Lin Yao,Xiangwei Kong,Zichuan Xu

DOI: https://doi.org/10.1109/NCM.2008.75

2008-01-01

Abstract:Although RBAC models have received broad support as a generalized approach to access control, the administration of roles in large organizations can become quite cumbersome. In this paper, we develop a new paradigm for access control and authorization management, called task-role based access control (TRBAC) with multi-constraint. The basic idea of this model different from traditional RBAC is that roles and permissions are not connected directly but are put together by tasks. It is a dynamic authorization model with fine-grained partition on users, roles, tasks and sessions. The unit of task becomes the permission granularity. It is more convenient for enterprise privilege management such as distributed application,C/S access control and workflow management. It can reduce the administrator's burden and avoid some potential safety hazards because of adopted dynamic authorization.

Chao Huang,Jianling Sun,Xinyu Wang,Yuanjie Si

DOI: https://doi.org/10.1109/ICNDS.2009.94

2009-01-01

Abstract:Access control is always essential for safe and security access to the system resource. Role based access control (RBAC) model is widely used in large enterprise software systems. The quality of the RBAC policy design especially role definition has great impact on the system security policy implementation. In this paper we propose a novel role engineering methods with security KAOS (SKAOS), which guide the engineering process via keeping decomposing the functional requirement objective and combining the system security requirement. SKAOS not only simplifies the system userpsilas involvement in the role engineering process via supplying with the objective decomposition but also reduces the complexity of the operation analysis. After building the objective decomposition and activity analysis diagrams, the role definition can be delivered. We illustrate the effectiveness of our method via analyzing a real world requirement problem.

JIANG Jie,ZHANG Jie,CHEN De-ren

DOI: https://doi.org/10.3785/j.issn.1008-973x.2009.09.011

2009-01-01

Abstract:An extended context-aware role based access control(RBAC) based on reasoning(RC-RBAC) model was proposed by integrating the single context-aware RBAC and reasoning-based RBAC in order to solve the problems of the Absence of the adjustment and generation of the context-aware condition dynamically and the incapacity of updating the user authorization according to the adjusted constrain conditions in the existing RBAC.The extended model used the rule reasoning to adjust and generate the context constrains dynamically and start the common sensors and the self-defined sensors to collect the attribute values of the conditions.The access permission to the sensitive data was updated in real time based on the context-aware logic reasoning using the user rules and permission rules.The application results show that the extended RC-RBAC model can be employed in the distributed environment to satisfy the need of the dynamic authorization and reduce the real-time access control management complexity.

林涛,应晶

DOI: https://doi.org/10.3969/j.issn.1002-137X.2000.10.006

2000-01-01

Computer Science

Abstract:Beginning with recent issues in requirement engineering,this paper proposes a development framework for scenario-based goal modeling(SBGMF),which integrates with scenario management to goal modeling successfully, and supports elaboration, analysis, validation and corporation, and stimulates the mechanism of requirement tracing and component reusing. The paper addresses the structure and functions of the framework SBGMF.

Wu Di,Jian Lin,Yabo Dong,Miaoliang Zhu

DOI: https://doi.org/10.1109/PDCAT.2005.247

2005-01-01

Abstract:Role-based access control (RBAC) models have generated a great interest in the security community as a powerful and generalized approach to security management. One of important aspects in RBAC is constraints that constrain what components in RBAC are allowed to do. There are lots of research have been achieved to specify constraints for secure system developers. However more work is need urgently to met requirements for interoperability of machine and people understandable constraints specification in open and distributed environment. In this paper we propose another approach to specify constraints using Semantic Web technologies. The Web Ontology Language (OWL) specification of basic RBAC components and constraints are described in detail.

