Lin Yao,Xiangwei Kong,Zichuan Xu

DOI: https://doi.org/10.1109/NCM.2008.75

2008-01-01

Abstract:Although RBAC models have received broad support as a generalized approach to access control, the administration of roles in large organizations can become quite cumbersome. In this paper, we develop a new paradigm for access control and authorization management, called task-role based access control (TRBAC) with multi-constraint. The basic idea of this model different from traditional RBAC is that roles and permissions are not connected directly but are put together by tasks. It is a dynamic authorization model with fine-grained partition on users, roles, tasks and sessions. The unit of task becomes the permission granularity. It is more convenient for enterprise privilege management such as distributed application,C/S access control and workflow management. It can reduce the administrator's burden and avoid some potential safety hazards because of adopted dynamic authorization.

HL Hu,D Chen,CQ Huang

DOI: https://doi.org/10.1109/icsmc.2004.1401072

2004-01-01

Abstract:The idea of role has been widely applied to solving the authority, responsibility, function and interaction, which are associated with member station in organizations. Access control is a key security issue in distributed collaboration systems. After analyzing corresponding security requirements and the present status of security in distributed collaboration system, this paper presents an extensive role-based access control (ERBAC) architecture based on differentiated domain management. In this architecture, security management is classified into inter-domain one and infra-domain one, whilst, it can integrate new security policies. Based on definition of role permission type, the paper introduces a function of permission type change to make ERBAC architecture flexible. In addition, the authors discuss the methods by which the security can be implemented in an agent-based framework. The practices signify that this system can be flexibly applied various existing policy languages and protocols.

ZHANG Shuai,SUN Jian-ling,XU Bin,HUANG Chao

DOI: https://doi.org/10.3785/j.issn.1008-973X.2012.11.015

2012-01-01

Abstract:A dynamic multiple domains access control model base on role based access control(RBAC) was proposed in order to solve the problem that current single domain based access control model cannot fulfill the authorization requirements for service compositions crossing multiple enterprises.The process structures were analyzed and a role mining algorithm was proposed to find the role set with minimized permissions that meet the access requirements of composite services.Authorization negotiations were set up among relevant domains for each cross domain operation in composite services and cross domain role mappings were built according the mined role sets with minimized cost to fulfill the cross domain operations.Based on this model,a runtime framework aligned with current industry standard was proposed to authorize dynamically based on the current running status of composite services.Simulation experiments showed the effectiveness of key part of the role mining algorithm.

Tianyi Zhu,Weidong Liu,Jiaxing Song

DOI: https://doi.org/10.1109/CIT.2011.36

2011-01-01

Abstract:coRBAC is a specifically optimized RBAC system for cloud computing environment. It inherits the existing RBAC's role model and dRBAC's domain model, optimizes and improves the access control system for services which are hosted on the cloud computing platform. coRBAC greatly improves the certification process and user experience by reducing the unnecessary process of establishing secure connection and setting up multi-level cache, reduces the space complexity and time complexity of access control system.

JIANG Jie,ZHANG Jie,CHEN De-ren

DOI: https://doi.org/10.3785/j.issn.1008-973x.2009.09.011

2009-01-01

Abstract:An extended context-aware role based access control(RBAC) based on reasoning(RC-RBAC) model was proposed by integrating the single context-aware RBAC and reasoning-based RBAC in order to solve the problems of the Absence of the adjustment and generation of the context-aware condition dynamically and the incapacity of updating the user authorization according to the adjusted constrain conditions in the existing RBAC.The extended model used the rule reasoning to adjust and generate the context constrains dynamically and start the common sensors and the self-defined sensors to collect the attribute values of the conditions.The access permission to the sensitive data was updated in real time based on the context-aware logic reasoning using the user rules and permission rules.The application results show that the extended RC-RBAC model can be employed in the distributed environment to satisfy the need of the dynamic authorization and reduce the real-time access control management complexity.

