ABSTRACT
This paper addresses the issues surrounding user-to-user delegation in RBAC. We show how delegations can be incorporated into the RBAC model in a simple and straightforward manner. A special feature of the model is that it allows fine-grained control over what rights a user wishes to delegate as opposed to delegation at the role level where all the rights of a role must be delegated. In addition, the model provides a rich set of controls regarding further delegations of a right, generic constraints that further control delegations, and an innovative model for revocations. Properties of both delegation and revocation are discussed, and our work is compared with other related research.
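As an added illustration of the contrast the abstract draws, and not the paper's own model (whose exact delegation constraints and revocation rules are not on this page): a Python sketch in which users delegate individual rights rather than whole roles, each delegation carries a hop limit on further delegation, and revocation cascades to any delegation no longer backed by a chain from a directly held right. The user and right names, the hop rule and the cascade semantics are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Delegation:
    grantor: str
    grantee: str
    right: str  # one permission, e.g. "approve:po", rather than a whole role
    hops: int   # further hops the grantee may re-delegate (0 = none)

@dataclass
class DelegationStore:
    base: dict = field(default_factory=dict)  # rights held directly, e.g. via roles
    delegations: list = field(default_factory=list)

    def holds(self, user: str, right: str) -> bool:
        return right in self.base.get(user, set()) or any(
            d.grantee == user and d.right == right for d in self.delegations)

    def hops_left(self, user: str, right: str):
        """None = unlimited (base right), -1 = not held, else max hops received."""
        if right in self.base.get(user, set()):
            return None
        got = [d.hops for d in self.delegations if d.grantee == user and d.right == right]
        return max(got) if got else -1

    def delegate(self, grantor: str, grantee: str, right: str, hops: int = 0) -> bool:
        """Delegate one right user-to-user; a re-delegation must pass on
        strictly fewer hops than the grantor received (assumed rule)."""
        left = self.hops_left(grantor, right)
        if left == -1 or (left is not None and hops > left - 1):
            return False
        self.delegations.append(Delegation(grantor, grantee, right, hops))
        return True

    def revoke(self, grantor: str, grantee: str, right: str) -> list:
        """Remove one delegation, then drop every delegation no longer backed by a
        chain rooted in a base right (assumed cascade; also clears self-backing cycles)."""
        direct = [d for d in self.delegations if (d.grantor, d.grantee, d.right) == (grantor, grantee, right)]
        remaining = [d for d in self.delegations if d not in direct]
        backed = {(u, r) for u, rs in self.base.items() for r in rs}
        live, changed = set(), True
        while changed:
            changed = False
            for d in remaining:
                if d not in live and (d.grantor, d.right) in backed:
                    live.add(d); backed.add((d.grantee, d.right)); changed = True
        dropped = [d for d in remaining if d not in live]
        self.delegations = [d for d in remaining if d in live]
        return [(d.grantor, d.grantee) for d in direct + dropped]
```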