Chen Zhao,NuerMaimaiti Heilili,Shengping Liu,Zuoquan Lin

2005-01-01

Abstract:Role-Based Access Control (RBAC) has been recognized as a strategy which reduces the cost and complexity of security administration in large-scale networked applications. A general family of RBAC models called RBAC96 was proposed by Sandhu et al. [1], which formally deflnes the relations among user, role and permission using the notion of set membership. Constraints is an important aspect of RBAC, which impose restrictions on acceptable conflgurations of the difierent components of RBAC. Nevertheless, it was discussed informally in the RBAC96 model. There has been some efiorts to present a logical framework for the access control models. Most of these works are based on flrst-order logic or its extensions. However, excessively rich expressiveness may bring on complex computation and confusion. We present a novel formalization of RBAC using a description logic approach. Compared with flrst-order logic, DLs achieve a better tradeofi between the computational complexity of reasoning and the expressiveness of the language. We choose the DL language ALC to represent core and hierarchical RBAC, and ALCQ that extends ALC by qualifled number restrictions to express RBAC constraints, including separation of duty and role cardinality. Based on our logical framework it is feasible to reason about RBAC and check the consistency of RBAC with constraints via a DL reasoner(e.g. RACER).

Chen Zhao,Nuermaimaiti Heilili,Shengping Liu,Zuoquan Lin

DOI: https://doi.org/10.1007/11560647_25

2005-01-01

Abstract:Role-based access control (RBAC) is recognized as an excellent model for access control in large-scale networked applications. Formalization of RBAC in a logical approach makes it feasible to reason about a specified policy and verify its correctness. We propose a formalization of RBAC by the description logic language $\mathcal{ALCQ}$. We also show that the RBAC constraints can be captured by $\mathcal{ALCQ}$. Furthermore, we demonstrate how to make access control decision, perform the RBAC functions as well as check the consistency of RBAC via the description logic reasoner RACER.

JIANG Jie,ZHANG Jie,CHEN De-ren

DOI: https://doi.org/10.3785/j.issn.1008-973x.2009.09.011

2009-01-01

Abstract:An extended context-aware role based access control(RBAC) based on reasoning(RC-RBAC) model was proposed by integrating the single context-aware RBAC and reasoning-based RBAC in order to solve the problems of the Absence of the adjustment and generation of the context-aware condition dynamically and the incapacity of updating the user authorization according to the adjusted constrain conditions in the existing RBAC.The extended model used the rule reasoning to adjust and generate the context constrains dynamically and start the common sensors and the self-defined sensors to collect the attribute values of the conditions.The access permission to the sensitive data was updated in real time based on the context-aware logic reasoning using the user rules and permission rules.The application results show that the extended RC-RBAC model can be employed in the distributed environment to satisfy the need of the dynamic authorization and reduce the real-time access control management complexity.

Lin Yao,Xiangwei Kong,Zichuan Xu

DOI: https://doi.org/10.1109/NCM.2008.75

2008-01-01

Abstract:Although RBAC models have received broad support as a generalized approach to access control, the administration of roles in large organizations can become quite cumbersome. In this paper, we develop a new paradigm for access control and authorization management, called task-role based access control (TRBAC) with multi-constraint. The basic idea of this model different from traditional RBAC is that roles and permissions are not connected directly but are put together by tasks. It is a dynamic authorization model with fine-grained partition on users, roles, tasks and sessions. The unit of task becomes the permission granularity. It is more convenient for enterprise privilege management such as distributed application,C/S access control and workflow management. It can reduce the administrator's burden and avoid some potential safety hazards because of adopted dynamic authorization.

Xiyuan Chen,Miaoliang Zhu

DOI: https://doi.org/10.4028/www.scientific.net/kem.439-440.178

2010-01-01

Abstract:Semantic; Trust Management; RBAC; User-role Assignment Abstract. The application of RBAC in access management of the enterprise services and resources is very widely. With phenomenal growth of information interaction and cooperation between distributed systems, the number of users can be in the hundreds of thousands or millions. This renders manual user-to-role assignment a formidable task. In this paper, we propose a semantic and trust based framework to automatically assign users to roles based on a finite set of assignment rules defined by authorized people in the enterprise. These rules take into consideration the attributes users own and any constraints set forth by the enterprise including the assignment history and the credit of the requester. We choose OWL to specify the user attributes.

