JIANG Jie,ZHANG Jie,CHEN De-ren

DOI: https://doi.org/10.3785/j.issn.1008-973x.2009.09.011

2009-01-01

Abstract:An extended context-aware role based access control(RBAC) based on reasoning(RC-RBAC) model was proposed by integrating the single context-aware RBAC and reasoning-based RBAC in order to solve the problems of the Absence of the adjustment and generation of the context-aware condition dynamically and the incapacity of updating the user authorization according to the adjusted constrain conditions in the existing RBAC.The extended model used the rule reasoning to adjust and generate the context constrains dynamically and start the common sensors and the self-defined sensors to collect the attribute values of the conditions.The access permission to the sensitive data was updated in real time based on the context-aware logic reasoning using the user rules and permission rules.The application results show that the extended RC-RBAC model can be employed in the distributed environment to satisfy the need of the dynamic authorization and reduce the real-time access control management complexity.

Xiyuan Chen,Miaoliang Zhu

DOI: https://doi.org/10.4028/www.scientific.net/kem.439-440.178

2010-01-01

Abstract:Semantic; Trust Management; RBAC; User-role Assignment Abstract. The application of RBAC in access management of the enterprise services and resources is very widely. With phenomenal growth of information interaction and cooperation between distributed systems, the number of users can be in the hundreds of thousands or millions. This renders manual user-to-role assignment a formidable task. In this paper, we propose a semantic and trust based framework to automatically assign users to roles based on a finite set of assignment rules defined by authorized people in the enterprise. These rules take into consideration the attributes users own and any constraints set forth by the enterprise including the assignment history and the credit of the requester. We choose OWL to specify the user attributes.

Chen Zhao,NuerMaimaiti Heilili,Shengping Liu,Zuoquan Lin

2005-01-01

Abstract:Role-Based Access Control (RBAC) has been recognized as a strategy which reduces the cost and complexity of security administration in large-scale networked applications. A general family of RBAC models called RBAC96 was proposed by Sandhu et al. [1], which formally deflnes the relations among user, role and permission using the notion of set membership. Constraints is an important aspect of RBAC, which impose restrictions on acceptable conflgurations of the difierent components of RBAC. Nevertheless, it was discussed informally in the RBAC96 model. There has been some efiorts to present a logical framework for the access control models. Most of these works are based on flrst-order logic or its extensions. However, excessively rich expressiveness may bring on complex computation and confusion. We present a novel formalization of RBAC using a description logic approach. Compared with flrst-order logic, DLs achieve a better tradeofi between the computational complexity of reasoning and the expressiveness of the language. We choose the DL language ALC to represent core and hierarchical RBAC, and ALCQ that extends ALC by qualifled number restrictions to express RBAC constraints, including separation of duty and role cardinality. Based on our logical framework it is feasible to reason about RBAC and check the consistency of RBAC with constraints via a DL reasoner(e.g. RACER).

Di Wu,Xiyuan Chen,Jian Lin,Miaoliang Zhu

DOI: https://doi.org/10.1007/11836025_19

2006-01-01

Abstract:Today, the formulation, specification, and verification of adequate data protection policies in open distributed environment appear as the main challenge to address concerning authorization Role-based access control models have attracted considerable research interest in recent years due to their innate ability to model organizational structure and their potential to reduce administrative overheads This paper proposes ontology specification to describe Role-based Access Control model and extend it with a general context expression Based on these definitions, the specification for interoperation in distributed environment is introduced The works include a definition of ontology to describe the concepts and a declaration of rules to explicit the relationship between concepts The ontology based approach can express security policy with semantic information and provide a machine interpretation for descriptions of policy in open distributed environment.

Chen Zhao,Nuermaimaiti Heilili,Shengping Liu,Zuoquan Lin

DOI: https://doi.org/10.1007/11560647_25

2005-01-01

Abstract:Role-based access control (RBAC) is recognized as an excellent model for access control in large-scale networked applications. Formalization of RBAC in a logical approach makes it feasible to reason about a specified policy and verify its correctness. We propose a formalization of RBAC by the description logic language $\mathcal{ALCQ}$. We also show that the RBAC constraints can be captured by $\mathcal{ALCQ}$. Furthermore, we demonstrate how to make access control decision, perform the RBAC functions as well as check the consistency of RBAC via the description logic reasoner RACER.

