Lin Yao,Xiangwei Kong,Zichuan Xu

DOI: https://doi.org/10.1109/NCM.2008.75

2008-01-01

Abstract:Although RBAC models have received broad support as a generalized approach to access control, the administration of roles in large organizations can become quite cumbersome. In this paper, we develop a new paradigm for access control and authorization management, called task-role based access control (TRBAC) with multi-constraint. The basic idea of this model different from traditional RBAC is that roles and permissions are not connected directly but are put together by tasks. It is a dynamic authorization model with fine-grained partition on users, roles, tasks and sessions. The unit of task becomes the permission granularity. It is more convenient for enterprise privilege management such as distributed application,C/S access control and workflow management. It can reduce the administrator's burden and avoid some potential safety hazards because of adopted dynamic authorization.

Bo Tang,Ravi Sandhu,Qi Li

DOI: https://doi.org/10.1002/cpe.3446

2013-01-01

Abstract:The cloud service model intrinsically caters to multiple tenants, most obviously in public clouds but also in private clouds for large organizations. Currently most cloud service providers (CSPs) isolate user activities and data within a single tenant boundary with no or minimum cross-tenant interaction. It is anticipated that this situation will evolve soon to foster cross-tenant collaboration supported by Authorization as a Service (AaaS). At present there is no widely accepted model for cross-tenant authorization. Recently, Calero et al [12] informally presented a multi-tenancy authorization system (MTAS) which extends the well-known role-based access control (RBAC) model by building trust relations among collaborating tenants. In this paper we formalize this MTAS model and propose extensions for finer-grained cross-tenant trust. We also develop an administration model for MTAS (AMTAS). We demonstrate the utility and practical feasibility of MTAS by means of an example policy specification in XACML. We anticipate researchers will develop additional multi-tenant authorization models before eventual consolidation and unification.

Xiyuan Chen,Miaoliang Zhu

DOI: https://doi.org/10.4028/www.scientific.net/kem.439-440.178

2010-01-01

Abstract:Semantic; Trust Management; RBAC; User-role Assignment Abstract. The application of RBAC in access management of the enterprise services and resources is very widely. With phenomenal growth of information interaction and cooperation between distributed systems, the number of users can be in the hundreds of thousands or millions. This renders manual user-to-role assignment a formidable task. In this paper, we propose a semantic and trust based framework to automatically assign users to roles based on a finite set of assignment rules defined by authorized people in the enterprise. These rules take into consideration the attributes users own and any constraints set forth by the enterprise including the assignment history and the credit of the requester. We choose OWL to specify the user attributes.

Jonathan K. Adams,Basheer N. Bristow

DOI: https://doi.org/10.48550/arXiv.cs/0603085

2006-03-22

Cryptography and Security

Abstract:Basic role based access control [RBAC] provides a mechanism for segregating access privileges based upon a user's hierarchical roles within an organization. This model doesn't scale well when there is tight integration of multiple hierarchies. In a case where there is joint-tenancy and a requirement for different levels of disclosure based upon a user's hierarchy, or in our case, organization or company, basic RBAC requires these hierarchies to be effectively merged. Specific roles that effectively represent both the user's organizations and roles must be translated to fit within the merged hierarchy to be used to control access. Essentially, users from multiple organizations are served from a single role base with roles designed to constrain their access as needed. Our work proposes, through parameterized roles and privileges, a means for accurately representing both users' roles within their respective hierarchies for providing access to controlled objects. Using this method will reduce the amount of complexity required in terms of the number of roles and privileges. The resulting set of roles, privileges, and objects will make modeling and visualizing the access role hierarchy significantly simplified. This paper will give some background on role based access control, parameterized roles and privileges, and then focus on how RBAC with parameterized roles and privileges can be leveraged as an access control solution for the problems presented by joint tenancy.

