Chen Zhao,NuerMaimaiti Heilili,Shengping Liu,Zuoquan Lin

2005-01-01

Abstract:Role-Based Access Control (RBAC) has been recognized as a strategy which reduces the cost and complexity of security administration in large-scale networked applications. A general family of RBAC models called RBAC96 was proposed by Sandhu et al. [1], which formally deflnes the relations among user, role and permission using the notion of set membership. Constraints is an important aspect of RBAC, which impose restrictions on acceptable conflgurations of the difierent components of RBAC. Nevertheless, it was discussed informally in the RBAC96 model. There has been some efiorts to present a logical framework for the access control models. Most of these works are based on flrst-order logic or its extensions. However, excessively rich expressiveness may bring on complex computation and confusion. We present a novel formalization of RBAC using a description logic approach. Compared with flrst-order logic, DLs achieve a better tradeofi between the computational complexity of reasoning and the expressiveness of the language. We choose the DL language ALC to represent core and hierarchical RBAC, and ALCQ that extends ALC by qualifled number restrictions to express RBAC constraints, including separation of duty and role cardinality. Based on our logical framework it is feasible to reason about RBAC and check the consistency of RBAC with constraints via a DL reasoner(e.g. RACER).

Li MA,Shi-long MA,Yue-fei SUI,Sheng-wei YI

DOI: https://doi.org/10.3969/j.issn.1002-137X.2010.03.006

2010-01-01

Computer Science

Abstract:Role-Based Access Control (RBAC)controls the user's access to resources by indirectly using roles, which simplifies the security management greatly. Although the research of RBAC model is a mature area, the lack of formalization of RBAC results in uncertainty and confusion about the concepts and meaning of RBAC. Description Logic (DL) is a kind of object-based knowledge representation formalism, and also a decidable fragment of first-order predicate logic, with well-defined semantics and powerful representation capability. To give a formal description of RBAC, this paper took RBAC96 as a reference model and proposed a new formalized method to RBAC with description logic, called DL_(RBAC), which gives formal definitions to the concepts and relations of RBAC This paper also proved that the formal representation is faithful to RBAC model Based on the formalized model, we can further Study RBAC.

JIANG Jie,ZHANG Jie,CHEN De-ren

DOI: https://doi.org/10.3785/j.issn.1008-973x.2009.09.011

2009-01-01

Abstract:An extended context-aware role based access control(RBAC) based on reasoning(RC-RBAC) model was proposed by integrating the single context-aware RBAC and reasoning-based RBAC in order to solve the problems of the Absence of the adjustment and generation of the context-aware condition dynamically and the incapacity of updating the user authorization according to the adjusted constrain conditions in the existing RBAC.The extended model used the rule reasoning to adjust and generate the context constrains dynamically and start the common sensors and the self-defined sensors to collect the attribute values of the conditions.The access permission to the sensitive data was updated in real time based on the context-aware logic reasoning using the user rules and permission rules.The application results show that the extended RC-RBAC model can be employed in the distributed environment to satisfy the need of the dynamic authorization and reduce the real-time access control management complexity.

Li Ma,Shilong Ma,Yuefei Sui

DOI: https://doi.org/10.3969/j.issn.1002-137X.2010.03.006

2010-01-01

Abstract:A new description logic-based representation for role-based accesss control(RBAC) model was proposed.RBAC sets and relations were translated as concepts and roles in the description logic respectively.To express RBAC role default inheritance and constraint conditions,symbols that represented role composition and inclusion were introduced to the basic description logic language,such that some RBAC default inheritance properties,such as role hierarchy(RH) transitivity,user-role assignment(UA) inheritance and permission-role assignment(PA) inheritance,and some RBAC constraints,such as static and dynamic separation of duty relations,can be represented formally.By integrating default inheritance with constraints in one formal system,the new inheritance relations that violate the access control strategy can be limited with the help of description logic reasoning mechanisms.

Wei Zhang,Zuoquan Lin

DOI: https://doi.org/10.1007/978-3-642-39787-5_19

2013-01-01

Abstract:Role-Based Access Control (RBAC) is recognized as the predominant model for access control nowadays. However, the ANSI RBAC model provides no mechanism for various rules and policies. To address this issue, a formal logical foundation of RBAC is urgently needed. In this paper, we present an ASPbased nonmonotonic approach to formalize ANIS RBAC model. The proposed formalization provides a proper expression for RBAC components, and an efficient reasoning mechanism for authorization decisions. We show that the formalism can capture RBAC models well and accomplish specific nonmonotonic reasoning tasks flexibly.

