Lin Yao,Xiangwei Kong,Zichuan Xu

DOI: https://doi.org/10.1109/NCM.2008.75

2008-01-01

Abstract:Although RBAC models have received broad support as a generalized approach to access control, the administration of roles in large organizations can become quite cumbersome. In this paper, we develop a new paradigm for access control and authorization management, called task-role based access control (TRBAC) with multi-constraint. The basic idea of this model different from traditional RBAC is that roles and permissions are not connected directly but are put together by tasks. It is a dynamic authorization model with fine-grained partition on users, roles, tasks and sessions. The unit of task becomes the permission granularity. It is more convenient for enterprise privilege management such as distributed application,C/S access control and workflow management. It can reduce the administrator's burden and avoid some potential safety hazards because of adopted dynamic authorization.

JIANG Jie,ZHANG Jie,CHEN De-ren

DOI: https://doi.org/10.3785/j.issn.1008-973x.2009.09.011

2009-01-01

Abstract:An extended context-aware role based access control(RBAC) based on reasoning(RC-RBAC) model was proposed by integrating the single context-aware RBAC and reasoning-based RBAC in order to solve the problems of the Absence of the adjustment and generation of the context-aware condition dynamically and the incapacity of updating the user authorization according to the adjusted constrain conditions in the existing RBAC.The extended model used the rule reasoning to adjust and generate the context constrains dynamically and start the common sensors and the self-defined sensors to collect the attribute values of the conditions.The access permission to the sensitive data was updated in real time based on the context-aware logic reasoning using the user rules and permission rules.The application results show that the extended RC-RBAC model can be employed in the distributed environment to satisfy the need of the dynamic authorization and reduce the real-time access control management complexity.

Rui Zhang,Fausto Giunchiglia,Bruno Crispo,Lingyang Song

DOI: https://doi.org/10.1007/s11277-009-9782-4

IF: 2.017

2009-01-01

Wireless Personal Communications

Abstract:Context-aware computing is an important aspect of the pervasive computing environment and its various dynamic context information brings new challenges to access control systems. In this paper a new access control model, relation based access control (RelBAC), is provided for context-aware environment with a domain specific Description Logic to formalize the model. The novelty of RelBAC is that permissions are formalized as binary relations between subjects and objects which could evolve with the dynamic contexts. The expressive power of RelBAC is illustrated in a case study of a project meeting event.

Zhiwen Zou,Changqian Chen,Shiguang Ju,Jiming Chen

DOI: https://doi.org/10.1007/978-3-642-12189-0_26

2010-01-01

Abstract:The Spatial Role-Based Access Control (SRBAC) model was discussed in this paper. Firstly, the formal definition of SRBAC Model was given; then the region coverage constraint of spatial object, duration constraint of spatial object, various spatial object separations of duty constraints and spatial object cardinality constraint of role activation were researched; after extending the traditional session, the strategy of eliminating the conflictive session was presented; Finally, the role hierarchy has been discussed under the spatial environment. Combined with practical application, the theory of secure DBMS was optimized and afforded to build the stricter system.

Xiyuan Chen,Miaoliang Zhu

DOI: https://doi.org/10.4028/www.scientific.net/kem.439-440.178

2010-01-01

Abstract:Semantic; Trust Management; RBAC; User-role Assignment Abstract. The application of RBAC in access management of the enterprise services and resources is very widely. With phenomenal growth of information interaction and cooperation between distributed systems, the number of users can be in the hundreds of thousands or millions. This renders manual user-to-role assignment a formidable task. In this paper, we propose a semantic and trust based framework to automatically assign users to roles based on a finite set of assignment rules defined by authorized people in the enterprise. These rules take into consideration the attributes users own and any constraints set forth by the enterprise including the assignment history and the credit of the requester. We choose OWL to specify the user attributes.

