Alessandro Artale,Bruno Crispo,Fausto Giunchiglia,Fatih Turkmen,Rui Zhang

DOI: https://doi.org/10.1109/nss.2010.76

2010-01-01

Abstract:Relation Based Access Control (RelBAC) is an access control model that places permissions as first class concepts. Under this model, we discuss in this paper how to formalize typical access control policies with Description Logics. Important security properties, i.e., Separation of Duties (SoD) and Chinese Wall are studied and formally represented in RelBAC. To meet the needs of automated tools for administrators, we show that RelBAC can formalize and answer queries about access control requests and administrative checks resorting to the reasoning services of the underlying Description Logic.

Alessandro Artale,Bruno Crispo,Fausto Giunchiglia,Rui Zhang

2009-01-01

Abstract:Relation Based Access Control (RelBAC ) is an access con- trol model designed for the new scenarios of access control on Web 2.0. Under this model, we discuss in this paper how to formalize typical access control policies with Description Logics. Important security properties, i.e., Separation of Duties (SoD) and Chinese Wall constraints are studied and formally represented in RelBAC with the expressive DLALCQIBO. To meet the needs of automated tools for administrators, RelBAC can formalize and answer queries about access control requests and admin- istrative checks resorting to the reasoning services of the underlying De- scription Logic.

fausto giunchiglia,rui zhang,bruno crispo,alessandro artale

2010-01-01

Abstract:The Web 2.0, GRID applications and more recently semantic desktop applications are bringing the Web to a situation where more and more data and metadata are shared and made available to large user groups. Things are further complicated by the highly unpredictable and autonomous dynamics of data, users, permissions and access control rules. For this novel scenario, a new access control model, Relation-Based Access Control (RelBAC) is proposed which allows subjects, objects and permissions to be defined independently. The key property which makes this possible is that permissions are modeled as relations between subjects and objects. RelBAC is formalized using the Description Logic ALCQIBO, which allows to perform policy management, e.g., Separation of Duties via automated reasoning.

Rui Zhang,Bruno Crispo,Fausto Giunchiglia

2008-01-01

Abstract:Relation-Based Access Control (RelBAC) is an access con- trol model for the Web scenarios, which represents permis- sions as relations between users and objects. By exploiting the formalization of RelBAC model in Description Logics (DL), sophisticated access control policies can be directly encoded as DL formulas. This facilitates the administra- tion with design time reasoning on hierarchies, memberships, propagations, separation of duties, etc. and helps with run time reasoning to make access control decisions. All these reasoning can be performed through state of the art, o-the- shelf DL reasoners.

Fausto Giunchiglia,Bruno Crispo,Rui Zhang

DOI: https://doi.org/10.1109/icsc.2011.23

2011-01-01

Abstract:The paper presents Relation Based Access Control RelBAC, a model and a logic for access control which models communities, possibly nested, and resources, possibly organized inside complex file systems, as lightweight ontologies, and permissions as relations between subjects and objects. RelBAC allows us to represent expressive access control rules beyond the current state of the art, and to deal with the strong dynamics of subjects, objects and permissions which arise in Web 2.0 applications (e.g. social networks). Finally, as shown in the paper, using RelBAC, it becomes possible to reason about access control policies and, in particular to compute candidate permissions by matching subject ontologies (representing their interests) with resource ontologies (describing their characteristics).