Di Wu,Xiyuan Chen,Jian Lin,Miaoliang Zhu

DOI: https://doi.org/10.1007/11836025_19

2006-01-01

Abstract:Today, the formulation, specification, and verification of adequate data protection policies in open distributed environment appear as the main challenge to address concerning authorization Role-based access control models have attracted considerable research interest in recent years due to their innate ability to model organizational structure and their potential to reduce administrative overheads This paper proposes ontology specification to describe Role-based Access Control model and extend it with a general context expression Based on these definitions, the specification for interoperation in distributed environment is introduced The works include a definition of ontology to describe the concepts and a declaration of rules to explicit the relationship between concepts The ontology based approach can express security policy with semantic information and provide a machine interpretation for descriptions of policy in open distributed environment.

Wu Di,Jian Lin,Yabo Dong,Miaoliang Zhu

DOI: https://doi.org/10.1109/PDCAT.2005.247

2005-01-01

Abstract:Role-based access control (RBAC) models have generated a great interest in the security community as a powerful and generalized approach to security management. One of important aspects in RBAC is constraints that constrain what components in RBAC are allowed to do. There are lots of research have been achieved to specify constraints for secure system developers. However more work is need urgently to met requirements for interoperability of machine and people understandable constraints specification in open and distributed environment. In this paper we propose another approach to specify constraints using Semantic Web technologies. The Web Ontology Language (OWL) specification of basic RBAC components and constraints are described in detail.

Nizamuddin Channa,Shanping Li

DOI: https://doi.org/10.1007/11730262_10

2006-01-01

Abstract:The Expressive Language ALCNHR+(D) provides conjunction, full negation, quantifiers, number restrictions, role hierarchies, transitively closed roles and concrete domains. In addition to the operators known from ALCNHR+, a restricted existential predicate restriction operator for concrete domains is supported. In order to capture the semantic of complicated knowledge reasoning model, the expressive language ALCNHR+K(D) is introduced. It cannot only be able to represent knowledge about concrete domain and constraints, but also rules in some sense of closed world semantic model hypothesis. The paper investigates an extension to description logic based knowledge reasoning by means o f decomposing and rewriting complicated hybrid concepts into partitions. We present an approach that automatically decomposes the whole knowledge base into description logic compatible and constraints solver. Our arguments are two-fold. First, complex description logics with powerful representation ability lack effectively reasoning ability and second, how to reason with the combination of inferences from distributed heterogeneous reasoner.

Wei Zhang,Zuoquan Lin

DOI: https://doi.org/10.1007/978-3-642-39787-5_19

2013-01-01

Abstract:Role-Based Access Control (RBAC) is recognized as the predominant model for access control nowadays. However, the ANSI RBAC model provides no mechanism for various rules and policies. To address this issue, a formal logical foundation of RBAC is urgently needed. In this paper, we present an ASPbased nonmonotonic approach to formalize ANIS RBAC model. The proposed formalization provides a proper expression for RBAC components, and an efficient reasoning mechanism for authorization decisions. We show that the formalism can capture RBAC models well and accomplish specific nonmonotonic reasoning tasks flexibly.

Kai Ouyang,Hengqing Wang,Lijun Dong,Jingli Zhou

DOI: https://doi.org/10.13245/j.hust.2008.10.020

2008-01-01

Abstract:MD-RBAC (multi-dimensional role based access control) model was presented after GTRBAC (generalized temporal role based access control) model and the CT-RBAC (conditional temporal role based access control) models were analyzed, which is designed to have the capability to capture multi concurrent context parameters in RBAC. In MD-RBAC, the notions of the constraint dimension and the constraint space were introcuced: one type of constraints which represents one type security factor is one constraint dimension, and the constraint space is composed of all types of constraints. Based on the above notions, one reliable constraint framework is provided for the RBAC model, by which the RBAC model can be easily applicable for sophisticated environments and the flexibility and variety of the constraint control mechanism is improved. Furthermore, we enrich the predicate state semantics in MD-RBAC and analyze the conflict event and the conflict constraint for the multi-dimensional constraint semantics.