Di Wu,Xiyuan Chen,Jian Lin,Miaoliang Zhu

DOI: https://doi.org/10.1007/11836025_19

2006-01-01

Abstract:Today, the formulation, specification, and verification of adequate data protection policies in open distributed environment appear as the main challenge to address concerning authorization Role-based access control models have attracted considerable research interest in recent years due to their innate ability to model organizational structure and their potential to reduce administrative overheads This paper proposes ontology specification to describe Role-based Access Control model and extend it with a general context expression Based on these definitions, the specification for interoperation in distributed environment is introduced The works include a definition of ontology to describe the concepts and a declaration of rules to explicit the relationship between concepts The ontology based approach can express security policy with semantic information and provide a machine interpretation for descriptions of policy in open distributed environment.

Wenjuan Li,Lingdi Ping,Xuezeng Pan

DOI: https://doi.org/10.1109/iceie.2010.5559829

2010-01-01

Abstract:Security and interoperability is the biggest challenge to promote cloud computing currently. Trust has proved to be one of the most important and effective alternative means to construct security in distributed systems. In order to efficiently and safely construct entities' trust relationship in cloud and cross-clouds environment, this paper proposed a novel cloud trust model and a new cloud security framework. The propose trust model is domain-based. It divides one cloud provider's resource nodes into the same trust domain. It designs different trust strategies for different roles. Trust recommendation is treated as one type of cloud services just like computation or storage. Based on the proposed trust model, it introduced a novel cloud security framework with an independent trust management module. Using the proposed security model, it introduced some trust-based security mechanisms. Results of simulation experiments show that the proposed security model can achieve high transaction success rate with high trust accuracy.

Hong Sun,Xueqin Zhang,Chunhua Gu

DOI: https://doi.org/10.14257/ijgdc.2014.7.3.01

2014-01-01

International Journal of Grid and Distributed Computing

Abstract:With the development of cloud computing, and as the basis of data services, security problems of cloud storage are growing more attention. Based on distributed storage, multidomain and multi-tenant characteristics, combined with access control technologies, this paper sets up the Role-based Access Control using Ontology and domians in Cloud Storage (DOnto_RBAC), which could provide a concise and effective strategy for service providers (isps). According to the characteristics of access control in cloud storage, based on the standards (called CDMI), this paper adds Domains and Time constraints of roles into RBAC. With ontology technologies and the OWL language, this paper establishes ontology model including entities' descriptions and strategies to realize reasoning of multi-domain access control permissions. We realized our system through Python and established Restful APIs. Experiments in campus-level cloud storage called Swift showed that, using requests with Restful format commands, DOnto_RBAC was proved to be effective to manage distributed and multi-domain data in cloud storage.

周鑫,潘理

DOI: https://doi.org/10.3969/j.issn.1009-8054.2012.05.049

2012-01-01

Abstract:For RBAC-based multi-domain systems, a reliable static role mapping mechanism that integrates multidomain policies without any constraint conflict is presented. By introduction of the equivalent permission concept, the goal of policy integration is defined, and the hybrid hierarchy is supported in this integration mechanism. The principle of non-rising permission and the role mapping attributes are proposed in order to achieve fine granulation and secure global policies. Due to the low algorithm complexity, this algorithm could be easily applied in practical scenarios.

Zhu Yiqun,Li Jianhua,Zhang Quanhai

DOI: https://doi.org/10.3969/j.issn.1000-386X.2008.11.054

2008-01-01

Abstract:In accordance with the increasing customers and the various resource access policies in service-oriented environments,the limi- tation of the related research is anallyzed,and a multi-policy services-oriented attribute-based role-based access control(AB-RBAC) model is proposed.Based on the relationship between the resource attribute and the user attribute in multi-policies,different role groups are defined,and relevant rules are made.User-rde assignment is realized based on a finite set of rules,and the requirement of multiple access policies is satis- fied.The flexibility of access control is enhanced,and the efficiency of the system is improved.A case that uses the AB-RBAC model is de- scribed,and a detailed comparison among several models is made,which clearly shows the advantages of AB-RBAC.

Ying Chen,Shoubao Yang,Leitao Guo

DOI: https://doi.org/10.1007/11590354_22

2005-01-01

Abstract:To improve system scalability and restrain cheat, which are two important aspects in resource sharing gird environment, a dynamic-role based access control framework is proposed in this paper. This framework imports trust model, proposes “conversion parameter” and dynamic-role to resolve the problems of access control across multi domains. Simulation results show that it can realize access control easily, prohibit malicious behavior of entities, and improve the scalability of the system. An implementation is also shown in this paper.