Qingguo Xie

2006-01-01

Abstract:An Ontology-based approach to define the authorization policies of an RB-RBAC model wasproposed ,by which one can effectively define complex attribute expressions,quasi-order relation definition among attribute values and role hierarchies among roles in the OWL style policies.Comparison between attribute expressions without identical syntax structures is permitted to gain an insight into the relationships of all kinds of authorization rules.We can make authorization decision and perform seniority levels reasoning via an OWL reasoner.Moreover,conflicts among related authorization rules can be detected by consistency check.

Xiyuan Chen,Di Wu.,Jian Lin,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICCIAS.2006.295308

2006-01-01

Abstract:To satisfy the requirements of secure interoperation among distributed systems, a security violation detection method for RBAC based interoperation is proposed We carry out the discussion in the scope of Core RBAC and Hierarchy RBAC. To better illustrate the method for RBAC based interoperation, a formal definition of secure interoperation in RBAC systems has been introduced. Security violation of interoperation with role mappings in the distributed systems is analyzed. Based on these discussions, a minimum security violation detection method for RBAC based interoperation according to the feature of RBAC system and the inherent characteristic of interoperation in distributed environment is introduced. The minimum detection method provides good performance reducing complexity by decreasing amount of roles involved in detection.

Wu Di,Jian Lin,Yabo Dong,Miaoliang Zhu

DOI: https://doi.org/10.1109/PDCAT.2005.247

2005-01-01

Abstract:Role-based access control (RBAC) models have generated a great interest in the security community as a powerful and generalized approach to security management. One of important aspects in RBAC is constraints that constrain what components in RBAC are allowed to do. There are lots of research have been achieved to specify constraints for secure system developers. However more work is need urgently to met requirements for interoperability of machine and people understandable constraints specification in open and distributed environment. In this paper we propose another approach to specify constraints using Semantic Web technologies. The Web Ontology Language (OWL) specification of basic RBAC components and constraints are described in detail.

Wei Zhang,Zuoquan Lin

DOI: https://doi.org/10.1007/978-3-642-39787-5_19

2013-01-01

Abstract:Role-Based Access Control (RBAC) is recognized as the predominant model for access control nowadays. However, the ANSI RBAC model provides no mechanism for various rules and policies. To address this issue, a formal logical foundation of RBAC is urgently needed. In this paper, we present an ASPbased nonmonotonic approach to formalize ANIS RBAC model. The proposed formalization provides a proper expression for RBAC components, and an efficient reasoning mechanism for authorization decisions. We show that the formalism can capture RBAC models well and accomplish specific nonmonotonic reasoning tasks flexibly.

Xiyuan Chen,Miaoliang Zhu

DOI: https://doi.org/10.1109/mobhoc.2009.5336922

2009-01-01

Abstract:Collaboration enables domains to share resources effectively; however it introduces several security and privacy challenges. To guarantee the secure interoperation in complex distributed environment, a RBAC based secure interoperation model was proposed. Based on the inherent characteristic of the RBAC system, a directed acyclic graph based detection method of security violation was investigated. We also classified the conflicts according to the feature of each four parts of NITS RBAC model: conflicts resulting from unrelated roles, conflicts that arise from related roles and conflicts due to separation of duty. The targeted detection method for different types of conflicts was illustrated systematically. Therefore corresponding detection method can be applied to different types of conflicts according to the actual application environment. Furthermore, we analyzed the algorithmic complexity of the method and demonstrated the application of the directed acyclic graph based detection method with case studies in realistic scenarios.