Nizamuddin Channa,Shanping Li

DOI: https://doi.org/10.1007/11730262_10

2006-01-01

Abstract:The Expressive Language ALCNHR+(D) provides conjunction, full negation, quantifiers, number restrictions, role hierarchies, transitively closed roles and concrete domains. In addition to the operators known from ALCNHR+, a restricted existential predicate restriction operator for concrete domains is supported. In order to capture the semantic of complicated knowledge reasoning model, the expressive language ALCNHR+K(D) is introduced. It cannot only be able to represent knowledge about concrete domain and constraints, but also rules in some sense of closed world semantic model hypothesis. The paper investigates an extension to description logic based knowledge reasoning by means o f decomposing and rewriting complicated hybrid concepts into partitions. We present an approach that automatically decomposes the whole knowledge base into description logic compatible and constraints solver. Our arguments are two-fold. First, complex description logics with powerful representation ability lack effectively reasoning ability and second, how to reason with the combination of inferences from distributed heterogeneous reasoner.

Alessandro Artale,Bruno Crispo,Fausto Giunchiglia,Fatih Turkmen,Rui Zhang

DOI: https://doi.org/10.1109/nss.2010.76

2010-01-01

Abstract:Relation Based Access Control (RelBAC) is an access control model that places permissions as first class concepts. Under this model, we discuss in this paper how to formalize typical access control policies with Description Logics. Important security properties, i.e., Separation of Duties (SoD) and Chinese Wall are studied and formally represented in RelBAC. To meet the needs of automated tools for administrators, we show that RelBAC can formalize and answer queries about access control requests and administrative checks resorting to the reasoning services of the underlying Description Logic.

Di Wu,Xiyuan Chen,Jian Lin,Miaoliang Zhu

DOI: https://doi.org/10.1007/11836025_19

2006-01-01

Abstract:Today, the formulation, specification, and verification of adequate data protection policies in open distributed environment appear as the main challenge to address concerning authorization Role-based access control models have attracted considerable research interest in recent years due to their innate ability to model organizational structure and their potential to reduce administrative overheads This paper proposes ontology specification to describe Role-based Access Control model and extend it with a general context expression Based on these definitions, the specification for interoperation in distributed environment is introduced The works include a definition of ontology to describe the concepts and a declaration of rules to explicit the relationship between concepts The ontology based approach can express security policy with semantic information and provide a machine interpretation for descriptions of policy in open distributed environment.

Xiyuan Chen,Miaoliang Zhu

DOI: https://doi.org/10.4028/www.scientific.net/kem.439-440.178

2010-01-01

Abstract:Semantic; Trust Management; RBAC; User-role Assignment Abstract. The application of RBAC in access management of the enterprise services and resources is very widely. With phenomenal growth of information interaction and cooperation between distributed systems, the number of users can be in the hundreds of thousands or millions. This renders manual user-to-role assignment a formidable task. In this paper, we propose a semantic and trust based framework to automatically assign users to roles based on a finite set of assignment rules defined by authorized people in the enterprise. These rules take into consideration the attributes users own and any constraints set forth by the enterprise including the assignment history and the credit of the requester. We choose OWL to specify the user attributes.

Li Ma,Shilong Ma,Jianghua Lv,Yuefei Sui

DOI: https://doi.org/10.1109/ICCIT.2009.29

2009-01-01

Abstract:Applications in the open and dynamic environment become more intelligent and complicated. To secure these applications is a big challenge. RBAC model, as a de facto standard in access control field, is widely used in many applications. But the lack of dynamic and formal method to describe RBAC makes the model can’t completely adapt to the open and dynamic environment. To solve this problem, we introduce a three level RBAC model which unifies the administrative components, the administrative actions and the regular RBAC components, and also proposes a dynamic description logic, called DDLRBAC, to formalize the three level model. Based on the formal description of RBAC with DDLRBAC, an executable action decision algorithm to guarantee the dynamic consistency of systems is also presented.

Nizamuddin Channa,Shanping Li,Xiangjun Fu

DOI: https://doi.org/10.1145/1089551.1089674

2005-01-01

Abstract:In order to capture the full fledge semantic of complicated product data model, the expressive language ALCNHR+K(D) is introduced. It cannot only be able to represent knowledge about concrete domain and constraints, but also rules in some sense of closed world semantic model hypothesis. Also the paper investigates an extension to description logic (DL) based knowledge reasoning by means of decomposing and rewriting complicated hybrid concepts into partitions. We present an approach that automatically decomposes the whole knowledge base into description logic compatible one and constraints solver one. Our arguments are two-fold. First, complex DLs with powerful representation ability lack effective reasoning ability. Second, we are concerned with how to reason effectively with the combination of inferences from distributed heterogeneous reasoner.

Alessandro Artale,Bruno Crispo,Fausto Giunchiglia,Rui Zhang

2009-01-01

Abstract:Relation Based Access Control (RelBAC ) is an access con- trol model designed for the new scenarios of access control on Web 2.0. Under this model, we discuss in this paper how to formalize typical access control policies with Description Logics. Important security properties, i.e., Separation of Duties (SoD) and Chinese Wall constraints are studied and formally represented in RelBAC with the expressive DLALCQIBO. To meet the needs of automated tools for administrators, RelBAC can formalize and answer queries about access control requests and admin- istrative checks resorting to the reasoning services of the underlying De- scription Logic.