皮建勇,刘心松

DOI: https://doi.org/10.3969/j.issn.1009-3087.2005.01.027

2005-01-01

Abstract:In order to express the complicated and dynamic access control authorization relations in the real world,a novel model—TD-RBAC(Task-based Dynamic RBAC) was proposed.The concurrent transaction logic was described by the extended predicate task model and the dynamic constraint relations among the subtasks was found out by analyzing the concurrent executive net of subtasks.The dynamic role constraint relations based on the traditional RBAC was extended. The analysis of the performance evaluating showed that the TD-RBAC has favorable access control efficiency under the distributed parallel computing.

ZHANG Shuai,SUN Jian-ling,XU Bin,HUANG Chao

DOI: https://doi.org/10.3785/j.issn.1008-973X.2012.11.015

2012-01-01

Abstract:A dynamic multiple domains access control model base on role based access control(RBAC) was proposed in order to solve the problem that current single domain based access control model cannot fulfill the authorization requirements for service compositions crossing multiple enterprises.The process structures were analyzed and a role mining algorithm was proposed to find the role set with minimized permissions that meet the access requirements of composite services.Authorization negotiations were set up among relevant domains for each cross domain operation in composite services and cross domain role mappings were built according the mined role sets with minimized cost to fulfill the cross domain operations.Based on this model,a runtime framework aligned with current industry standard was proposed to authorize dynamically based on the current running status of composite services.Simulation experiments showed the effectiveness of key part of the role mining algorithm.

Chunhua GU,Xueqin ZHANG,Guoxin SONG

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.12.063

2006-01-01

Abstract:The paper puts forward a delegation logic based access control model (DLBAC). It translates the credentials, RBAC elements and access policies into unified delegation logic rules. An access unit (AU) wraps an AC system. The standard interface of AU is also defined. Then, the external access control is transformed into internal access control. This AC model can protect the assets and share the resource in collaborative environment.

Chaoyi Pang,David P. Hansen,Anthony J. Maeder

DOI: https://doi.org/10.1145/1229285.1229306

2007-01-01

Abstract:ABSTRACTIn this paper, we study the maintenance of role-based access control (RBAC) models in database environments using transitive closure relations. In particular, the algorithms that express and remove redundancy from a component, a RBAC state, and from conflict constraints. The transitive closure relations on a RBAC state specify the reachability among user groups, roles and from user groups to roles. These relations can assist the process of authorization and make some queries easier to answer. Paper [17] shows that the transitive closure relations on a RBAC model can be used to manage and maintain the model's dynamic changes in a simple and efficient way. In this paper, we firstly show that the transitive closure relations are natural byproducts when formulating RBAC components. We then adapt the conventional RBAC model to accord the inherent reachability of a RBAC model. We show that the use of transitive closure relations as the auxiliary relations for the maintenance of a RBAC state alleviates the process of query evaluation, removing redundancy and the description of hierarchies. Thirdly, in the presence of conflict constraints, we explain how conflicts can be expressed, checked and evaluated under the existence of TC relations, in addition to the removal of conflicts redundancy and finding inferred conflicts. Lastly, we briefly discuss the first-order maintenance operations.All the algorithms for the maintenance are first-order algorithms with simple structures and can be implemented in SQL.

Ting Cai,Qingbin Nie,kai Ouyang,Jingli Zhou

DOI: https://doi.org/10.3969/j.issn.1001-3695.2016.03.055

2016-01-01

Abstract:In view of these shortcomings in describing permission inheritance relationships and simulating the complex organi-zations with the traditional role-based access control (RBAC)model,this paper proposed a role-extended-based RBAC model (MR-RBAC).In this model,it introduced mini-roles between roles and permissions and formally defined the model’s basic sets and relevant functions.Meanwhile,it also deep researched the types of roles’permissions and the relationships of roles in the extended model,and addressed the concept of mini-roles and a generation algorithm of roles.Analysis shows that MR-RBAC model improves roles’hierarchy structure and permission inheritance,which introduces such advantages of fine-grained authorization,scalability,expandability and security.Finally,a test for model’s performance indicates that the impact on time performance of prototype system is not seriously after classifying the mini-roles.

