JIANG Jie,ZHANG Jie,CHEN De-ren

DOI: https://doi.org/10.3785/j.issn.1008-973x.2009.09.011

2009-01-01

Abstract:An extended context-aware role based access control(RBAC) based on reasoning(RC-RBAC) model was proposed by integrating the single context-aware RBAC and reasoning-based RBAC in order to solve the problems of the Absence of the adjustment and generation of the context-aware condition dynamically and the incapacity of updating the user authorization according to the adjusted constrain conditions in the existing RBAC.The extended model used the rule reasoning to adjust and generate the context constrains dynamically and start the common sensors and the self-defined sensors to collect the attribute values of the conditions.The access permission to the sensitive data was updated in real time based on the context-aware logic reasoning using the user rules and permission rules.The application results show that the extended RC-RBAC model can be employed in the distributed environment to satisfy the need of the dynamic authorization and reduce the real-time access control management complexity.

Xiyuan Chen,Yang OUYang,Miaoliang Zhu,Yan He

DOI: https://doi.org/10.1109/ICYCS.2008.407

2008-01-01

Abstract:The emerging grid infrastructure presents many challenging security issues that demand new access approach due to its inherent heterogeneity, multidomain characteristic and highly dynamic nature. In order to protect the secure sharing and coordinated use of diverse resources in distributed "virtual organizations", fine-grained access control in grid computing is therefore very necessary and important. In this paper, a semantic-aware access conrtol(SAAC) extending the RBAC with the semantic specification is proposed. Supplying semantic specification by the implementation of semantic inference engine (SIE), the administration for the applicability of users' role memberships to particular permissions is much more easy and precise. The enforcement of the SAAC model for grid application is presented. An experimental evaluation of its overheads is also described.

CH Fang,W Peng,XZ Ye,SY Zhang

DOI: https://doi.org/10.1109/cscwd.2005.194248

2007-01-01

Journal of Software

Abstract:Access control is one of the key steps to ensuring the availability, confidentiality and integrity of system resources. While it has been fully applied in various network systems, it's still relatively new for collaborative CAD. This paper provides a new framework of multi-level access control for collaborative CAD based on hierarchical product modeling. A layered privilege model (LPM) has been developed to provide multi-granularity access permissions in the part level and feature level. An extended hierarchy role-based access control (EHRBAC) is implemented, integrated with LPM and common Hierarchy RBAC, to provide hierarchical access control of collaborative feature modeling in the component/part level and design feature level. Mesh simplification techniques are used to create variable level-of-detail for individual features.

Bs Liao,J Gao,J Hu,Jj Chen

DOI: https://doi.org/10.1007/978-3-540-30483-8_42

2004-01-01

Abstract:The integration of web services and intelligent agents is promising for automated service discovery, negotiation, and cooperation. But due to the dynamic and heterogeneous nature of web services and agents, it is challenging to guide the behaviors of underlying agents to meet the high-level business (changeful) requirements. Traditional Policy-driven methods (Ponder, Rei, KAoS, etc) are not adaptable to direct the discovery, negotiation and cooperation of dynamic agents who may join in or leave out of a specific community or organization (virtual organization) at run time. The purpose of this paper is to model an ontology-based, policy-driven control framework that is suitable to supervise the dynamic agents according to high-level policies. On the basis of federated multi-agents infrastructure and ontologies of policies, domain concepts, and agent federations, a model of role-based policy specification framework is presented in this paper.

Chao Huang,Jianling Sun,Xinyu Wang,Yuanjie Si

DOI: https://doi.org/10.1109/ICNDS.2009.94

2009-01-01

Abstract:Access control is always essential for safe and security access to the system resource. Role based access control (RBAC) model is widely used in large enterprise software systems. The quality of the RBAC policy design especially role definition has great impact on the system security policy implementation. In this paper we propose a novel role engineering methods with security KAOS (SKAOS), which guide the engineering process via keeping decomposing the functional requirement objective and combining the system security requirement. SKAOS not only simplifies the system userpsilas involvement in the role engineering process via supplying with the objective decomposition but also reduces the complexity of the operation analysis. After building the objective decomposition and activity analysis diagrams, the role definition can be delivered. We illustrate the effectiveness of our method via analyzing a real world requirement problem.