Yong TAO,Chengliang WANG

DOI: https://doi.org/10.3778/j.issn.1002-8331.1211-0023

2014-01-01

Abstract:Treating attribute as authorization constraints, an extended model of RBAC with attributes is proposed. An OWL-based policy representation method of attributive-based RBAC model is presented, in which complex attribute expressions, partial ordering relations between attribute values, role hierarchies, and constraints can be explicitly defined. Access control decisions, dominance relations between attribute expressions, and consistency of policy information can be drawn via an OWL reasoner. A study case is presented to show the feasibility of the method.

Li Ma,Shilong Ma,Yuefei Sui

DOI: https://doi.org/10.1109/FGCN.2007.8

2007-01-01

Abstract:Traditional RBAC model describes a static access control policy. As the development of network application, such as Web services, access control faces many new challenges, one of which is that access control policies need to protect not only static resources but also dynamic ones that are encapsulated in a service. In order to capture the flexibility of application, we specify a fine-grained control on individual users by introducing user attributes which are associated to user's role and permission. We take the service as an action that changes some of user's attributes so as to adjust users' permission at run. In order to represent and reason on the access control automatically, we use the description logics combined with prepositional dynamic logic as a logic framework to construct a knowledge base for the access control and action rules, and semantically explain how a user's permission can be changed at runtime.

Rui Zhang,Bruno Crispo,Fausto Giunchiglia

2008-01-01

Abstract:Relation-Based Access Control (RelBAC) is an access con- trol model for the Web scenarios, which represents permis- sions as relations between users and objects. By exploiting the formalization of RelBAC model in Description Logics (DL), sophisticated access control policies can be directly encoded as DL formulas. This facilitates the administra- tion with design time reasoning on hierarchies, memberships, propagations, separation of duties, etc. and helps with run time reasoning to make access control decisions. All these reasoning can be performed through state of the art, o-the- shelf DL reasoners.

Qi Xie,Dayou Liu,Haibo Yu

DOI: https://doi.org/10.1007/11795131_88

2006-01-01

Abstract:Rule-Based RBAC (RB-RBAC) provides the mechanism to dynamically assign users to roles based on authorization rules defined by security policy. In RB-RBAC, seniority levels of rules are also introduced to express domination relationship among rules. Hence, relations among attribute expressions may be quite complex and security officers may perform incorrect or unintended assignments if they are not aware of such relations behind authorization rules. We proposed a formalization of RB-RBAC by description logic. A seniority relation determination method is developed based on description logic reasoning services. This method can find out seniority relations efficiently even for rules without identical syntax structures

Rui Zhang,Alessandro Artale,Fausto Giunchiglia,Bruno Crispo

2009-01-01

Abstract:Relation Based Access Control (RelBAC) is an access control model designed for the new scenarios of access control onWeb 2.0. Under this model, we discuss in this paper how to formalize with Description Logics the typical authorization problems of access control together with the enforcement of an important security property: Separation of Duties (SoD) and some high level security policies about the composition of those subjects on which to separate the duties.

Wei Zhang,Zuoquan Lin

DOI: https://doi.org/10.1109/skg.2012.5

2012-01-01

Abstract:The ANSI RBAC standard provides no mechanism for access policies. This paper employs answer set programming (ASP) as the policy language and presents a new logic-based RBAC formalization framework. The powerful expression ability of ASP ensures the representation of various policies, while high-efficient answer set solvers help our framework suit for reasoning in industrial level applications. We show that properties of the proposed framework support flexible policies well. Furthermore, systems based on the proposed framework are proved to be safe and available.

Qingguo Xie

2006-01-01

Abstract:An Ontology-based approach to define the authorization policies of an RB-RBAC model wasproposed ,by which one can effectively define complex attribute expressions,quasi-order relation definition among attribute values and role hierarchies among roles in the OWL style policies.Comparison between attribute expressions without identical syntax structures is permitted to gain an insight into the relationships of all kinds of authorization rules.We can make authorization decision and perform seniority levels reasoning via an OWL reasoner.Moreover,conflicts among related authorization rules can be detected by consistency check.

Gang Yin,Dianxi Shi,Min Guo,Huaimin Wang

DOI: https://doi.org/10.1109/ncm.2009.274

2009-01-01

Abstract:With the appearance and growing application of open systems such as Internet, delegation is a primary mechanism to enforce access control in such systems. This paper distinguishes two kinds of delegation: authority delegation (AUD) and access delegation (ACD), and proposes a first-order logic system SRDL to capture the features of the two kinds of delegation models. SRDL properly describes AUD and ACD respectively by using domain-roles and delegating-roles. SRDL provides a flexible approach to control the depth and width of delegation, which is absent in many delegation models such as SRC logic and RT.