R Zhang

DOI: https://doi.org/10.1109/skg.2008.76

2010-01-01

Abstract:The Web 2.0, GRID applications and, more recently, semantic desktop applications are bringing the Web to a situation where more and more data and metadata are shared and made available to large user groups. In this context, metadata may be tags or complex graph structures such as file system or web directories, or (lightweight) ontologies. In turn, users can themselves be tagged by certain properties, and can be organized in complex directory structures, very much in the same way as data. Things are further complicated by the highly unpredictable and autonomous dynamics of data, users, permissions and access control rules. In this paper we propose a new access control model and a logic, called RelBAC (for Relation Based Access Control) which allows us to deal with this novel scenario. The key idea, which differentiates RelBAC from the state of the art, e.g., Role Based Access Control (RBAC), is that permissions are modeled as relations between users and data, while access control rules are their instantiations on specific sets of users and objects. As such, access control rules are assigned an arity which allows a fine tuning of which users can access which data, and can evolve independently, according to the desires of the policy manager(s). Furthermore, the formalization of the RelBAC model as an Entity-Relationship (ER) model allows for its direct translation into Description Logics (DL). In turn, this allows us to reason, possibly at run time, about access control policies.

Fausto Giunchiglia,Rui Zhang,Bruno Crispo

2009-01-01

Abstract:In this paper we present RelBAC(for Relation Based Access Control), a model and a logic for access control which models communities, possibly nested, and resources, possibly organized inside complex file systems, as lightweight ontologies, and permissions as relations between subjects and objects. RelBACallows us to represent expressive access control rules beyond the current state of the art, and to deal with the strong dynamics of subjects, objects and permissions which arise in Web 2.0 applications (e.g. social networks). Finally, as shown in the paper, using RelBAC, it becomes possible to reason about access control policies and, in particular to compute candidate permissions by matching subject ontologies (representing their interests) with resource ontologies (describing their characteristics).

Rui Zhang,Fausto Giunchiglia,Bruno Crispo,Lingyang Song

DOI: https://doi.org/10.1007/s11277-009-9782-4

IF: 2.017

2009-01-01

Wireless Personal Communications

Abstract:Context-aware computing is an important aspect of the pervasive computing environment and its various dynamic context information brings new challenges to access control systems. In this paper a new access control model, relation based access control (RelBAC), is provided for context-aware environment with a domain specific Description Logic to formalize the model. The novelty of RelBAC is that permissions are formalized as binary relations between subjects and objects which could evolve with the dynamic contexts. The expressive power of RelBAC is illustrated in a case study of a project meeting event.

Chen Zhao,NuerMaimaiti Heilili,Shengping Liu,Zuoquan Lin

2005-01-01

Abstract:Role-Based Access Control (RBAC) has been recognized as a strategy which reduces the cost and complexity of security administration in large-scale networked applications. A general family of RBAC models called RBAC96 was proposed by Sandhu et al. [1], which formally deflnes the relations among user, role and permission using the notion of set membership. Constraints is an important aspect of RBAC, which impose restrictions on acceptable conflgurations of the difierent components of RBAC. Nevertheless, it was discussed informally in the RBAC96 model. There has been some efiorts to present a logical framework for the access control models. Most of these works are based on flrst-order logic or its extensions. However, excessively rich expressiveness may bring on complex computation and confusion. We present a novel formalization of RBAC using a description logic approach. Compared with flrst-order logic, DLs achieve a better tradeofi between the computational complexity of reasoning and the expressiveness of the language. We choose the DL language ALC to represent core and hierarchical RBAC, and ALCQ that extends ALC by qualifled number restrictions to express RBAC constraints, including separation of duty and role cardinality. Based on our logical framework it is feasible to reason about RBAC and check the consistency of RBAC with constraints via a DL reasoner(e.g. RACER).

JIANG Jie,ZHANG Jie,CHEN De-ren

DOI: https://doi.org/10.3785/j.issn.1008-973x.2009.09.011

2009-01-01

Abstract:An extended context-aware role based access control(RBAC) based on reasoning(RC-RBAC) model was proposed by integrating the single context-aware RBAC and reasoning-based RBAC in order to solve the problems of the Absence of the adjustment and generation of the context-aware condition dynamically and the incapacity of updating the user authorization according to the adjusted constrain conditions in the existing RBAC.The extended model used the rule reasoning to adjust and generate the context constrains dynamically and start the common sensors and the self-defined sensors to collect the attribute values of the conditions.The access permission to the sensitive data was updated in real time based on the context-aware logic reasoning using the user rules and permission rules.The application results show that the extended RC-RBAC model can be employed in the distributed environment to satisfy the need of the dynamic authorization and reduce the real-time access control management complexity.

