Lin Yao,Xiangwei Kong,Zichuan Xu

DOI: https://doi.org/10.1109/NCM.2008.75

2008-01-01

Abstract:Although RBAC models have received broad support as a generalized approach to access control, the administration of roles in large organizations can become quite cumbersome. In this paper, we develop a new paradigm for access control and authorization management, called task-role based access control (TRBAC) with multi-constraint. The basic idea of this model different from traditional RBAC is that roles and permissions are not connected directly but are put together by tasks. It is a dynamic authorization model with fine-grained partition on users, roles, tasks and sessions. The unit of task becomes the permission granularity. It is more convenient for enterprise privilege management such as distributed application,C/S access control and workflow management. It can reduce the administrator's burden and avoid some potential safety hazards because of adopted dynamic authorization.

Xiyuan Chen,Miaoliang Zhu

DOI: https://doi.org/10.4028/www.scientific.net/kem.439-440.178

2010-01-01

Abstract:Semantic; Trust Management; RBAC; User-role Assignment Abstract. The application of RBAC in access management of the enterprise services and resources is very widely. With phenomenal growth of information interaction and cooperation between distributed systems, the number of users can be in the hundreds of thousands or millions. This renders manual user-to-role assignment a formidable task. In this paper, we propose a semantic and trust based framework to automatically assign users to roles based on a finite set of assignment rules defined by authorized people in the enterprise. These rules take into consideration the attributes users own and any constraints set forth by the enterprise including the assignment history and the credit of the requester. We choose OWL to specify the user attributes.

Di Wu,Xiyuan Chen,Jian Lin,Miaoliang Zhu

DOI: https://doi.org/10.1007/11836025_19

2006-01-01

Abstract:Today, the formulation, specification, and verification of adequate data protection policies in open distributed environment appear as the main challenge to address concerning authorization Role-based access control models have attracted considerable research interest in recent years due to their innate ability to model organizational structure and their potential to reduce administrative overheads This paper proposes ontology specification to describe Role-based Access Control model and extend it with a general context expression Based on these definitions, the specification for interoperation in distributed environment is introduced The works include a definition of ontology to describe the concepts and a declaration of rules to explicit the relationship between concepts The ontology based approach can express security policy with semantic information and provide a machine interpretation for descriptions of policy in open distributed environment.

JIANG Jie,ZHANG Jie,CHEN De-ren

DOI: https://doi.org/10.3785/j.issn.1008-973x.2009.09.011

2009-01-01

Abstract:An extended context-aware role based access control(RBAC) based on reasoning(RC-RBAC) model was proposed by integrating the single context-aware RBAC and reasoning-based RBAC in order to solve the problems of the Absence of the adjustment and generation of the context-aware condition dynamically and the incapacity of updating the user authorization according to the adjusted constrain conditions in the existing RBAC.The extended model used the rule reasoning to adjust and generate the context constrains dynamically and start the common sensors and the self-defined sensors to collect the attribute values of the conditions.The access permission to the sensitive data was updated in real time based on the context-aware logic reasoning using the user rules and permission rules.The application results show that the extended RC-RBAC model can be employed in the distributed environment to satisfy the need of the dynamic authorization and reduce the real-time access control management complexity.

Wu Di,Jian Lin,Yabo Dong,Miaoliang Zhu

DOI: https://doi.org/10.1109/PDCAT.2005.247

2005-01-01

Abstract:Role-based access control (RBAC) models have generated a great interest in the security community as a powerful and generalized approach to security management. One of important aspects in RBAC is constraints that constrain what components in RBAC are allowed to do. There are lots of research have been achieved to specify constraints for secure system developers. However more work is need urgently to met requirements for interoperability of machine and people understandable constraints specification in open and distributed environment. In this paper we propose another approach to specify constraints using Semantic Web technologies. The Web Ontology Language (OWL) specification of basic RBAC components and constraints are described in detail.

ZHANG Shuai,SUN Jian-ling,XU Bin,HUANG Chao

DOI: https://doi.org/10.3785/j.issn.1008-973X.2012.11.015

2012-01-01

Abstract:A dynamic multiple domains access control model base on role based access control(RBAC) was proposed in order to solve the problem that current single domain based access control model cannot fulfill the authorization requirements for service compositions crossing multiple enterprises.The process structures were analyzed and a role mining algorithm was proposed to find the role set with minimized permissions that meet the access requirements of composite services.Authorization negotiations were set up among relevant domains for each cross domain operation in composite services and cross domain role mappings were built according the mined role sets with minimized cost to fulfill the cross domain operations.Based on this model,a runtime framework aligned with current industry standard was proposed to authorize dynamically based on the current running status of composite services.Simulation experiments showed the effectiveness of key part of the role mining algorithm.