SHEN Qing-ni,YANG Ya-hui,YU Xi,ZHANG Li-zhe,CHEN Zhong

2011-01-01

Abstract:Cloud Storage is a multi-tenancy shared environment,so achieving data separation between different users effectively in the platform has become one of issues most concerned by users.In this paper,we provide business users a flexible access control policy,which is built on top of RBAC(Role-based Access Control),combined with organization label and a variety of security attributes with logical combinations.First of all,it provides strict inter-enterprise data isolation on cloud storage,ensuring that business users could not access data which doesn't belong to their organization.Moreover,it provides proper separation of organization internal data.Business users could customize the policy flexibly according to their own security requirements,isolating data from different sectors or geographical area.Finally,the policy provides a mechanism for corporations to share data on cloud storage by introducing the concept of "virtual organization",and guarantee companies with the same conflict set of interest could not be allowed to share data through traditional Chinese Wall Policy.This paper presents the design and implementation of a prototype based Hadoop distributed file system(HDFS),including security label,security policy,security decision module,enforcement procedure of security decision and user command interface.Then it analyzes the effectiveness and performance of the security mechanisms with experiments.The result shows that the policy meets the security requirement well and loss of system run-time performance is within an acceptable range.

Tianyi Zhu,Weidong Liu,Jiaxing Song

DOI: https://doi.org/10.1109/CIT.2011.36

2011-01-01

Abstract:coRBAC is a specifically optimized RBAC system for cloud computing environment. It inherits the existing RBAC's role model and dRBAC's domain model, optimizes and improves the access control system for services which are hosted on the cloud computing platform. coRBAC greatly improves the certification process and user experience by reducing the unnecessary process of establishing secure connection and setting up multi-level cache, reduces the space complexity and time complexity of access control system.

ZHANG Shuai,SUN Jian-ling,XU Bin,HUANG Chao

DOI: https://doi.org/10.3785/j.issn.1008-973X.2012.11.015

2012-01-01

Abstract:A dynamic multiple domains access control model base on role based access control(RBAC) was proposed in order to solve the problem that current single domain based access control model cannot fulfill the authorization requirements for service compositions crossing multiple enterprises.The process structures were analyzed and a role mining algorithm was proposed to find the role set with minimized permissions that meet the access requirements of composite services.Authorization negotiations were set up among relevant domains for each cross domain operation in composite services and cross domain role mappings were built according the mined role sets with minimized cost to fulfill the cross domain operations.Based on this model,a runtime framework aligned with current industry standard was proposed to authorize dynamically based on the current running status of composite services.Simulation experiments showed the effectiveness of key part of the role mining algorithm.

Qi Li,Xinwen Zhang,Mingwei Xu,Jianping Wu

DOI: https://doi.org/10.1016/j.cose.2008.12.004

IF: 5.105

2009-01-01

Computers & Security

Abstract:Role-Based Access Control (RBAC) has become a popular technique for security purposes with increasing accessibility of information and data, especially in large-scale enterprise environments. However, authorization management in dynamic and ad-hoc collaborations between different groups or domains in these environments is still an unresolved problem. Traditional RBAC models cannot solve this problem because they cannot support security policy composition from different groups, and lack efficient administrative models for dynamic collaborations. In this paper, we propose a group-based RBAC model (GB-RBAC) for secure collaborations which is based on RBAC96 and extended with group concept to capture dynamic users and permissions. We propose a decentralized security administrative model for GB-RBAC to address the management issues of RBAC in collaborations. As a unique property, our model supports two levels of authorization management: global or system level management by system administrators and local or group level management by group administrators. In this way, our model implements the principles of management autonomy and separation of duty (SoD) in security administrations. We apply our model for authorization management in collaborations by introducing the concept of virtual group. A virtual group is built for a collaboration between multi-groups, where all members build trust relation within the group and are authorized to join and perform operations for the collaborative work. Compared with existing work, our model supports dynamic and ad-hoc collaborations in large-scale systems with the properties of controllable, decentralized, and fine-grained security management.