Li Ma,Shilong Ma,Yuefei Sui

DOI: https://doi.org/10.1109/FGCN.2007.8

2007-01-01

Abstract:Traditional RBAC model describes a static access control policy. As the development of network application, such as Web services, access control faces many new challenges, one of which is that access control policies need to protect not only static resources but also dynamic ones that are encapsulated in a service. In order to capture the flexibility of application, we specify a fine-grained control on individual users by introducing user attributes which are associated to user's role and permission. We take the service as an action that changes some of user's attributes so as to adjust users' permission at run. In order to represent and reason on the access control automatically, we use the description logics combined with prepositional dynamic logic as a logic framework to construct a knowledge base for the access control and action rules, and semantically explain how a user's permission can be changed at runtime.

Li MA,Shi-long MA,Yue-fei SUI,Sheng-wei YI

DOI: https://doi.org/10.3969/j.issn.1002-137X.2010.03.006

2010-01-01

Computer Science

Abstract:Role-Based Access Control (RBAC)controls the user's access to resources by indirectly using roles, which simplifies the security management greatly. Although the research of RBAC model is a mature area, the lack of formalization of RBAC results in uncertainty and confusion about the concepts and meaning of RBAC. Description Logic (DL) is a kind of object-based knowledge representation formalism, and also a decidable fragment of first-order predicate logic, with well-defined semantics and powerful representation capability. To give a formal description of RBAC, this paper took RBAC96 as a reference model and proposed a new formalized method to RBAC with description logic, called DL_(RBAC), which gives formal definitions to the concepts and relations of RBAC This paper also proved that the formal representation is faithful to RBAC model Based on the formalized model, we can further Study RBAC.

Li Ma,Shilong Ma,Yuefei Sui

DOI: https://doi.org/10.3969/j.issn.1002-137X.2010.03.006

2010-01-01

Abstract:A new description logic-based representation for role-based accesss control(RBAC) model was proposed.RBAC sets and relations were translated as concepts and roles in the description logic respectively.To express RBAC role default inheritance and constraint conditions,symbols that represented role composition and inclusion were introduced to the basic description logic language,such that some RBAC default inheritance properties,such as role hierarchy(RH) transitivity,user-role assignment(UA) inheritance and permission-role assignment(PA) inheritance,and some RBAC constraints,such as static and dynamic separation of duty relations,can be represented formally.By integrating default inheritance with constraints in one formal system,the new inheritance relations that violate the access control strategy can be limited with the help of description logic reasoning mechanisms.

Di Wu,Xiyuan Chen,Jian Lin,Miaoliang Zhu

DOI: https://doi.org/10.1007/11836025_19

2006-01-01

Abstract:Today, the formulation, specification, and verification of adequate data protection policies in open distributed environment appear as the main challenge to address concerning authorization Role-based access control models have attracted considerable research interest in recent years due to their innate ability to model organizational structure and their potential to reduce administrative overheads This paper proposes ontology specification to describe Role-based Access Control model and extend it with a general context expression Based on these definitions, the specification for interoperation in distributed environment is introduced The works include a definition of ontology to describe the concepts and a declaration of rules to explicit the relationship between concepts The ontology based approach can express security policy with semantic information and provide a machine interpretation for descriptions of policy in open distributed environment.