Lina Ge,Shaohua Tang,Qiao Kuang

DOI: https://doi.org/10.1109/apscc.2006.46

2006-01-01

Abstract:In the grid environment, the resource providers should maintain the ultimate authority over their resources, including access authorization and grain scale control. Apparently, the traditional RBAC model will be inappropriate in multi-autonomous domains environment. Focusing on the autonomous, heterogeneous and dynamic features of grid computing, we propose the concept of "Resource Role". We also initiate the Dual-Role Based Access Control (DRBAC) framework, where the resource role permission mapping is defined in resource domain and user role resource role mapping is negotiated by user domain and resource domain. This framework is simple and works better than the traditional RBAC in multi domains environment.

袁平鹏,陈刚,董金祥

DOI: https://doi.org/10.3321/j.issn:1003-9775.2004.04.006

2004-01-01

Abstract:An access control paradigm composed of basic model and role model is proposed for collaborative applications. Basic model specifies the relationship among privileges and the way of ranking privileges. It relates privilege with operations on the objects, so the model appears more straightforward. Moreover, if Brokers' implementation permits, the model can support any grained access control. Role model re-defines the role concept of RBAC96, divides the permissions of role into public permissions, protect permissions and private permissions. It allows user to define roles more flexibly, prevents private permissions of roles from being inherited and reduces the definition of ancillary roles.

谷和武,潘理

DOI: https://doi.org/10.3969/j.issn.1009-8054.2010.06.040

2010-01-01

Abstract:For the access control in multi-domain,this paper proposes a method for policy conflicts classification and detection.The secure interoperation model based on RBAC and its security characteristics are studied,the policy conflicts resulted from the introduction of role mapping are analyzed and classified.The role system is abstracted as directed graph,and the effective roles and role hierarchy are utilized to propose a method based on directed graph of role system for detecting policy conflicts.Finally,the computational complexity?of the proposed method is analyzed,and the solutions for policy conflicts are given.

Zhang Xiantao,Li Qi,Qing Sihan,Zhang Huanguo,Zhang Liqiang

DOI: https://doi.org/10.1109/ISCIT.2007.4392214

2007-01-01

Abstract:Role-based Access Control (RBAC) become an important techniques to secure e-commerce systems during recent years. However, RBAC management issue is still an unresolved problem. Moreover, with the development of IT technologies in many departments, there emerge many group communications which require dynamic user-role assignments. In these scenarios it is infeasible for few security officers to administrate the assignment for local variant applications. In this paper, we propose a novel RBAC model for decentralized and distributed systems. We also present an administration model of our PBAC model to address the management issues in traditional RBAC systems. As one of the main contributions, this paper proposes a decentralized administration model by introducing a component of group assignment to implement a novel user authorization mechanism and a new user-role assignment (UA) approach which provides a two-level administration for user and role management through the concept of group. Our model can be applied for the current group communication applications with dynamic assignments where typically local administrators take charge of the dynamic assignments. In this way, many administrative tasks for different applications can spread over many different local administrators, and a fine-grained administration model of RBAC based on the local administration policies is realized. As a proof-of-concept we implemented a prototype in Xen virtualization environment based on our proposed model to secure real distributed applications.

Yahui Lu,Li Zhang,Yinbo Liu,Jiaguang Sun

DOI: https://doi.org/10.1109/cscwd.2006.253050

2006-01-01

Abstract:Role-based access control (RBAC) models have been successfully implemented in various information systems in recent years. However, the traditional centralized authorization and administration mechanisms in RBAC have several drawbacks in collaborative environments. In this paper, we propose a distributed Domain Administration of RBAC Model, DARBAC, in which the authorization and administration privileges are distributed to multiple administrative domains. Each administrative role is assigned to an administrative domain and can only execute administrative operations within its domain. By introducing the concept of administrative domain and administrative role hierarchy, the DARBAC model can flexibly meet the access control requirements in collaborative environments. We also describe how to implement the model in the PLM product and how to apply the model in a distributed enterprise environment to support cooperative work.