Wei Zhang,Zuoquan Lin

DOI: https://doi.org/10.1007/978-3-642-39787-5_19

2013-01-01

Abstract:Role-Based Access Control (RBAC) is recognized as the predominant model for access control nowadays. However, the ANSI RBAC model provides no mechanism for various rules and policies. To address this issue, a formal logical foundation of RBAC is urgently needed. In this paper, we present an ASPbased nonmonotonic approach to formalize ANIS RBAC model. The proposed formalization provides a proper expression for RBAC components, and an efficient reasoning mechanism for authorization decisions. We show that the formalism can capture RBAC models well and accomplish specific nonmonotonic reasoning tasks flexibly.

Xiyuan Chen,Di Wu.,Jian Lin,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICCIAS.2006.295308

2006-01-01

Abstract:To satisfy the requirements of secure interoperation among distributed systems, a security violation detection method for RBAC based interoperation is proposed We carry out the discussion in the scope of Core RBAC and Hierarchy RBAC. To better illustrate the method for RBAC based interoperation, a formal definition of secure interoperation in RBAC systems has been introduced. Security violation of interoperation with role mappings in the distributed systems is analyzed. Based on these discussions, a minimum security violation detection method for RBAC based interoperation according to the feature of RBAC system and the inherent characteristic of interoperation in distributed environment is introduced. The minimum detection method provides good performance reducing complexity by decreasing amount of roles involved in detection.

Zhiwen Zou,Changqian Chen,Shiguang Ju,Jiming Chen

DOI: https://doi.org/10.1007/978-3-642-12189-0_26

2010-01-01

Abstract:The Spatial Role-Based Access Control (SRBAC) model was discussed in this paper. Firstly, the formal definition of SRBAC Model was given; then the region coverage constraint of spatial object, duration constraint of spatial object, various spatial object separations of duty constraints and spatial object cardinality constraint of role activation were researched; after extending the traditional session, the strategy of eliminating the conflictive session was presented; Finally, the role hierarchy has been discussed under the spatial environment. Combined with practical application, the theory of secure DBMS was optimized and afforded to build the stricter system.

周鑫,潘理

DOI: https://doi.org/10.3969/j.issn.1009-8054.2012.05.049

2012-01-01

Abstract:For RBAC-based multi-domain systems, a reliable static role mapping mechanism that integrates multidomain policies without any constraint conflict is presented. By introduction of the equivalent permission concept, the goal of policy integration is defined, and the hybrid hierarchy is supported in this integration mechanism. The principle of non-rising permission and the role mapping attributes are proposed in order to achieve fine granulation and secure global policies. Due to the low algorithm complexity, this algorithm could be easily applied in practical scenarios.

Yahui Lu,Li Zhang,Yinbo Liu,Jiaguang Sun

DOI: https://doi.org/10.1109/cscwd.2006.253050

2006-01-01

Abstract:Role-based access control (RBAC) models have been successfully implemented in various information systems in recent years. However, the traditional centralized authorization and administration mechanisms in RBAC have several drawbacks in collaborative environments. In this paper, we propose a distributed Domain Administration of RBAC Model, DARBAC, in which the authorization and administration privileges are distributed to multiple administrative domains. Each administrative role is assigned to an administrative domain and can only execute administrative operations within its domain. By introducing the concept of administrative domain and administrative role hierarchy, the DARBAC model can flexibly meet the access control requirements in collaborative environments. We also describe how to implement the model in the PLM product and how to apply the model in a distributed enterprise environment to support cooperative work.

Jun Zheng,Yu-an Tan,Qikun Zhang,Xin Sun,Yichun Chen

DOI: https://doi.org/10.1007/978-3-642-23226-8_69

2011-01-01

Abstract:Targeted at problems of role distribution aberration, role switching inheritance aberration, etc, existing within inter-domain role switching in interoperable role-based access control(IRBAC) modal, this article has proposed inter-domain interface role and inter-operation manager role, the inter-domain interface role includes internal role and external role, the inter-operation manager role handles the management of inheritance between internal role and external role, and this solution can effectively avoid drawbacks existing within inter-domain role switching. This article has also proposed an improved multi-domain authorization management modal, which can effectively solve the problem of cross-domain authorization and authentication of IRBAC modal under multi-domain environment and thus guarantee the security of cross-domain access.

Wei Zhang,Zuoquan Lin

DOI: https://doi.org/10.1109/skg.2012.5

2012-01-01

Abstract:The ANSI RBAC standard provides no mechanism for access policies. This paper employs answer set programming (ASP) as the policy language and presents a new logic-based RBAC formalization framework. The powerful expression ability of ASP ensures the representation of various policies, while high-efficient answer set solvers help our framework suit for reasoning in industrial level applications. We show that properties of the proposed framework support flexible policies well. Furthermore, systems based on the proposed framework are proved to be safe and available.

