and multiple steps delegation. However in PBDM there is no explicit specification of the separation of duty (SOD) constraint, which is one of the most important constraints and is essential to the security of the system. In this paper, we analyze the SOD constraint in PBDM delegation model and give the formal definition for the constraint. We prove that the constraint violation will not happen at the stage of the delegation role definition whereas it can only happen at the stage of role assignment. We then propose a protective mechanism to prevent the illegal role delegation utilizing the prerequisite conditions which are a set of Boolean expressions. We also give the algorithm to check the prerequisite conditions to help the security administrator guarantee the safe role delegation.

Chunhua GU,Xueqin ZHANG,Guoxin SONG

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.12.063

2006-01-01

Abstract:The paper puts forward a delegation logic based access control model (DLBAC). It translates the credentials, RBAC elements and access policies into unified delegation logic rules. An access unit (AU) wraps an AC system. The standard interface of AU is also defined. Then, the external access control is transformed into internal access control. This AC model can protect the assets and share the resource in collaborative environment.

HUANG Xiaoming,JIANG Xinghao,LI Lan

DOI: https://doi.org/10.3969/j.issn.1009-8054.2007.05.042

2007-01-01

Abstract:Role-based delegation model(RDM) is a hotspot for RBAC research. In this paper￡?several typical role-based delegation models are analyzed,a series of disadvantages are pointed out,and we present an enhanced role-based delegation model(ERDM) and analyze many characteristics and revocation policy.

张润莲,武小年,董小社

DOI: https://doi.org/10.3724/sp.j.1087.2008.01365

2008-01-01

Journal of Computer Applications

Abstract:Concerning the authority in distributed environment for collaboration,a dynamic authorization scheme was presented based on delegation and RBAC model.The scheme supports partial role delegation,by expanding element sets of RBAC model,enlarging static authorization operations,and allowing the delegator to create temporary delegation roles and assign others(the delegatee) to the particular roles.The scheme was implemented by three-level frameworks,and the operating process about how to authorize dynamically in delegation model was described.The application shows that the scheme can adapt to distributed and dynamic environment,and follow the least privilege principle.

Li Ma,Shilong Ma,Yuefei Sui

DOI: https://doi.org/10.3969/j.issn.1002-137X.2010.03.006

2010-01-01

Abstract:A new description logic-based representation for role-based accesss control(RBAC) model was proposed.RBAC sets and relations were translated as concepts and roles in the description logic respectively.To express RBAC role default inheritance and constraint conditions,symbols that represented role composition and inclusion were introduced to the basic description logic language,such that some RBAC default inheritance properties,such as role hierarchy(RH) transitivity,user-role assignment(UA) inheritance and permission-role assignment(PA) inheritance,and some RBAC constraints,such as static and dynamic separation of duty relations,can be represented formally.By integrating default inheritance with constraints in one formal system,the new inheritance relations that violate the access control strategy can be limited with the help of description logic reasoning mechanisms.

GUI Jin-song,CHEN Zhi-gang,LIU An-feng,DENG Xiao-heng

2009-01-01

Abstract:In distributed environments, delegation relationships across multiple security domains are ubiquitous. To satisfy various restricted delegation requirements of actual applications, on the basis of the existing works, a Hierarchical Role-based Restricted Delegation Model (HRRDM) was proposed. The role tree was defined to solve the partial delegation problem, and the delegation spread tree and the role delegation chain were defined to solve the multi-step delegation problem and the problem of multi-step delegation dependency respectively. The delegation certification was proposed to support requirements of temporary delegation, associated role delegation, partial delegation, multi-step delegation in actual applications, and the dynamic characteristic of delegation role granting or revocation was effectively supported. Finally, the extensive execution model of HRRDM was formalized and proved, and the simulation analyzing of the execution model was given to validate its availability.

Chen Zhao,Nuermaimaiti Heilili,Shengping Liu,Zuoquan Lin

DOI: https://doi.org/10.1007/11560647_25

2005-01-01

Abstract:Role-based access control (RBAC) is recognized as an excellent model for access control in large-scale networked applications. Formalization of RBAC in a logical approach makes it feasible to reason about a specified policy and verify its correctness. We propose a formalization of RBAC by the description logic language $\mathcal{ALCQ}$. We also show that the RBAC constraints can be captured by $\mathcal{ALCQ}$. Furthermore, we demonstrate how to make access control decision, perform the RBAC functions as well as check the consistency of RBAC via the description logic reasoner RACER.