王新胜,熊书明,王新宇

DOI: https://doi.org/10.3778/j.issn.1002-8331.2009.36.028

2009-01-01

Computer Engineering and Applications Journal

Abstract:SARBAC/SARBAC-HH models are dominative in implementation of role hierarchy management by analyzing and comparing several typical role-based access control models.Some issues in role and permission assignment management existed in SARBAC/SARBAC-HH models.In view of these issues,an improved model named WARBAC,based on SARBAC/SARBAC-HH models,is put forward.In the model,the administrative policy of role-permission assignment is redefined and redesigned by resorting to the conception of the organization structure of the ARBAC02 model.Analysis results show that WARBAC is simple in role hierarchy management and is reasonable in complicated role-permission assignment management.

Di Wu,Xiyuan Chen,Jian Lin,Miaoliang Zhu

DOI: https://doi.org/10.1007/11836025_19

2006-01-01

Abstract:Today, the formulation, specification, and verification of adequate data protection policies in open distributed environment appear as the main challenge to address concerning authorization Role-based access control models have attracted considerable research interest in recent years due to their innate ability to model organizational structure and their potential to reduce administrative overheads This paper proposes ontology specification to describe Role-based Access Control model and extend it with a general context expression Based on these definitions, the specification for interoperation in distributed environment is introduced The works include a definition of ontology to describe the concepts and a declaration of rules to explicit the relationship between concepts The ontology based approach can express security policy with semantic information and provide a machine interpretation for descriptions of policy in open distributed environment.

BAO Zhigang,HU Yanjun,GU Xinjian

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.01.059

2006-01-01

Abstract:Firstly making reference to role based access control(RBAC)model,this paper proposes the basic idea about access control.Then it introduces database design of two realizing methods about access control and two methods’ realization in program,it also presents visual effect.Finally it analyzes and compares one to another in detail from two aspects of applicability and reusability.

Chen Zhao,NuerMaimaiti Heilili,Shengping Liu,Zuoquan Lin

2005-01-01

Abstract:Role-Based Access Control (RBAC) has been recognized as a strategy which reduces the cost and complexity of security administration in large-scale networked applications. A general family of RBAC models called RBAC96 was proposed by Sandhu et al. [1], which formally deflnes the relations among user, role and permission using the notion of set membership. Constraints is an important aspect of RBAC, which impose restrictions on acceptable conflgurations of the difierent components of RBAC. Nevertheless, it was discussed informally in the RBAC96 model. There has been some efiorts to present a logical framework for the access control models. Most of these works are based on flrst-order logic or its extensions. However, excessively rich expressiveness may bring on complex computation and confusion. We present a novel formalization of RBAC using a description logic approach. Compared with flrst-order logic, DLs achieve a better tradeofi between the computational complexity of reasoning and the expressiveness of the language. We choose the DL language ALC to represent core and hierarchical RBAC, and ALCQ that extends ALC by qualifled number restrictions to express RBAC constraints, including separation of duty and role cardinality. Based on our logical framework it is feasible to reason about RBAC and check the consistency of RBAC with constraints via a DL reasoner(e.g. RACER).

Junbiao Wang,Jianxin Zhang,Jianjun Jiang,Shichao Zhang

DOI: https://doi.org/10.3969/j.issn.1000-2758.2008.04.005

2008-01-01

Xibei Gongye Daxue Xuebao/Journal of Northwestern Polytechnical University

Abstract:Aim. Existing access control models are, in our opinion, not sufficiently effective. We now propose a novel access control model based on RBAC (Role-Based Access Control), which, we believe, is sufficiently effective. In the full paper, we explain our model in some detail. In this abstract, we just add some pertinent remarks to listing the two topics of explanation. The first topic is: the analysis of RBAC-based access control model. In the first topic, with the help of Fig.1 in the full paper, we explain in some detail how the FICS (Flexible Information Coding System) controls access. The second topic is: the implementation of our novel and effective RBAC-based access control model. Its three subtopics are: the concepts of traditional RBAC model that we utilize (subtopic 2.1), the restrictions we impose on accessing our novel and effective model (subtopic 2.2), and the access assignment strategy of FICS (subtopic 2.3). A large Chinese aircraft manufacturing enterprise has made use of our novel and effective RBAC-based access control model and has gradually widened and continues to widen the scope of its application. How the large enterprise utilizes our novel and effective model are briefly described in Fig.4 and Table 1 in the full paper.

