Rui Zhang,Fausto Giunchiglia,Bruno Crispo,Lingyang Song

DOI: https://doi.org/10.1007/s11277-009-9782-4

IF: 2.017

2009-01-01

Wireless Personal Communications

Abstract:Context-aware computing is an important aspect of the pervasive computing environment and its various dynamic context information brings new challenges to access control systems. In this paper a new access control model, relation based access control (RelBAC), is provided for context-aware environment with a domain specific Description Logic to formalize the model. The novelty of RelBAC is that permissions are formalized as binary relations between subjects and objects which could evolve with the dynamic contexts. The expressive power of RelBAC is illustrated in a case study of a project meeting event.

Lin Yao,Xiangwei Kong,Zichuan Xu

DOI: https://doi.org/10.1109/NCM.2008.75

2008-01-01

Abstract:Although RBAC models have received broad support as a generalized approach to access control, the administration of roles in large organizations can become quite cumbersome. In this paper, we develop a new paradigm for access control and authorization management, called task-role based access control (TRBAC) with multi-constraint. The basic idea of this model different from traditional RBAC is that roles and permissions are not connected directly but are put together by tasks. It is a dynamic authorization model with fine-grained partition on users, roles, tasks and sessions. The unit of task becomes the permission granularity. It is more convenient for enterprise privilege management such as distributed application,C/S access control and workflow management. It can reduce the administrator's burden and avoid some potential safety hazards because of adopted dynamic authorization.

JIANG Jie,ZHANG Jie,CHEN De-ren

DOI: https://doi.org/10.3785/j.issn.1008-973x.2009.09.011

2009-01-01

Abstract:An extended context-aware role based access control(RBAC) based on reasoning(RC-RBAC) model was proposed by integrating the single context-aware RBAC and reasoning-based RBAC in order to solve the problems of the Absence of the adjustment and generation of the context-aware condition dynamically and the incapacity of updating the user authorization according to the adjusted constrain conditions in the existing RBAC.The extended model used the rule reasoning to adjust and generate the context constrains dynamically and start the common sensors and the self-defined sensors to collect the attribute values of the conditions.The access permission to the sensitive data was updated in real time based on the context-aware logic reasoning using the user rules and permission rules.The application results show that the extended RC-RBAC model can be employed in the distributed environment to satisfy the need of the dynamic authorization and reduce the real-time access control management complexity.

Di Wu,Xiyuan Chen,Jian Lin,Miaoliang Zhu

DOI: https://doi.org/10.1007/11836025_19

2006-01-01

Abstract:Today, the formulation, specification, and verification of adequate data protection policies in open distributed environment appear as the main challenge to address concerning authorization Role-based access control models have attracted considerable research interest in recent years due to their innate ability to model organizational structure and their potential to reduce administrative overheads This paper proposes ontology specification to describe Role-based Access Control model and extend it with a general context expression Based on these definitions, the specification for interoperation in distributed environment is introduced The works include a definition of ontology to describe the concepts and a declaration of rules to explicit the relationship between concepts The ontology based approach can express security policy with semantic information and provide a machine interpretation for descriptions of policy in open distributed environment.

Wu Di,Jian Lin,Yabo Dong,Miaoliang Zhu

DOI: https://doi.org/10.1109/PDCAT.2005.247

2005-01-01

Abstract:Role-based access control (RBAC) models have generated a great interest in the security community as a powerful and generalized approach to security management. One of important aspects in RBAC is constraints that constrain what components in RBAC are allowed to do. There are lots of research have been achieved to specify constraints for secure system developers. However more work is need urgently to met requirements for interoperability of machine and people understandable constraints specification in open and distributed environment. In this paper we propose another approach to specify constraints using Semantic Web technologies. The Web Ontology Language (OWL) specification of basic RBAC components and constraints are described in detail.