Di Wu,Xiyuan Chen,Jian Lin,Miaoliang Zhu

DOI: https://doi.org/10.1007/11836025_19

2006-01-01

Abstract:Today, the formulation, specification, and verification of adequate data protection policies in open distributed environment appear as the main challenge to address concerning authorization Role-based access control models have attracted considerable research interest in recent years due to their innate ability to model organizational structure and their potential to reduce administrative overheads This paper proposes ontology specification to describe Role-based Access Control model and extend it with a general context expression Based on these definitions, the specification for interoperation in distributed environment is introduced The works include a definition of ontology to describe the concepts and a declaration of rules to explicit the relationship between concepts The ontology based approach can express security policy with semantic information and provide a machine interpretation for descriptions of policy in open distributed environment.

Dana Zhang,Kotagiri Ramamohanarao,Steven Versteeg,Rui Zhang

DOI: https://doi.org/10.1145/1852666.1852694

2010-01-01

Abstract:Role Engineering for Role Based Access Control (RBAC) has emerged as a challenging area of research, both in industry and academia. The problem originates from the practical need to create a set of roles that accurately reflects the internal functionalities of an enterprise. Existing approaches that have used data mining techniques for this problem often generate too many candidate roles and do not consider the effect of a given combination of roles on the overall configuration. Identification of an ideal RBAC solution is only possible with a clear and concise evaluation of the RBAC configuration goals. To address this issue, we discuss use of the graph model for the Role Engineering problem and show how effective this approach is in the search for a role engineering solution. We evaluate and formalise the problem of identifying the minimum number of descriptive roles for RBAC using a graph model and propose how its variations can be represented. Finally, we introduce novel strategies using the proposed models for future innovation and perform experimentation on both real and synthetically generated data.

Dana Zhang,Kotagiri Ramamohanarao,Rui Zhang,Steven Versteeg

2014-01-01

Abstract:Role engineering is the process of defining a set of roles that offer administrative benefit for Role Based Access Control (RBAC), which ensures data privacy. It is a business critical task that is required by enterprises wishing to migrate to RBAC. However, existing methods of role generation have not analysed what constitutes a beneficial role and as a result, often produce inadequate solutions in a time consuming manner. To address the urgent issue of identifying high quality RBAC structures in real enterprise environments, we present a cost based analysis of the problem for both flat and hierarchical RBAC structures. Specifically we propose two cost models to evaluate the administration cost of roles and provide a k - partite graph approach to role engineering. Existing role cost evaulations are approximations that overestimate the benefit of a role. Our method and cost models can provide exact role cost and show when existing role cost evaluations can be used as a lower bound to improve efficiency without effecting quality of results. In the first work to address role engineering using large scale real data sets, we propose RoleAnnealing, a fast solution space search algorithm with incremental computation and guided search space heuristics. Our experimental results on both real and synthetic data sets demonstrate that high quality RBAC configurations that maintain data privacy are identified efficiently by RoleAnnealing. Comparison with an existing approach shows RoleAnnealing is significantly faster and produces RBAC configurations with lower cost.

Alessandro Colantonio,Roberto Di Pietro,Alberto Ocello

DOI: https://doi.org/10.1145/1363686.1364198

2008-01-01

Abstract:In recent years role-based access control (RBAC) has been spreading within organizations. However, companies still have considerable difficulty migrating to this model, due to the complexity involved in identifying a set of roles fitting the real needs of the company. All the various role engineering methods proposed thus far lack a metric for measuring the "quality" of candidate roles produced. This paper proposes a new approach guided by a cost-based metric, where "cost" represents the effort to administer the resulting RBAC. Further, we propose REAM (Role-Based Association-rule Mining), an algorithm leveraging the cost metric to find candidate role-sets with the lowest possible administration cost. For a specific parameter set, RBAM behaves as already existing role mining algorithms and is, worst case, NP-complete. Yet, we will provide several examples showing the sensibility of assumptions made by the algorithm. Further, application of the algorithm to real data will highlight the improvements over current solutions. Finally, we comment on the direction of future research.