Han Jian-min,Li Xi-yu,Yu Hui-qun,Tong Jun

DOI: https://doi.org/10.1109/grc.2008.4664701

2009-01-01

Abstract:RBAC(Role-Based Access Control) has been widely investigated and adopted for its simplicity and effectiveness. However there still exist some defects in it, including: (1) traditional RBAC does not consider time and context factors. (2) traditional RBAC only defines a simple logical relationship among roles and permissions, which makes it incompetent to solve authorization problem for large-scale dynamic systems. To remedy these defects, the paper introduces granular computing to RBAC and proposes G-P-BA C modeL G-RBAC granulates permissions and roles, and introduces time and context factors to them. The paper also defines elements' logical relationship in G-RBAC based on granular logic and realizes authorization decision-making by granular logic reasoning. The application examples show that G-RBAC can enhance flexibility of authorization, and realize fine grained access control effectively for large scale enterprise information system.

Chao Huang,Jianling Sun,Xinyu Wang,Yuanjie Si

DOI: https://doi.org/10.1109/ICNDS.2009.94

2009-01-01

Abstract:Access control is always essential for safe and security access to the system resource. Role based access control (RBAC) model is widely used in large enterprise software systems. The quality of the RBAC policy design especially role definition has great impact on the system security policy implementation. In this paper we propose a novel role engineering methods with security KAOS (SKAOS), which guide the engineering process via keeping decomposing the functional requirement objective and combining the system security requirement. SKAOS not only simplifies the system userpsilas involvement in the role engineering process via supplying with the objective decomposition but also reduces the complexity of the operation analysis. After building the objective decomposition and activity analysis diagrams, the role definition can be delivered. We illustrate the effectiveness of our method via analyzing a real world requirement problem.

周晓军,蒋兴浩,孙锬锋

DOI: https://doi.org/10.3969/j.issn.1009-8054.2010.04.041

2010-01-01

Abstract:After analyzing the RB-RBAC model, this paper proposes the concept of dynamic role-permission assignment, thus to reduce the complexity in assigning permissions to roles. Multi-decision is also used to improve the RB-RBAC model and increase the flexibility of the authorization rules. Essential elements and their mutual relations are given, and the access control process is also described.

Zhenxing Luo,Jing Chen,Zuoquan Lin

DOI: https://doi.org/10.1109/lcn.2008.4664239

2008-01-01

Abstract:Role based access control (RBAC) has emerged as a leading access control model to other traditional access control models. However, the traditional RBAC models can not capture fine-grained authorization with mono-type inheritance. In this paper, we discuss the hybrid inheritance based on our extended RBAC model, which is very desirable for capturing the fine-grained access control permissions. When the hybrid inheritances coexist in a role hierarchy, inferring such indirect relations between a pair of roles can became very complex. In particular, we study how the new inheritance relations between roles that are indirectly related can be easily derived through the inference rules, which provides a basis for formally analyzing the hybrid inheritances.

OUYANG Rong-bin,WANG Qian-yi,LI Li,LIU Yun-feng

DOI: https://doi.org/10.16411/j.cnki.issn1006-7736.2010.02.030

2010-01-01

Abstract:To decrease complexity and unsafety of configuring SQL rules for users in data permissions management,implementation policy for data permissions in role-based access control(RBAC) models was defined and data permissions model based on attribute rules was presented.This model was extended based on RBAC,and its rules for roles according to attributes were configured,which can implement data permissions management for both structural and non-structural data by JAVA reflection.

单徐梅,虞慧群

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.04.053

2010-01-01

Abstract:To satisfy dynamic authorization of WorkFlow Management System(WFMS) ,this paper proposes a Role-Based Access Control(RBAC) model that supports authorization constraint. In this model,authorization constraint model for WFMS is specified by Datalog logical language and an authorization algorithm is implemented using Datalog's decision,making mechanisms. WFMS's dynamic constrained authorization problem is solved with the method.