Li Ma,Shilong Ma,Jianghua Lv,Yuefei Sui

DOI: https://doi.org/10.1109/ICCIT.2009.29

2009-01-01

Abstract:Applications in the open and dynamic environment become more intelligent and complicated. To secure these applications is a big challenge. RBAC model, as a de facto standard in access control field, is widely used in many applications. But the lack of dynamic and formal method to describe RBAC makes the model can’t completely adapt to the open and dynamic environment. To solve this problem, we introduce a three level RBAC model which unifies the administrative components, the administrative actions and the regular RBAC components, and also proposes a dynamic description logic, called DDLRBAC, to formalize the three level model. Based on the formal description of RBAC with DDLRBAC, an executable action decision algorithm to guarantee the dynamic consistency of systems is also presented.

Yanzhang Wang

2012-01-01

Computer Integrated Manufacturing Systems

Abstract:Aiming at the delegation problem in information system,by starting with the existing problems of Role-based Network Model(RNM)in delegation process,the role-based network was improved from three aspects:the inheritance relationship between roles;the agreement between two sides in delegation process;the fine-grained dynamic control in delegation process;and Role-based Network Dynamic Delegation Model(RNDDM)was proposed further.This model not only inherited all the advantages of RNM,but also provided fine-grained dynamic control and the approach for two sides to reach agreement in delegation process.The good physical and space-time properties of RNDDM made delegation process simple and controllable.Based on elaborating the basic idea,the component and the formal model of RNM,the specific realization process of delegation's setting and revocation in different circumstance was given by examples.

Gang Yin,Huai-min Wang,Tao Liu,Ming-feng Chen,Dian-xi Shi

DOI: https://doi.org/10.1007/11573937_20

2005-01-01

Abstract:Trust management uses delegation to enable decentralized authorization across administrative domains. Delegation passes one’s authority over resources to trusted entities and thus enables more flexible and scalable authorization. However, unrestricted delegation may result in privilege proliferation and breach the privacy of information systems. The delegation models of existing trust management systems do not provide effective control on delegation propagation, and the correctness of constraint enforcement mechanisms is not formally analyzed, which may lead to privilege proliferation. In this paper, we propose a role-based constrained delegation model (RCDM), which restricts the propagation scope of delegation trees by a novel delegation constraint mechanism named spacial constraint. This paper also introduces a rule-based language to specify the policies and the deduction algorithm for constrained delegation defined in RCDM. The soundness and completeness properties of the deduction algorithm ensure the safety and availability of our delegation model.

SUN Wei,WANG Lei,LU Jun

DOI: https://doi.org/10.3969/j.issn.1009-3044.2011.20.004

2011-01-01

Abstract:Aiming at the problem that the existing delegation models based on RBAC did not support group delegatiom,this paper proposed a role-based flexible group delegation model.Delegation relation,delegation authorization,revocation and the process of delegation were presented.The model presents a flexible mechanism of delegation,and accomplishs the unified delegation from some user to group users in the distributed collaboration of work.

Yunqing Fu,Chunxiao Ye,Ning Li,Juan Lei

DOI: https://doi.org/10.1049/cp:20061563

2006-01-01

Abstract:In existing information systems, a delegation means a user who can assign his/her permissions to someone. In these information systems, however, the delegation security depends entirely on delegations and system administrators, for delegation constraint in delegation is only a prerequisite role. This paper proposes an Attribute-Based Delegation Model (ABDM) with an extended delegation condition consisting of both delegation attribute expression (DAE) and delegation prerequisite role (CR). In ABDM, a delegator can restrict the delegatee candidates more strictly, thus relieves delegator and system administrator of security management workload in delegation. To implement ABDM in a web or distributed environment, XML is employed to represent all kinds of data used in delegation, such as user, permission, role, delegation attribute expression, prerequisite role and other delegation constraints. An implementation architecture of ABDM is also given in this paper.