Hong Xiang,Xiaofeng Xia,Haibo Hu,Sheng Wang,Jun Sang,Chunxiao Ye

DOI: https://doi.org/10.5755/j01.itc.45.3.13187

IF: 0.813

2016-01-01

Information Technology And Control

Abstract:The requirement to develop an organization makes collaboration with other organizations necessary, so the organizations can share resources to perform common tasks. Different organizational domains use different access control models to protect their resources from unauthorized access. Organizational collaboration is an important goal for distributed computing paradigms, but policy inconsistencies between domains will cause problems in a collaboration model that add to the problems involved in constructing the collaboration model itself. These problems provide the two challenges that motivate the research presented here: (1) the construction of a collaboration model across multiple domains protected by different access control models; and (2) ensuring that the access control policy used by a participating domain contains no inconsistencies. We also present our new approach to solving the inter-domain role mapping (IDRM) problem, i.e., to determine the minimal role set that covers requested permissions from a collaborating domain. We also analyse our algorithms, present the results of our tests, and compare our results with the results of existing approaches. DOI: http://dx.doi.org/10.5755/j01.itc.45.3.13187

LONG Jun,ZENG Xiao-sa,ZHANG Zu-ping

2010-01-01

Abstract:As the traditional role-based access control(RBAC) models have shortcomings when applied in lager-scale en-terprise applications,an improved RBAC model based on autonomy domain(AD -RBAC) is proposed.This model intro-duces‘autonomy domain’to describe the organization structure;divides groups into administrative group and common group,which enhances the expression capability of the group;adopts organization structure domain description model to construct group hierarchy and group types.All these contribute to the simple and intuitive realization of multi-level user authorization management.In the expert information service grid,AD -RBAC is used to achieve authorized service and da-ta access of grid nodes based on virtual domain,which proves the feasibility and effectiveness of this model.

Chao Huang,Jianling Sun,Xinyu Wang,Di Wu

DOI: https://doi.org/10.1587/transinf.e93.d.1070

2010-01-01

IEICE Transactions on Information and Systems

Abstract:In this paper, we propose an inconsistency resolution method based on a new concept, insecure backtracking role,napping. By analyzing the role graph, we prove that the root cause of security inconsistency in distributed interoperation is the existence of insecure backtracking role mapping. We propose a novel and efficient algorithm to detect the inconsistency via finding all of the insecure backtracking role mappings. Our detection algorithm will not only report the existence of inconsistency, but also generate the inconsistency information for the resolution. We reduce the inconsistency resolution problem to the known Minimum-Cut problem, and based on the results generated by our detection algorithm we propose an inconsistency resolution algorithm which could guarantee the security of distributed interoperation. We demonstrate the effectiveness of our approach through simulated tests and a case study.

Q Li,JP Shi,SH Qing

DOI: https://doi.org/10.1109/icebe.2005.23

2005-01-01

Abstract:Role-based access control (RBAC) model has been widely deployed for Web security. In some large-enterprise-wide situations, however, this model is difficult to manage due to huge amount of users, roles and interrelationships. As a result, the applications of this model are greatly limited. To address this problem, we present in this paper a decentralized RBAC model (DRBAC) by proposing a new concept of groups and by introducing non-trivial modifications to the user-role assignment of the existing models

Chaoyi Pang,Xiuzhen Zhang,Yanchun Zhang,Kotagiri Ramamohanarao

2008-01-01

Abstract:Role-based access control (RBAC) has attracted considerable research interest. However, the computational issues of RBAC models are yet to be thoroughly studied. In this paper, we study the problem of efficient maintenance of large RBAC models in a database-based multi-domain Web service environment. We propose first-order (SQL) algorithms to maintain the reachability of access roles under dynamic changes. The main advantages of our algorithms are: the support of various operations required for managing access roles with fractional information of roles; the maintenance of an update through operating a bounded number of join operations despite of the data size. To the best of our knowledge, our algorithms are the first attempt to maintain RBAC models using a first-order language.

Chao Huang,Jianling Sun,Xinyu Wang,Yuanjie Si

DOI: https://doi.org/10.1109/ICNDS.2009.94

2009-01-01

Abstract:Access control is always essential for safe and security access to the system resource. Role based access control (RBAC) model is widely used in large enterprise software systems. The quality of the RBAC policy design especially role definition has great impact on the system security policy implementation. In this paper we propose a novel role engineering methods with security KAOS (SKAOS), which guide the engineering process via keeping decomposing the functional requirement objective and combining the system security requirement. SKAOS not only simplifies the system userpsilas involvement in the role engineering process via supplying with the objective decomposition but also reduces the complexity of the operation analysis. After building the objective decomposition and activity analysis diagrams, the role definition can be delivered. We illustrate the effectiveness of our method via analyzing a real world requirement problem.

Zhensong Liao,Hai Jin,Chisong Li

DOI: https://doi.org/10.3321/j.issn:1671-4512.2006.02.021

2006-01-01

Abstract:Role-based access control (RBAC) introduced the concept of role to the access control, helping authorized users to access web resources, and reducing the system s burden to store huge individual information. On the basis of analyzing RBAC model, an attributed certificate (AC)-based RBAC model in the distributed environment was put forward in accordance with the characteristics of RBAC system and the superiority of SPKI/SDSI certificate. It defined the AC structure and described the workflow, and concluded the features of the presented model. The analysis showed that the model was characterized by compact credential structure, supporting anonymous access and single login on.