Xu Jing,Zhengnan Liu,Shuqin Li,Bin Qiao,Gexu Tan

DOI: https://doi.org/10.1007/s13198-015-0411-1

2015-12-22

International Journal of System Assurance Engineering and Management

Abstract:In traditional role-based access control (RBAC) model, the permission is bound with identity statically, without being dynamically adjusted by user behavior. Cloud users distribute widely and constitute complex and have legitimate identity whose behavior may be incredible, but any attack is achieved through malicious behavior. The cloud-user behavior assessment based dynamic access control model was proposed by introducing user behavior risk value, user trust degree and other factors into RBAC. First, the times of threat behavior was introduced into the information security risk equation to improve the accuracy of user behavior risk value. Then, both the times of threat behavior and the uneven interval of risk threshold were introduced the trust model based on behavior risk evolution to improve the accuracy of user trust degree. Finally, the dynamic authorization was achieved by mapping trust level and permissions. By the simulation experiment in a small campus cloud system, it can be shown that the change of user behavior risk value and user trust degree is more rational under different times and frequencies of threat behavior, and dynamic authorization is flexible by mapping the risk level and the user permissions.

Ran Yang,Chuang Lin,Yixin Jiang,Xiaowen Chu

DOI: https://doi.org/10.1109/icc.2011.5963329

2011-01-01

Communications

Abstract:The rapid development of applications running on global information infrastructure poses the problem of securing information sharing among domain collaborations. Existing access control models are defective in dynamic authorization based on user's trustworthiness and do not take full advantages of the infrastructure in implementing access control system. In this work, we propose a trust and role based access control model and the corresponding framework in infrastructure-centric environment. With the extension to RBAC model, trust level requirements, which dictate that the roles in the privilege context must be activated by the trustworthy user, can be specified. The comprehensive trust model, which calculates the user's trust level in multiple trust contexts based on behavior histories, is proposed. Moreover, by taking advantages of the infrastructure services, our scheme is flexible and scalable in that system administrators are free to choose custom scoring functions while the infrastructure trust evaluation services are relieved of the heavy burdens of history record maintenance and trust level update.

Qi Li,Xinwen Zhang,Sihan Qing,Mingwei Xu

DOI: https://doi.org/10.1109/colcom.2006.361887

2006-01-01

Abstract:With the increasing accessibility of information and data, role-based access control (RBAC) has become a popular technique for security and privacy purposes. However, trusted collaboration between different groups in large corporate Intranets is still an unresolved problem. The challenge is how to extend existing access control model for efficient security management and administration to allow trusted collaboration between different groups. In this paper, we propose a group-based RBAC model (GB-RBAC) for this purpose. In particular, virtual group is proposed in our model to allow secure information and resource sharing in multi-group collaboration environments. All the members of a virtual group build trust relation between themselves and are authorized to join the collaborative work. The scheme and strategies provided in this paper meet the requirements of security, autonomy, and privacy for collaborations. As a result, our scheme provides an easy way to employ RBAC policies to secure ad-hoc collaboration

Quratulain Alam,Saif U. R. Malik,Adnan Akhunzada,Kim-Kwang Raymond Choo,Saher Tabbasum,Masoom Alam

DOI: https://doi.org/10.1109/tifs.2016.2646639

IF: 7.231

2017-06-01

IEEE Transactions on Information Forensics and Security

Abstract:Sharing of resources on the cloud can be achieved on a large scale, since it is cost effective and location independent. Despite the hype surrounding cloud computing, organizations are still reluctant to deploy their businesses in the cloud computing environment due to concerns in secure resource sharing. In this paper, we propose a cloud resource mediation service offered by cloud service providers, which plays the role of trusted third party among its different tenants. This paper formally specifies the resource sharing mechanism between two different tenants in the presence of our proposed cloud resource mediation service. The correctness of permission activation and delegation mechanism among different tenants using four distinct algorithms (activation, delegation, forward revocation, and backward revocation) is also demonstrated using formal verification. The performance analysis suggests that the sharing of resources can be performed securely and efficiently across different tenants of the cloud.