Aya Mohamed,Dagmar Auer,Daniel Hofer,Josef Küng

2023-06-22

Abstract:The increasing use of graph-structured data for business- and privacy-critical applications requires sophisticated, flexible and fine-grained authorization and access control. Currently, role-based access control is supported in graph databases, where access to objects is restricted via roles. This does not take special properties of graphs into account such as vertices and edges along the path between a given subject and resource. In previous iterations of our research, we started to design an authorization policy language and access control model, which considers the specification of graph paths and enforces them in the multi-model database ArangoDB. Since this approach is promising to consider graph characteristics in data protection, we improve the language in this work to provide flexible path definitions and specifying edges as protected resources. Furthermore, we introduce a method for a datastore-independent policy enforcement. Besides discussing the latest work in our XACML4G model, which is an extension to the Extensible Access Control Markup Language (XACML), we demonstrate our prototypical implementation with a real case and give an outlook on performance.

Cryptography and Security

Rocco De Nicola,Alessandro Maggi,Joseph Sifakis

DOI: https://doi.org/10.48550/arXiv.1805.03724

2018-10-24

Abstract:Modern systems evolve in unpredictable environments and have to continuously adapt their behavior to changing conditions. The "DReAM" (Dynamic Reconfigurable Architecture Modeling) framework, has been designed for modeling reconfigurable dynamic systems. It provides a rule-based language, inspired from Interaction Logic, which is expressive and easy to use encompassing all aspects of dynamicity including parametric multi-modal coordination with creation/deletion of components as well as mobility. Additionally, it allows the description of both endogenous/modular and exogenous/centralized coordination styles and sound transformations from one style to the other. The DReAM framework is implemented in the form of a Java API bundled with an execution engine. It allows to develop runnable systems combining the expressiveness of the rule-based notation together with the flexibility of this widespread programming language.

Formal Languages and Automata Theory,Software Engineering

Yibin Xu,Tijs Slaats,Boris Düdder,Thomas Troels Hildebrandt,Tom Van Cutsem

DOI: https://doi.org/10.1002/smr.2730

2024-09-28

Journal of Software Evolution and Process

Abstract:The paper introduces the use of dynamic condition response (DCR) Graphs for role‐based and declarative access control in smart contracts. This approach enhances the security and adaptability of smart contracts by enabling dynamic role adjustments and visualizing access control rights. The methodology supports straightforward declaration of access control rights, improves code auditing, and facilitates the safe evolution of smart contracts. Smart contracts executed on blockchains are interactive programs where external actors generate events that trigger function invocations. Events can be emitted by participants asynchronously. However, some functionalities should be restricted to participants inhabiting specific roles in the system, which might be dynamically adjusted while the system evolves. We argue that current smart contract languages adopting imperative programming paradigms require additional complicated access control code. Furthermore, smart contracts are often developed and evolved independently and cannot share a joint access control policy. This makes it challenging to ensure the correctness of access control properties and to maintain correctness when the contracts are adapted. We propose using dynamic condition response (DCR) graphs for role‐based and declarative access control for smart contracts and techniques for test‐driven modelling and refinement of DCR graphs to support the safe design and evolution of smart contracts. We show that they allow for capturing and visualizing a form of dynamic access control where access rights evolve as the contract state progresses. Their use supports the straightforward declaration of access control rights, improved code auditing, test‐driven modelling, and safe evolution of smart contracts and improves users' understanding.

computer science, software engineering

Pranav Subramaniam,Sanjay Krishnan

2024-08-06

Abstract:In every enterprise database, administrators must define an access control policy that specifies which users have access to which assets. Access control straddles two worlds: policy (organization-level principles that define who should have access) and process (database-level primitives that actually implement the policy). Assessing and enforcing process compliance with a policy is a manual and ad-hoc task. This paper introduces a new paradigm for access control called Intent-Based Access Control for Databases (IBAC-DB). In IBAC-DB, access control policies are expressed more precisely using a novel format, the natural language access control matrix (NLACM). Database access control primitives are synthesized automatically from these NLACMs. These primitives can be used to generate new DB configurations and/or evaluate existing ones. This paper presents a reference architecture for an IBAC-DB interface, an initial implementation for PostgreSQL (which we call LLM4AC), and initial benchmarks that evaluate the accuracy and scope of such a system. We further describe how to extend LLM4AC to handle other types of database deployment requirements, including temporal constraints and role hierarchies. We propose RHieSys, a requirement-specific method of extending LLM4AC, and DePLOI, a generalized method of extending LLM4AC. We find that our chosen implementation, LLM4AC, vastly outperforms other baselines, achieving high accuracies and F1 scores on our initial Dr. Spider benchmark. On all systems, we find overall high performance on expanded benchmarks, which include state-of-the-art NL2SQL data requiring external knowledge, and real-world role hierarchies from the Amazon Access dataset.