Gang Liu,Lu Fang,Quan Wang,Xiaoqian Qi,Juan Cui,Jiayu Liu

DOI: https://doi.org/10.1007/978-3-030-15093-8_4

2018-01-01

Abstract:In information systems where there are a large number of different resources and the resource attributes change frequently, the security, reliability and dynamics of access permissions should be guaranteed. The changing raises security concerns related to authorization, and access control, but existing access control models are difficult to meet practical requirements. In this paper, a resource and attribute based access control model named RA-BAC was proposed. The model bases on attribute-based access control (ABAC) and links access control policy with resource, and redefines the access control rules. Besides, we compare RA-BAC and ABAC from the perspective of theory and simulation experiment respectively to show the advantage of RA-BAC model. We give a detailed analysis combining with instances to show the practicability of the RA-BAC model. RA-BAC solves the problems of policy conflict and policy library expansion in the ABAC model when there are too many resources and the attributes of resources are changed frequently in the system. Using RA-BAC model in system can makes permission query efficient and reduce workload of the system administrator of managing the policy library.

Pranav Subramaniam,Sanjay Krishnan

2024-08-06

Abstract:In every enterprise database, administrators must define an access control policy that specifies which users have access to which assets. Access control straddles two worlds: policy (organization-level principles that define who should have access) and process (database-level primitives that actually implement the policy). Assessing and enforcing process compliance with a policy is a manual and ad-hoc task. This paper introduces a new paradigm for access control called Intent-Based Access Control for Databases (IBAC-DB). In IBAC-DB, access control policies are expressed more precisely using a novel format, the natural language access control matrix (NLACM). Database access control primitives are synthesized automatically from these NLACMs. These primitives can be used to generate new DB configurations and/or evaluate existing ones. This paper presents a reference architecture for an IBAC-DB interface, an initial implementation for PostgreSQL (which we call LLM4AC), and initial benchmarks that evaluate the accuracy and scope of such a system. We further describe how to extend LLM4AC to handle other types of database deployment requirements, including temporal constraints and role hierarchies. We propose RHieSys, a requirement-specific method of extending LLM4AC, and DePLOI, a generalized method of extending LLM4AC. We find that our chosen implementation, LLM4AC, vastly outperforms other baselines, achieving high accuracies and F1 scores on our initial Dr. Spider benchmark. On all systems, we find overall high performance on expanded benchmarks, which include state-of-the-art NL2SQL data requiring external knowledge, and real-world role hierarchies from the Amazon Access dataset.

Databases,Cryptography and Security

Rongbin OUYANG,Yunfeng LIU,Xinzheng LONG

DOI: https://doi.org/10.13705/j.issn.1671-6833.2017.02.004

2017-01-01

Abstract:PRBAC was always implemented to achieve fine-grained access control.This paper analyzed recent research on data permissions,summarized related experiences,and presented a parameter model of PRBAC based on attribute rules.It presented the model' s design,including the rule' s formal form and its components.It also described a general implementation scheme,including the rules' specification,rule' s application time choice,algorithm of the rule' s validation,and some key techniques of the implementation.With the practice on IAAA at PKU,it showed that the model was flexible and the rules' setting was convenient.This paper also pointed out that rules' conflict checking should be implemented in future.

Q Li,JP Shi,SH Qing

DOI: https://doi.org/10.1109/icebe.2005.23

2005-01-01

Abstract:Role-based access control (RBAC) model has been widely deployed for Web security. In some large-enterprise-wide situations, however, this model is difficult to manage due to huge amount of users, roles and interrelationships. As a result, the applications of this model are greatly limited. To address this problem, we present in this paper a decentralized RBAC model (DRBAC) by proposing a new concept of groups and by introducing non-trivial modifications to the user-role assignment of the existing models

Chen Zhao,Nuermaimaiti Heilili,Shengping Liu,Zuoquan Lin

DOI: https://doi.org/10.1007/11560647_25

2005-01-01

Abstract:Role-based access control (RBAC) is recognized as an excellent model for access control in large-scale networked applications. Formalization of RBAC in a logical approach makes it feasible to reason about a specified policy and verify its correctness. We propose a formalization of RBAC by the description logic language $\mathcal{ALCQ}$. We also show that the RBAC constraints can be captured by $\mathcal{ALCQ}$. Furthermore, we demonstrate how to make access control decision, perform the RBAC functions as well as check the consistency of RBAC via the description logic reasoner RACER.