SHEN Qing-ni,YANG Ya-hui,YU Xi,ZHANG Li-zhe,CHEN Zhong

2011-01-01

Abstract:Cloud Storage is a multi-tenancy shared environment,so achieving data separation between different users effectively in the platform has become one of issues most concerned by users.In this paper,we provide business users a flexible access control policy,which is built on top of RBAC(Role-based Access Control),combined with organization label and a variety of security attributes with logical combinations.First of all,it provides strict inter-enterprise data isolation on cloud storage,ensuring that business users could not access data which doesn't belong to their organization.Moreover,it provides proper separation of organization internal data.Business users could customize the policy flexibly according to their own security requirements,isolating data from different sectors or geographical area.Finally,the policy provides a mechanism for corporations to share data on cloud storage by introducing the concept of "virtual organization",and guarantee companies with the same conflict set of interest could not be allowed to share data through traditional Chinese Wall Policy.This paper presents the design and implementation of a prototype based Hadoop distributed file system(HDFS),including security label,security policy,security decision module,enforcement procedure of security decision and user command interface.Then it analyzes the effectiveness and performance of the security mechanisms with experiments.The result shows that the policy meets the security requirement well and loss of system run-time performance is within an acceptable range.

Ruoyu Wu,Xinwen Zhang,Gail‐Joon Ahn,Hadi Sharifi,Haiyong Xie

IF: 56.9

2013-01-01

Science

Abstract:Organizations and enterprises have been outsourcing their computation, storage, and workflows to Infrastructure-as-a-Service (IaaS) based cloud platforms. The heterogeneity and high diversity of IaaS cloud environment demand a comprehensive and finegrained access control mechanism, in order to meet dynamic, extensible, and highly configurable security requirements of these cloud consumers. However, existing security mechanisms provided by IaaS cloud providers do not satisfy these requirements. To address such an emergent demand, we propose a new cloud service called access control as a service (ACaaS), a service-oriented architecture in cloud to support multiple access control models, with the spirit of pluggable access control modules in modern operating systems. As a proof-of-concept reference prototype, we design and implement ACaaSRBAC to provide role-based access control (RBAC) for Amazon Web Services (AWS), where cloud customers can easily integrate the service into enterprise applications in order to extend RBAC policy enforcement in AWS. We describe challenges and lessons in implementing ACaaSRBAC, demonstrate how this service can be seamlessly integrated with enterprise cloud applications, and discuss evaluation results.

HU Ying-song,CHEN Gang,ZHU A-ke,CHEN Zhong-xin

2006-01-01

Abstract:A new access control model based on roles and departments is proposed,which extends the traditional RBAC model. The new model abstracts the department from the property of roles,and becomes an important factor of permission control. Furthermore,this paper designs a three-layered architecture for this cross-platform security administration and one of the access control policies is described in detail.

Tang Bo,Li Qi,Sandhu Ravi

DOI: https://doi.org/10.1109/PST.2013.6596058

2013-01-01

Abstract:Most cloud services are built with multi-tenancy which enables data and configuration segregation upon shared infrastructures. In this setting, a tenant temporarily uses a piece of virtually dedicated software, platform, or infrastructure. To fully benefit from the cloud, tenants are seeking to build controlled and secure collaboration with each other. In this paper, we propose a Multi-Tenant Role-Based Access Control (MT-RBAC) model family which aims to provide fine-grained authorization in collaborative cloud environments by building trust relations among tenants. With an established trust relation in MT-RBAC, the trustee can precisely authorize cross-tenant accesses to the truster's resources consistent with constraints over the trust relation and other components designated by the truster. The users in the trustee may restrictively inherit permissions from the truster so that multi-tenant collaboration is securely enabled. Using SUN's XACML library, we prototype MT-RBAC models on a novel Authorization as a Service (AaaS) platform with the Joyent commercial cloud system. The performance and scalability metrics are evaluated with respect to an open source cloud storage system. The results show that our prototype incurs only 0.016 second authorization delay for end users on average and is scalable in cloud environments.