Databases,Cryptography and Security

John Slankas,Xusheng Xiao,Laurie A. Williams,Tao Xie

DOI: https://doi.org/10.1145/2664243.2664280

2014-01-01

Abstract:With over forty years of use and refinement, access control, often in the form of access control rules (ACRs), continues to be a significant control mechanism for information security. However, ACRs are typically either buried within existing natural language (NL) artifacts or elicited from subject matter experts. To address the first situation, our research goal is to aid developers who implement ACRs by inferring ACRs from NL artifacts . To aid in rule inference, we propose an approach that extracts relations (i.e., the relationship among two or more items) from NL artifacts such as requirements documents. Unlike existing approaches, our approach combines techniques from information extraction and machine learning. We develop an iterative algorithm to discover patterns that represent ACRs in sentences. We seed this algorithm with frequently occurring nouns matching a subject--action--resource pattern throughout a document. The algorithm then searches for additional combinations of those nouns to discover additional patterns. We evaluate our approach on documents from three systems in three domains: conference management, education, and healthcare. Our evaluation results show that ACRs exist in 47% of the sentences, and our approach effectively identifies those ACR sentences with a precision of 81% and recall of 65%; our approach extracts ACRs from those identified ACR sentences with an average precision of 76% and an average recall of 49%.

Qi Li,Zongkai Lin,Yuchai Guo,Shouxun Lin

2001-01-01

Ruan Jian Xue Bao/Journal of Software

Abstract:Secure, flexible and efficient access control mechanism is a key part of DBMS supporting cooperation. Access control mechanism in traditional DBMS can not meet the requirement of dynamic and group based cooperative applications. The paper presents GACM (generic access control method) which provides fine-grained hierarchical access control method and reduce the authorization work as much as possible, keeping good balance between flexibility and efficiency. Another feature of GACM is its support for group management. GACM is able to manage multi groups and multi roles. It can also check rights dynamically. The paper compares GACMwith the model provided by P. Cewan and H. Shen lastly.

JeeHyun Hwang,Tao Xie,Vincent Hu,Mine Altunay

DOI: https://doi.org/10.1109/POLICY.2010.22

2010-01-01

Abstract:Access control mechanisms are a widely adopted technology for information security. Since access decisions (i.e., permit or deny) on requests are dependent on access control policies, ensuring the correct modeling and implementation of access control policies is crucial for adopting access control mechanisms. To address this issue, we develop a tool, called ACPT (Access Control Policy Testing), that helps to model and implement policies correctly during policy modeling, implementation, and verification.

Huiying Li,Xiang Zhang,Honghan Wu,Yuzhong Qu

2005-01-01

Abstract:Access control is an important issue among the security problems of resources in distributed systems. In order to enable entities in distributed systems to understand and interpret policies correctly, common concern is drawn to the problem of expressing access control policies with semantic information. In this paper, we introduce how to express access control policies based on OWL and SWRL. It includes a definition of OWL ontology to describe the terms and a declaration of SWRL rules to explicit the relationship between properties. Finally some use cases are given to explain how to express policies in form of rule using the terms defined beforehand.

Lianshan Sun,Gang Huang

DOI: https://doi.org/10.1016/j.sysarc.2010.11.001

IF: 5.836

2011-01-01

Journal of Systems Architecture

Abstract:Access control is a common concern in most software applications. In component-based systems, although developers can implement access control requirements (ACRs) by simply declaring role-based access control configurations (ACCs) of components, it is still difficult for them to define and evolve ACCs accurately implementing ACRs due to the gap between the complex high-level ACRs and the voluminous ACCs enforced by underlying middleware platforms, and the ad hoc mistakes of human. This paper introduces and clarifies the concept of accuracy of ACCs relative to ACRs, and presents a set of metrics and algorithms which can be used to automatically evaluate and improve accuracy of ACCs by evaluating and reconfiguring the software architecture with ACCs. We apply our achievements in a composed e-shop application.