XU Zhen,LI Lan,FENG Deng-Guo

DOI: https://doi.org/10.1360/jos160970

2005-01-01

Abstract:Delegation is an important security policy that should be supported by RBAC model. The basic idea of delegation is that some active entity in a system delegates authority to another active entity to carry out some functions on behalf of the former. The grantor of the delegated roles should be responsible for the usage of them, so constraints on the usage of the delegated roles are critical components of the whole delegation model. Currently, there’re some models that extend RBAC model to support role delegation. However, their supports for constraints on the usage of delegated roles are very limited. This paper presents the requirements of role-based delegation, including temporary constraints, regular role dependency constraints, partial delegation constraints and propagation constraints. The former two kinds of constraints are modeled with a formal model – CRDM, which provides the foundation for applications in need of the constrained delegation.

Zhenxing Luo,Jing Chen,Zuoquan Lin

DOI: https://doi.org/10.1109/lcn.2008.4664239

2008-01-01

Abstract:Role based access control (RBAC) has emerged as a leading access control model to other traditional access control models. However, the traditional RBAC models can not capture fine-grained authorization with mono-type inheritance. In this paper, we discuss the hybrid inheritance based on our extended RBAC model, which is very desirable for capturing the fine-grained access control permissions. When the hybrid inheritances coexist in a role hierarchy, inferring such indirect relations between a pair of roles can became very complex. In particular, we study how the new inheritance relations between roles that are indirectly related can be easily derived through the inference rules, which provides a basis for formally analyzing the hybrid inheritances.

Han Jian-min,Li Xi-yu,Yu Hui-qun,Tong Jun

DOI: https://doi.org/10.1109/grc.2008.4664701

2009-01-01

Abstract:RBAC(Role-Based Access Control) has been widely investigated and adopted for its simplicity and effectiveness. However there still exist some defects in it, including: (1) traditional RBAC does not consider time and context factors. (2) traditional RBAC only defines a simple logical relationship among roles and permissions, which makes it incompetent to solve authorization problem for large-scale dynamic systems. To remedy these defects, the paper introduces granular computing to RBAC and proposes G-P-BA C modeL G-RBAC granulates permissions and roles, and introduces time and context factors to them. The paper also defines elements' logical relationship in G-RBAC based on granular logic and realizes authorization decision-making by granular logic reasoning. The application examples show that G-RBAC can enhance flexibility of authorization, and realize fine grained access control effectively for large scale enterprise information system.

Qingguo Xie

2006-01-01

Abstract:An Ontology-based approach to define the authorization policies of an RB-RBAC model wasproposed ,by which one can effectively define complex attribute expressions,quasi-order relation definition among attribute values and role hierarchies among roles in the OWL style policies.Comparison between attribute expressions without identical syntax structures is permitted to gain an insight into the relationships of all kinds of authorization rules.We can make authorization decision and perform seniority levels reasoning via an OWL reasoner.Moreover,conflicts among related authorization rules can be detected by consistency check.

TIAN Li-qin,JI Tie-guo,LIN Chuang,YIANG Yiang

DOI: https://doi.org/10.3778/j.issn.1002-8331.2008.19.004

2008-01-01

Abstract:The paper establishes a user behaviour trust and Role-Based Access Control(RBAC) model,which introduces the attribute concept and adds the user behaviour trust degree set on the basis of RBAC model.The detailed description and the authorization flow are given in the article.At last the model is analyzed from the dynamic performance and trust mechanism and role numbers and work performance.The new access control achieves the dynamic authorization by the dynamic assignment of role attributes and achieves the connection identity trust with behavior trust by setting the trust degree as an obligatory attribute,which changes the static authorization only based the identity of existing access control models.The model can reduce the role number by setting the attributes for the role,which can lighten the role management burden caused by the large number roles and improve the performance at the same time.