Xiyuan Chen,Miaoliang Zhu

DOI: https://doi.org/10.4028/www.scientific.net/kem.439-440.178

2010-01-01

Abstract:Semantic; Trust Management; RBAC; User-role Assignment Abstract. The application of RBAC in access management of the enterprise services and resources is very widely. With phenomenal growth of information interaction and cooperation between distributed systems, the number of users can be in the hundreds of thousands or millions. This renders manual user-to-role assignment a formidable task. In this paper, we propose a semantic and trust based framework to automatically assign users to roles based on a finite set of assignment rules defined by authorized people in the enterprise. These rules take into consideration the attributes users own and any constraints set forth by the enterprise including the assignment history and the credit of the requester. We choose OWL to specify the user attributes.

shaomin zhang,hongbian yang,baoyi wang

DOI: https://doi.org/10.1007/978-3-642-27287-5_94

2012-01-01

Abstract:For the problems of attribute elements maintenance difficulty and heterogeneous attribute of multi-domain in ABAC model, we propose the method of using ontology to maintain access control elements and distributed attribute management, which describe the logical relationships among attributes with OWL and introduce attribute mapping technology in access control decision-making. It can reduce the complexity of attribute management and raise the security of the cross-domain access. It makes up the defects in original ABAC model, and has a good reference to research the cross-domain access control.

Malik Imran-Daud

DOI: https://doi.org/10.48550/arXiv.1612.09527

2016-12-30

Cryptography and Security

Abstract:Thanks to the advent of the Internet, it is now possible to easily share vast amounts of electronic information and computer resources (which include hardware, computer services, etc.) in open distributed environments. These environments serve as a common platform for heterogeneous users (e.g., corporate, individuals etc.) by hosting customized user applications and systems, providing ubiquitous access to the shared resources and requiring less administrative efforts; as a result, they enable users and companies to increase their productivity. Unfortunately, sharing of resources in open environments has significantly increased the privacy threats to the users. Indeed, shared electronic data may be exploited by third parties, such as Data Brokers, which may aggregate, infer and redistribute (sensitive) personal features, thus potentially impairing the privacy of the individuals. A way to palliate this problem consists on controlling the access of users over the potentially sensitive resources. Specifically, access control management regulates the access to the shared resources according to the credentials of the users, the type of resource and the privacy preferences of the resource/data owners. The efficient management of access control is crucial in large and dynamic environments. Moreover, in order to propose a feasible and scalable solution, we need to get rid of manual management of rules/constraints (in which most available solutions rely) that constitutes a serious burden for the users and the administrators. Finally, access control management should be intuitive for the end users, who usually lack technical expertise, and they may find access control mechanism more difficult to understand and rigid to apply due to its complex configuration settings.

BAO Zhigang,HU Yanjun,GU Xinjian

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.01.059

2006-01-01

Abstract:Firstly making reference to role based access control(RBAC)model,this paper proposes the basic idea about access control.Then it introduces database design of two realizing methods about access control and two methods’ realization in program,it also presents visual effect.Finally it analyzes and compares one to another in detail from two aspects of applicability and reusability.

Chen Zhao,NuerMaimaiti Heilili,Shengping Liu,Zuoquan Lin

2005-01-01

Abstract:Role-Based Access Control (RBAC) has been recognized as a strategy which reduces the cost and complexity of security administration in large-scale networked applications. A general family of RBAC models called RBAC96 was proposed by Sandhu et al. [1], which formally deflnes the relations among user, role and permission using the notion of set membership. Constraints is an important aspect of RBAC, which impose restrictions on acceptable conflgurations of the difierent components of RBAC. Nevertheless, it was discussed informally in the RBAC96 model. There has been some efiorts to present a logical framework for the access control models. Most of these works are based on flrst-order logic or its extensions. However, excessively rich expressiveness may bring on complex computation and confusion. We present a novel formalization of RBAC using a description logic approach. Compared with flrst-order logic, DLs achieve a better tradeofi between the computational complexity of reasoning and the expressiveness of the language. We choose the DL language ALC to represent core and hierarchical RBAC, and ALCQ that extends ALC by qualifled number restrictions to express RBAC constraints, including separation of duty and role cardinality. Based on our logical framework it is feasible to reason about RBAC and check the consistency of RBAC with constraints via a DL reasoner(e.g. RACER).