Wei Zhang,Zuoquan Lin

DOI: https://doi.org/10.1109/skg.2012.5

2012-01-01

Abstract:The ANSI RBAC standard provides no mechanism for access policies. This paper employs answer set programming (ASP) as the policy language and presents a new logic-based RBAC formalization framework. The powerful expression ability of ASP ensures the representation of various policies, while high-efficient answer set solvers help our framework suit for reasoning in industrial level applications. We show that properties of the proposed framework support flexible policies well. Furthermore, systems based on the proposed framework are proved to be safe and available.

Cheng Zang,Zhongdong Huang,Ke Chen,Jinxiang Dong

DOI: https://doi.org/10.1007/978-3-540-72863-4_64

2007-01-01

Abstract:Dynamic policy enables the system to adjust the policies according to the changing circumstance, and makes the system more flexible and adaptive. We have proposed a dynamic model and the idea is to dynamically change the policy according to a pair of states rather than one state, which provides more information for the policy decision making, thus makes policy more accurate. The dynamic policy architecture based on this model is built in this paper, and we describe the components and steps of detecting a change, deciding the pair of current and previous states and picking up the policy according to the change.

Thang Bui,Scott D. Stoller

DOI: https://doi.org/10.48550/arXiv.2008.08444

2020-11-24

Abstract:Attribute-Based Access Control (ABAC) and Relationship-based access control (ReBAC) provide a high level of expressiveness and flexibility that promote security and information sharing, by allowing policies to be expressed in terms of attributes of and chains of relationships between entities. Algorithms for learning ABAC and ReBAC policies from legacy access control information have the potential to significantly reduce the cost of migration to ABAC or ReBAC. This paper presents the first algorithms for mining ABAC and ReBAC policies from access control lists (ACLs) and incomplete information about entities, where the values of some attributes of some entities are unknown. We show that the core of this problem can be viewed as learning a concise three-valued logic formula from a set of labeled feature vectors containing unknowns, and we give the first algorithm (to the best of our knowledge) for that problem.

Cryptography and Security,Artificial Intelligence

shaomin zhang,hongbian yang,baoyi wang

DOI: https://doi.org/10.1007/978-3-642-27287-5_94

2012-01-01

Abstract:For the problems of attribute elements maintenance difficulty and heterogeneous attribute of multi-domain in ABAC model, we propose the method of using ontology to maintain access control elements and distributed attribute management, which describe the logical relationships among attributes with OWL and introduce attribute mapping technology in access control decision-making. It can reduce the complexity of attribute management and raise the security of the cross-domain access. It makes up the defects in original ABAC model, and has a good reference to research the cross-domain access control.

Chaoyi Pang,David P. Hansen,Anthony J. Maeder

DOI: https://doi.org/10.1145/1229285.1229306

2007-01-01

Abstract:ABSTRACTIn this paper, we study the maintenance of role-based access control (RBAC) models in database environments using transitive closure relations. In particular, the algorithms that express and remove redundancy from a component, a RBAC state, and from conflict constraints. The transitive closure relations on a RBAC state specify the reachability among user groups, roles and from user groups to roles. These relations can assist the process of authorization and make some queries easier to answer. Paper [17] shows that the transitive closure relations on a RBAC model can be used to manage and maintain the model's dynamic changes in a simple and efficient way. In this paper, we firstly show that the transitive closure relations are natural byproducts when formulating RBAC components. We then adapt the conventional RBAC model to accord the inherent reachability of a RBAC model. We show that the use of transitive closure relations as the auxiliary relations for the maintenance of a RBAC state alleviates the process of query evaluation, removing redundancy and the description of hierarchies. Thirdly, in the presence of conflict constraints, we explain how conflicts can be expressed, checked and evaluated under the existence of TC relations, in addition to the removal of conflicts redundancy and finding inferred conflicts. Lastly, we briefly discuss the first-order maintenance operations.All the algorithms for the maintenance are first-order algorithms with simple structures and can be implemented in SQL.