袁平鹏,陈刚,董金祥

DOI: https://doi.org/10.3321/j.issn:1003-9775.2004.04.006

2004-01-01

Abstract:An access control paradigm composed of basic model and role model is proposed for collaborative applications. Basic model specifies the relationship among privileges and the way of ranking privileges. It relates privilege with operations on the objects, so the model appears more straightforward. Moreover, if Brokers' implementation permits, the model can support any grained access control. Role model re-defines the role concept of RBAC96, divides the permissions of role into public permissions, protect permissions and private permissions. It allows user to define roles more flexibly, prevents private permissions of roles from being inherited and reduces the definition of ancillary roles.

Kaiping Xue,Yingjie Xue,Jianan Hong,Wei Li,Hao Yue,David S. L. Wei,Peilin Hong

DOI: https://doi.org/10.1109/tifs.2016.2647222

IF: 7.231

2017-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Data access control is a challenging issue in public cloud storage systems. Ciphertext-policy attribute-based encryption (CP-ABE) has been adopted as a promising technique to provide flexible, fine-grained, and secure data access control for cloud storage with honest-but-curious cloud servers. However, in the existing CP-ABE schemes, the single attribute authority must execute the time-consuming user legitimacy verification and secret key distribution, and hence, it results in a single-point performance bottleneck when a CP-ABE scheme is adopted in a large-scale cloud storage system. Users may be stuck in the waiting queue for a long period to obtain their secret keys, thereby resulting in low efficiency of the system. Although multiauthority access control schemes have been proposed, these schemes still cannot overcome the drawbacks of single-point bottleneck and low efficiency, due to the fact that each of the authorities still independently manages a disjoint attribute set. In this paper, we propose a novel heterogeneous framework to remove the problem of single-point performance bottleneck and provide a more efficient access control scheme with an auditing mechanism. Our framework employs multiple attribute authorities to share the load of user legitimacy verification. Meanwhile, in our scheme, a central authority is introduced to generate secret keys for legitimacy verified users. Unlike other multi-authority access control schemes, each of the authorities in our scheme manages the whole attribute set individually. To enhance security, we also propose an auditing mechanism to detect which attribute authority has incorrectly or maliciously performed the legitimacy verification procedure. Analysis shows that our system not only guarantees the security requirements but also makes great performance improvement on key generation.

Zhang Xiantao,Li Qi,Qing Sihan,Zhang Huanguo,Zhang Liqiang

DOI: https://doi.org/10.1109/ISCIT.2007.4392214

2007-01-01

Abstract:Role-based Access Control (RBAC) become an important techniques to secure e-commerce systems during recent years. However, RBAC management issue is still an unresolved problem. Moreover, with the development of IT technologies in many departments, there emerge many group communications which require dynamic user-role assignments. In these scenarios it is infeasible for few security officers to administrate the assignment for local variant applications. In this paper, we propose a novel RBAC model for decentralized and distributed systems. We also present an administration model of our PBAC model to address the management issues in traditional RBAC systems. As one of the main contributions, this paper proposes a decentralized administration model by introducing a component of group assignment to implement a novel user authorization mechanism and a new user-role assignment (UA) approach which provides a two-level administration for user and role management through the concept of group. Our model can be applied for the current group communication applications with dynamic assignments where typically local administrators take charge of the dynamic assignments. In this way, many administrative tasks for different applications can spread over many different local administrators, and a fine-grained administration model of RBAC based on the local administration policies is realized. As a proof-of-concept we implemented a prototype in Xen virtualization environment based on our proposed model to secure real distributed applications.