Pierre de Leusse,Bartosz Kwolek,Krzysztof Zielinski

DOI: https://doi.org/10.48550/arXiv.1203.0435

2012-03-02

Distributed, Parallel, and Cluster Computing

Abstract:The rule technological landscape is becoming ever more complex, with an extended number of specifications and products. It is therefore becoming increasingly difficult to integrate rule-driven components and manage interoperability in multi-rule engine environments. The described work presents the possibility to provide a common interface for rule-driven components in a distributed system. The authors' approach leverages on a set of discovery protocol, rule interchange and user interface to alleviate the environment's complexity.

JIAO Zhen-hai,DING Er-yu,LUO Bin

2008-01-01

Abstract:This paper presented a design and implemented approach of rule strategy based access control to fulfill this requirement.And started with the set expressions and definition of the rule model,and focused on the implement of rule interpreter and some detailed algorithms.At last,also presented a practical application.

Kamrun Nahar,Asif Qumer Gill,Terry Roach

DOI: https://doi.org/10.1002/spy2.160

2021-03-23

Security and Privacy

Abstract:Abstract There is an increasing interest in embedding the security in the design of digital enterprise architecture (EA) modeling platform to secure the digital assets. Access control management (ACM) is one of the key aspects of a secure digital enterprise architecture modeling platform design. Typical enterprise architecture modeling approaches mainly focus on the modeling of business, information, and technology elements. This draws our attention to this important question: how to model ACM for a secure digital EA modeling platform to ensure secure access to digital assets? This article aims to address this important research question in collaboration with our industry partner and developed an ontology‐based ACM metamodel that can be used by enterprises to model their ACM for a particular situation. This research has been conducted using the well‐known action‐design research (ADR) method to develop and evaluate the ACM metamodel for the secure digital EA modeling platform.

Yahui Lu,Li Zhang,Jiaguang Sun

DOI: https://doi.org/10.1016/j.compind.2009.02.009

IF: 10

2009-01-01

Computers in Industry

Abstract:The fast evolving workflow technologies facilitate organizations to interact and cooperate with each other to achieve their business goals by process collaborations. Task-role based access control is an important security mechanism to protect data and resources in information systems. However, the traditional centralized authorization and administration mechanism in access control can not satisfy the administrative requirements in process collaboration environments. In this paper, we propose a domain based administration model for task-role based access control (DATRBAC), in which the authorization and administration permissions are distributed to multiple administrative domains and administrative roles. Then we propose the solution to detect and resolve the conflicts between access control policies defined by different administrative roles. We also described the implementation of the model in the PLM product and the experiments based on the practical application data.

Grzegorz J. Nalepa

DOI: https://doi.org/10.1007/978-3-642-13232-2_73

2010-01-01

Abstract:In this paper a new rule engine called HeaRT (HeKatE Run Time) is proposed. It uses a custom rule representation called XTT2, which is based on a formalized rule description and allows a formalized analysis of rule quality. The engine is integrated with a complete design environment that provides visual rule design capabilities. The engine supports modularized rule bases and custom inference mechanisms. The rule-based logic can be integrated with the environment using external callback functions in Prolog and Java. In the paper the architecture of the engine is discussed as well as selected implementation issues are given.

Lionel Montrieux,Yijun Yu,Michel Wermelinger,Zhenjiang Hu

DOI: https://doi.org/10.1109/mise.2013.6595288

2013-01-01

Abstract:The integration of domain-specific concepts in a model-driven engineering (MDE) approach raises a number of interesting research questions. There are two possibilities to represent these concepts. The first one focuses on models that contain domain-specific concepts only, i.e. domain-specific modelling languages (DSML). The second one advocates the integration of domain-specific concepts in general-purpose models, using what we will refer to in this paper as domain-specific modelling annotation languages (DSMAL). In this position paper, we argue that each approach is particularly suited for specific activities and specific actors, and show how they can be developed and used together. We also highlight the challenges created by the use of two representations, such as the evaluation of models OCL constraints and the synchronisation between the two representations. As an illustration, we present rbacUML, our approach for integrating role-based access control (RBAC) concepts into an MDE approach.