Hong Sun,Xueqin Zhang,Chunhua Gu

DOI: https://doi.org/10.14257/ijgdc.2014.7.3.01

2014-01-01

International Journal of Grid and Distributed Computing

Abstract:With the development of cloud computing, and as the basis of data services, security problems of cloud storage are growing more attention. Based on distributed storage, multidomain and multi-tenant characteristics, combined with access control technologies, this paper sets up the Role-based Access Control using Ontology and domians in Cloud Storage (DOnto_RBAC), which could provide a concise and effective strategy for service providers (isps). According to the characteristics of access control in cloud storage, based on the standards (called CDMI), this paper adds Domains and Time constraints of roles into RBAC. With ontology technologies and the OWL language, this paper establishes ontology model including entities' descriptions and strategies to realize reasoning of multi-domain access control permissions. We realized our system through Python and established Restful APIs. Experiments in campus-level cloud storage called Swift showed that, using requests with Restful format commands, DOnto_RBAC was proved to be effective to manage distributed and multi-domain data in cloud storage.

Jason Crampton,James Sellwood

DOI: https://doi.org/10.48550/arXiv.1505.07945

2015-09-19

Abstract:Recent work on relationship-based access control has begun to show how it can be applied to general computing systems, as opposed to simply being employed for social networking applications. The use of relationships to determine authorization policies enables more powerful policies to be defined than those based solely on the commonly used concept of role membership. The relationships, paths and principal matching (RPPM) model described here is a formal access control model using relationships and a two-stage request evaluation process. We make use of path conditions, which are similar to regular expressions, to define policies. We then employ non-deterministic finite automata to determine which policies are applicable to a request. The power and robustness of the RPPM model allows us to include contextual information in the authorization process (through the inclusion of logical entities) and allows us to support desirable policy foundations such as separation of duty and Chinese Wall. Additionally, the RPPM model naturally supports a caching mechanism which has significant impact on request evaluation performance.

Cryptography and Security

袁平鹏,陈刚,董金祥

DOI: https://doi.org/10.3321/j.issn:1003-9775.2004.04.006

2004-01-01

Abstract:An access control paradigm composed of basic model and role model is proposed for collaborative applications. Basic model specifies the relationship among privileges and the way of ranking privileges. It relates privilege with operations on the objects, so the model appears more straightforward. Moreover, if Brokers' implementation permits, the model can support any grained access control. Role model re-defines the role concept of RBAC96, divides the permissions of role into public permissions, protect permissions and private permissions. It allows user to define roles more flexibly, prevents private permissions of roles from being inherited and reduces the definition of ancillary roles.

Pranav Subramaniam,Sanjay Krishnan

2024-08-06

Abstract:In every enterprise database, administrators must define an access control policy that specifies which users have access to which assets. Access control straddles two worlds: policy (organization-level principles that define who should have access) and process (database-level primitives that actually implement the policy). Assessing and enforcing process compliance with a policy is a manual and ad-hoc task. This paper introduces a new paradigm for access control called Intent-Based Access Control for Databases (IBAC-DB). In IBAC-DB, access control policies are expressed more precisely using a novel format, the natural language access control matrix (NLACM). Database access control primitives are synthesized automatically from these NLACMs. These primitives can be used to generate new DB configurations and/or evaluate existing ones. This paper presents a reference architecture for an IBAC-DB interface, an initial implementation for PostgreSQL (which we call LLM4AC), and initial benchmarks that evaluate the accuracy and scope of such a system. We further describe how to extend LLM4AC to handle other types of database deployment requirements, including temporal constraints and role hierarchies. We propose RHieSys, a requirement-specific method of extending LLM4AC, and DePLOI, a generalized method of extending LLM4AC. We find that our chosen implementation, LLM4AC, vastly outperforms other baselines, achieving high accuracies and F1 scores on our initial Dr. Spider benchmark. On all systems, we find overall high performance on expanded benchmarks, which include state-of-the-art NL2SQL data requiring external knowledge, and real-world role hierarchies from the Amazon Access dataset.