TIAN Li-qin,JI Tie-guo,LIN Chuang,YIANG Yiang

DOI: https://doi.org/10.3778/j.issn.1002-8331.2008.19.004

2008-01-01

Abstract:The paper establishes a user behaviour trust and Role-Based Access Control(RBAC) model,which introduces the attribute concept and adds the user behaviour trust degree set on the basis of RBAC model.The detailed description and the authorization flow are given in the article.At last the model is analyzed from the dynamic performance and trust mechanism and role numbers and work performance.The new access control achieves the dynamic authorization by the dynamic assignment of role attributes and achieves the connection identity trust with behavior trust by setting the trust degree as an obligatory attribute,which changes the static authorization only based the identity of existing access control models.The model can reduce the role number by setting the attributes for the role,which can lighten the role management burden caused by the large number roles and improve the performance at the same time.

Li Qi,Xu Mingwei,Zhang Xinwen

DOI: https://doi.org/10.1109/ICDCS.Workshops.2008.26

2008-01-01

Abstract:Role-based Access Control (RBAC) has been widely deployed in many distributed systems in recent years. However, in many large-scale enterprise environments, it is difficult to manage RBAC because of the huge number of users and roles, and complex interrelationships between them. Moreover, with the development of information and communication technologies, many temporal and ad hoc collaborations between groups and departments are emerging, which require dynamic user-role and permission-role assignments. In thesescenarios it is infeasible, if not impossible, for few security officers to administrate the assignment for various applications. In this paper, we propose a novel RBAC model for decentralized and distributed systems. As one of the main contributions, we also propose a decentralizedadministration model to address the management issues in traditional RBAC systems, Our model can be used for group-based applications with dynamic assignments where typically local (group-level) administrators take charge of the dynamic assignments. In this way, many administrativetasks for different applications can spread over many different local administrators, and a fine-grained administration model of RBAC based on the local administration policies is realized. As a proof-of-conceptsystem, we implemented a secure Spread prototype based on our proposed model to show the feasibility in the real applications.

Chaoyi Pang,David P. Hansen,Anthony J. Maeder

DOI: https://doi.org/10.1145/1229285.1229306

2007-01-01

Abstract:ABSTRACTIn this paper, we study the maintenance of role-based access control (RBAC) models in database environments using transitive closure relations. In particular, the algorithms that express and remove redundancy from a component, a RBAC state, and from conflict constraints. The transitive closure relations on a RBAC state specify the reachability among user groups, roles and from user groups to roles. These relations can assist the process of authorization and make some queries easier to answer. Paper [17] shows that the transitive closure relations on a RBAC model can be used to manage and maintain the model's dynamic changes in a simple and efficient way. In this paper, we firstly show that the transitive closure relations are natural byproducts when formulating RBAC components. We then adapt the conventional RBAC model to accord the inherent reachability of a RBAC model. We show that the use of transitive closure relations as the auxiliary relations for the maintenance of a RBAC state alleviates the process of query evaluation, removing redundancy and the description of hierarchies. Thirdly, in the presence of conflict constraints, we explain how conflicts can be expressed, checked and evaluated under the existence of TC relations, in addition to the removal of conflicts redundancy and finding inferred conflicts. Lastly, we briefly discuss the first-order maintenance operations.All the algorithms for the maintenance are first-order algorithms with simple structures and can be implemented in SQL.

Chao Huang,Jianling Sun,Xinyu Wang,Yuanjie Si

DOI: https://doi.org/10.1109/ISBIM.2008.132

2009-01-01

Abstract:In large enterprise software systems, users often need to delegate their authority to others. Permission base delegation model (PBDM) based on RBAC96 currently is the most attractive model to fulfill the delegation requirement since it supports partly delegation and multiple steps delegation. However in PBDM there is no explicit specification of the separation of duty (SOD) constraint, which is one of the most important constraints and is essential to the security of the system. In this paper, we analyze the SOD constraint in PBDM delegation model and give the formal definition for the constraint. We prove that the constraint violation will not happen at the stage of the delegation role definition whereas it can only happen at the stage of role assignment. We then propose a protective mechanism to prevent the illegal role delegation utilizing the prerequisite conditions which are a set of Boolean expressions. We also give the algorithm to check the prerequisite conditions to help the security administrator guarantee the safe role delegation.