ZHANG Shuai,SUN Jian-ling,XU Bin,HUANG Chao

DOI: https://doi.org/10.3785/j.issn.1008-973X.2012.11.015

2012-01-01

Abstract:A dynamic multiple domains access control model base on role based access control(RBAC) was proposed in order to solve the problem that current single domain based access control model cannot fulfill the authorization requirements for service compositions crossing multiple enterprises.The process structures were analyzed and a role mining algorithm was proposed to find the role set with minimized permissions that meet the access requirements of composite services.Authorization negotiations were set up among relevant domains for each cross domain operation in composite services and cross domain role mappings were built according the mined role sets with minimized cost to fulfill the cross domain operations.Based on this model,a runtime framework aligned with current industry standard was proposed to authorize dynamically based on the current running status of composite services.Simulation experiments showed the effectiveness of key part of the role mining algorithm.

Jia-Kuan Ma,Lei Shi,Ya-Sha Wang,Hong Mei

DOI: https://doi.org/10.1007/978-3-642-01680-6_13

2009-01-01

Abstract:A frequently emerging situation in process improvement is adding new concerns into existing processes. Implementing these concerns calls for changes over a series of tasks, roles, work products and tools, which usually crosscut different modules of existing process models. Lacking systematic modeling of these crosscutting concerns may raise difficulties in understanding, managing, and reusing their implementations. Aiming at such problems, in this paper we propose leveraging Process Aspect to handle these crosscutting concerns. Modeling and weaving process aspects into SPEM2.0-based processes are presented. Finally, an example is provided as a case study.

YuNing Pu,Qiang Liu

DOI: https://doi.org/10.1109/csie.2009.604

2009-01-01

Abstract:It has proved that the success of large-scale software systems depends on how accurate the huge amount of requirements is elicited and analyzed by software engineers. Large-scale software systems usually involve many participants with different needs. To handle the situation, people devise viewpoint-oriented requirement approaches, which regard every participant as a viewpoint and elicit every participantpsilas requirement respectively. Nevertheless, the crosscutting nature of requirements is not addressed by these approaches, but this can be managed using aspect-oriented concepts. Using the requirement data structure of a requirement management tool - RequisitePro for reference, this paper redesigns the structure of viewpoint in vision, and integrates aspects with the approach to deal with requirement conflicts.

Ze-Lin Liu,Zhinan Zhang,Yong Chen

DOI: https://doi.org/10.1177/1063293x12440895

2012-01-01

Abstract:In engineering design, capturing customers' requirements exactly and transforming them into design specifications are vital to designing a quality product. However, the expressions of customer requirements are normally imprecise and ambiguous due to their linguistic origins. There is still a lack of a systematic approach for elaborating these requirements and transforming them from informal to formal. Therefore, this article provides a scenario-based, systematic approach for requirements management in engineering design. The requirements management process is conceptualized as a three-phase model, and scenarios are integrated into this model for elaborating and formally representing the requirements. A case study of a soy milk maker design is also provided to demonstrate the proposed approach.

Wei Zhang,Zuoquan Lin

DOI: https://doi.org/10.4028/www.scientific.net/amr.706-708.1843

2013-01-01

Advanced Materials Research

Abstract:Although the ANSI RBAC model has achieved great success in the enterprise, it provides no mechanism for the urgent interoperation needs between distributed domains. This paper presents an ASP based approach to extend traditional RBAC model for inter-domain cooperation. We first translate the RBAC models with the IDRM problem into answer set programs, and then compute the solutions via an answer set solver. Finally, we discuss the safety and availability of our approach and ensure the models conflict-free. It is concluded that our approach supports the collaborating environments well with flexible and efficient reasoning abilities.

Dana Zhang,Kotagiri Ramamohanarao,Steven Versteeg,Rui Zhang

DOI: https://doi.org/10.1109/acsac.2009.11

2009-01-01

Abstract:Role based access control (RBAC) is a powerful security administration concept that can simplify permission assignment management. Migration to and maintenance of RBAC requires role engineering, the identification of a set of roles that offer administrative benefit. However, establishing that RBAC is desirable in a given enterprise is lacking in current role engineering processes. To help identify the practical need for RBAC, we propose RoleVAT, a Role engineering tool for the Visual Assessment of user and permission Tendencies. User and permission clusters can be visually identified as potential user groups or roles. The benefit and impact of this visual analysis in enterprise environments is discussed and demonstrated through testing on real life as well as synthetic datasets. Our experimental results show the effectiveness of RoleVAT as well as interesting user and role tendencies in real enterprise environments.