Databases,Cryptography and Security

Nuermaimaiti Heilili,Yang Chen,Chen Zhao,Zhenxing Luo,Zuoquan Lin

DOI: https://doi.org/10.1007/11811220_15

2006-01-01

Abstract:Access control is an important issue related to the security on the Semantic Web. Role-Based Access Control (RBAC) is commonly considered as a flexible and efficient model in practice. In this paper, we provide an OWL-based approach for RBAC in the Semantic Web context. First we present an extended model of RBAC with negative authorization, providing detailed analysis of conflicts. Then we use OWL to formalize the extended model. Additionally, we show how to use an OWL-DL reasoner to detect the potential conflicts in the extended model.

Gang Liu,Lu Fang,Quan Wang,Xiaoqian Qi,Juan Cui,Jiayu Liu

DOI: https://doi.org/10.1007/978-3-030-15093-8_4

2018-01-01

Abstract:In information systems where there are a large number of different resources and the resource attributes change frequently, the security, reliability and dynamics of access permissions should be guaranteed. The changing raises security concerns related to authorization, and access control, but existing access control models are difficult to meet practical requirements. In this paper, a resource and attribute based access control model named RA-BAC was proposed. The model bases on attribute-based access control (ABAC) and links access control policy with resource, and redefines the access control rules. Besides, we compare RA-BAC and ABAC from the perspective of theory and simulation experiment respectively to show the advantage of RA-BAC model. We give a detailed analysis combining with instances to show the practicability of the RA-BAC model. RA-BAC solves the problems of policy conflict and policy library expansion in the ABAC model when there are too many resources and the attributes of resources are changed frequently in the system. Using RA-BAC model in system can makes permission query efficient and reduce workload of the system administrator of managing the policy library.

Qingguo Xie

2006-01-01

Abstract:An Ontology-based approach to define the authorization policies of an RB-RBAC model wasproposed ,by which one can effectively define complex attribute expressions,quasi-order relation definition among attribute values and role hierarchies among roles in the OWL style policies.Comparison between attribute expressions without identical syntax structures is permitted to gain an insight into the relationships of all kinds of authorization rules.We can make authorization decision and perform seniority levels reasoning via an OWL reasoner.Moreover,conflicts among related authorization rules can be detected by consistency check.

Yingjie Wang,Zhihong Zhou,Jianhua Li

DOI: https://doi.org/10.1007/978-3-642-54924-3_106

2014-01-01

Abstract:Now, organizations are required to comply with existing privacy protection regulations on data collection, use, and disclosure. Privacy preservation in a data-sharing computing environment is becoming a challenging problem. The core part of privacy protection is purposes for and circumstances under which the data can be accessed. It must be ensured that data can only be used for its intended purposes, so the access purpose should be compliant with the intended purposes. In this paper, the role-based access control (RBAC) model is extended to incorporate the notion of purpose. Relationships between purposes are defined. It is investigated that how different components in the RBAC model are related to purpose and how the purpose information can be used to determine whether a subject has access to a given object. The model can suit for applications consisting of static and dynamic objects, where both access purpose and intended purpose are needed for consideration before granting access.

Chen Zhao,Nuermaimaiti Heilili,Shengping Liu,Zuoquan Lin

DOI: https://doi.org/10.1007/11560647_25

2005-01-01

Abstract:Role-based access control (RBAC) is recognized as an excellent model for access control in large-scale networked applications. Formalization of RBAC in a logical approach makes it feasible to reason about a specified policy and verify its correctness. We propose a formalization of RBAC by the description logic language $\mathcal{ALCQ}$. We also show that the RBAC constraints can be captured by $\mathcal{ALCQ}$. Furthermore, we demonstrate how to make access control decision, perform the RBAC functions as well as check the consistency of RBAC via the description logic reasoner RACER.

Q Li,JP Shi,SH Qing

DOI: https://doi.org/10.1109/icebe.2005.23

2005-01-01

Abstract:Role-based access control (RBAC) model has been widely deployed for Web security. In some large-enterprise-wide situations, however, this model is difficult to manage due to huge amount of users, roles and interrelationships. As a result, the applications of this model are greatly limited. To address this problem, we present in this paper a decentralized RBAC model (DRBAC) by proposing a new concept of groups and by introducing non-trivial modifications to the user-role assignment of the existing models