王刚,宋执环

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.09.044

2002-01-01

Abstract:In this paper, the construction of role-based access control is discussed. Aiming at the complexity of the subjects, combined with the particularity of actions and objects in document management, considering the restriction of subject and the state of object, some improvement is made in the original RBAC and a new team-role-based document access control which is named TRBDAC model is presented. ;

Yingjie Xue,Kaiping Xue,Na Gai,Jianan Hong,David S. L. Wei,Peilin Hong

DOI: https://doi.org/10.1109/tifs.2019.2911166

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In public cloud storage services, data are outsourced to semi-trusted cloud servers which are outside of data owners' trusted domain. To prevent untrustworthy service providers from accessing data owners' sensitive data, outsourced data are often encrypted. In this scenario, conducting access control over these data becomes a challenging issue. Attribute-based encryption (ABE) has been proved to be a powerful cryptographic tool to express access policies over attributes, which can provide a fine-grained, flexible, and secure access control over outsourced data. However, the existing ABE-based access control schemes do not support users to gain access permission by collaboration. In this paper, we explore a special attribute-based access control scenario where multiple users having different attribute sets can collaborate to gain access permission if the data owner allows their collaboration in the access policy. Meanwhile, the collaboration that is not designated in the access policy should be regarded as a collusion and the access request will be denied. We propose an attribute-based controlled collaborative access control scheme through designating translation nodes in the access structure. Security analysis shows that our proposed scheme can guarantee data confidentiality and has many other critical security properties. Extensive performance analysis shows that our proposed scheme is efficient in terms of storage and computation overhead.

Mamoon Rashid,Er. Rishma Chawla

DOI: https://doi.org/10.48550/arXiv.1312.0114

2013-11-30

Abstract:Role-based access control (RBAC) models have generated a great interest in the security community as a powerful and generalized approach to security management and ability to model organizational structure and their capability to reduce administrative expenses. In this paper, we highlight the drawbacks of latest developed RBAC models in terms of access control and authorization and later provide a more viable extended-RBAC model, which enhances and extends its powers to make any system more secure by adding valuable constraints. Later the Blobs are stored on cloud server which is then accessed by the end users via this Extended RBAC model.

Distributed, Parallel, and Cluster Computing,Cryptography and Security

Mang Su,Anmin Fu,Yan Yu,Guozhen Shi

DOI: https://doi.org/10.1109/trustcom.2016.0299

2016-01-01

Abstract:More and more people prefer to obtain information from cloud. Different users tend to access different resources they interested at anytime across different networks by a variety of equipments. As same as the traditional management of file, the lifecycle theory is still suitable the electronic data in cloud computing. Firstly, we analyze the motivation of access control in cloud, and summarize the security requirements for the data management in the whole lifecycle. Second, we propose a resource-centric dynamic adaptive access control model (RCDA), which is extended from the action-based access control (ABAC). RCDA is able to describe other access control models through the way of customization. Furthermore, we give the scheme for implementation of RCDA. Finally, we make the comparisons between the RCDA and other existing models, and the results indicate that RCDA is able to satisfy the security requirements for the whole lifecycle of data by adaptively adjusting the access control policies.

Ok-Chol Ri,Yong-Jin Kim,You-Jin Jong

DOI: https://doi.org/10.48550/arXiv.2203.00351

2022-03-04

Abstract:In recent years, cloud computing has been developing rapidly and is widely used in various fields such as commerce and scientific research. However, security issues, including access control, are a very important problem in popularizing cloud computing and this has influenced its wide application of cloud computing. As one of the solutions to these problems, we have proposed a blockchain-based role-based access control model with the separation of duties constraints in a cloud environment. In the model, we used Hyperledger Fabric as a blockchain platform for storing the access control policies and provided several functions for effective role management. In addition, we presented an access control scheme for cloud storage data by combining the proposed model and the verification mechanism for the user's ownership of a role and analyzed the security properties of the scheme. Finally, we deployed Hyperledger Fabric test network, implemented an online test system that performs access control using the proposed scheme in the Ali cloud environment, and evaluated the model performance in this scenario.

Cryptography and Security