Chaoyi Pang,Xiuzhen Zhang,Yanchun Zhang,Kotagiri Ramamohanarao

2008-01-01

Abstract:Role-based access control (RBAC) has attracted considerable research interest. However, the computational issues of RBAC models are yet to be thoroughly studied. In this paper, we study the problem of efficient maintenance of large RBAC models in a database-based multi-domain Web service environment. We propose first-order (SQL) algorithms to maintain the reachability of access roles under dynamic changes. The main advantages of our algorithms are: the support of various operations required for managing access roles with fractional information of roles; the maintenance of an update through operating a bounded number of join operations despite of the data size. To the best of our knowledge, our algorithms are the first attempt to maintain RBAC models using a first-order language.

Li Qi,Xu Mingwei,Zhang Xinwen

DOI: https://doi.org/10.1109/ICDCS.Workshops.2008.26

2008-01-01

Abstract:Role-based Access Control (RBAC) has been widely deployed in many distributed systems in recent years. However, in many large-scale enterprise environments, it is difficult to manage RBAC because of the huge number of users and roles, and complex interrelationships between them. Moreover, with the development of information and communication technologies, many temporal and ad hoc collaborations between groups and departments are emerging, which require dynamic user-role and permission-role assignments. In thesescenarios it is infeasible, if not impossible, for few security officers to administrate the assignment for various applications. In this paper, we propose a novel RBAC model for decentralized and distributed systems. As one of the main contributions, we also propose a decentralizedadministration model to address the management issues in traditional RBAC systems, Our model can be used for group-based applications with dynamic assignments where typically local (group-level) administrators take charge of the dynamic assignments. In this way, many administrativetasks for different applications can spread over many different local administrators, and a fine-grained administration model of RBAC based on the local administration policies is realized. As a proof-of-conceptsystem, we implemented a secure Spread prototype based on our proposed model to show the feasibility in the real applications.

张伟,刘峰,赵海燕,梅宏

DOI: https://doi.org/10.1145/1640206.1640228

2009-01-01

Abstract:Stakeholders play critical roles in requirements elicitation, since they are the source of requirements, and the quality of elicited requirements is significantly influenced by the degree of stakeholders' participation and collaboration in elicitation. However, requirements elicitation is often obstructed due to the diversity in stakeholders' background and interests, especially in the different perspectives on the envisioned systems, the insufficient communication and common-understanding among them, and the different abilities to express requirements.

Yanhong A. Liu,Chen Wang,Michael Gorbovitski,Tom Rothamel,Yongxi Cheng,Yingchao Zhao,Jing Zhang

DOI: https://doi.org/10.1145/1111542.1111562

2006-01-01

Abstract:ABSTRACTThis paper describes a transformational method applied to the core component of role-based access control (RBAC), to derive efficient implementations from a specification based on the ANSI standard for RBAC. The method is based on the idea of incrementally maintaining the result of expensive set operations, where a new method is described and used for systematically deriving incrementalization rules. We calculate precise complexities for three variants of efficient implementations as well as for a straightforward implementation based on the specification. We describe successful prototypes and experiments for the efficient implementations and for automatically generating efficient implementations from straightforward implementations.

Xinxiu Wen,Huiqun Yu

DOI: https://doi.org/10.1109/WCSE.2010.32

2010-01-01

Abstract:Aspect-oriented modeling techniques have been proposed as solutions to separate core and crosscut concerns in the early phases of software development. However, it is not easy to weave different models and verify the correctness of woven model. This paper introduces an aspect-oriented analyzing, modeling and verifying approach to solve the above questions based on use cases and state charts. The water pump example shows the model is effective.