Xiyuan Chen,Miaoliang Zhu

DOI: https://doi.org/10.4028/www.scientific.net/kem.439-440.178

2010-01-01

Abstract:Semantic; Trust Management; RBAC; User-role Assignment Abstract. The application of RBAC in access management of the enterprise services and resources is very widely. With phenomenal growth of information interaction and cooperation between distributed systems, the number of users can be in the hundreds of thousands or millions. This renders manual user-to-role assignment a formidable task. In this paper, we propose a semantic and trust based framework to automatically assign users to roles based on a finite set of assignment rules defined by authorized people in the enterprise. These rules take into consideration the attributes users own and any constraints set forth by the enterprise including the assignment history and the credit of the requester. We choose OWL to specify the user attributes.

Wu Di,Jian Lin,Yabo Dong,Miaoliang Zhu

DOI: https://doi.org/10.1109/PDCAT.2005.247

2005-01-01

Abstract:Role-based access control (RBAC) models have generated a great interest in the security community as a powerful and generalized approach to security management. One of important aspects in RBAC is constraints that constrain what components in RBAC are allowed to do. There are lots of research have been achieved to specify constraints for secure system developers. However more work is need urgently to met requirements for interoperability of machine and people understandable constraints specification in open and distributed environment. In this paper we propose another approach to specify constraints using Semantic Web technologies. The Web Ontology Language (OWL) specification of basic RBAC components and constraints are described in detail.

Qi Xie,Dayou Liu,Haibo Yu

DOI: https://doi.org/10.1007/11795131_88

2006-01-01

Abstract:Rule-Based RBAC (RB-RBAC) provides the mechanism to dynamically assign users to roles based on authorization rules defined by security policy. In RB-RBAC, seniority levels of rules are also introduced to express domination relationship among rules. Hence, relations among attribute expressions may be quite complex and security officers may perform incorrect or unintended assignments if they are not aware of such relations behind authorization rules. We proposed a formalization of RB-RBAC by description logic. A seniority relation determination method is developed based on description logic reasoning services. This method can find out seniority relations efficiently even for rules without identical syntax structures

Li Ma,Shilong Ma,Jianghua Lv,Yuefei Sui

DOI: https://doi.org/10.1109/ICCIT.2009.29

2009-01-01

Abstract:Applications in the open and dynamic environment become more intelligent and complicated. To secure these applications is a big challenge. RBAC model, as a de facto standard in access control field, is widely used in many applications. But the lack of dynamic and formal method to describe RBAC makes the model can’t completely adapt to the open and dynamic environment. To solve this problem, we introduce a three level RBAC model which unifies the administrative components, the administrative actions and the regular RBAC components, and also proposes a dynamic description logic, called DDLRBAC, to formalize the three level model. Based on the formal description of RBAC with DDLRBAC, an executable action decision algorithm to guarantee the dynamic consistency of systems is also presented.

Zhiwen Zou,Changqian Chen,Shiguang Ju,Jiming Chen

DOI: https://doi.org/10.1007/978-3-642-12189-0_26

2010-01-01

Abstract:The Spatial Role-Based Access Control (SRBAC) model was discussed in this paper. Firstly, the formal definition of SRBAC Model was given; then the region coverage constraint of spatial object, duration constraint of spatial object, various spatial object separations of duty constraints and spatial object cardinality constraint of role activation were researched; after extending the traditional session, the strategy of eliminating the conflictive session was presented; Finally, the role hierarchy has been discussed under the spatial environment. Combined with practical application, the theory of secure DBMS was optimized and afforded to build the stricter system.

Chen Zhao,Nuermaimaiti Heilili,Shengping Liu,Zuoquan Lin

DOI: https://doi.org/10.1007/11560647_25

2005-01-01

Abstract:Role-based access control (RBAC) is recognized as an excellent model for access control in large-scale networked applications. Formalization of RBAC in a logical approach makes it feasible to reason about a specified policy and verify its correctness. We propose a formalization of RBAC by the description logic language $\mathcal{ALCQ}$. We also show that the RBAC constraints can be captured by $\mathcal{ALCQ}$. Furthermore, we demonstrate how to make access control decision, perform the RBAC functions as well as check the consistency of RBAC via the description logic reasoner RACER.