论文信息 - Risk Based Security Analysis of Permissions in RBAC

Risk Based Security Analysis of Permissions in RBAC

Because of its vulnerability to errors and, hence, unauthorised access, assignment of access rights is a critically important aspect of RBAC. Despite major advances in addressing this clearly using formal models, there is still a need for a more robust formulation, especially incorporating strict guidelines on assignment of access rights and how to perform such tasks as delegation of access rights. In this respect, this paper proposes a precise mathematical framework, capable of considering important factors such as the relative security risks posed by different access operations when performed by different users. This is based on a novel concept of a security risk ordering relation on such tasks, to be established by a detailed independent risk assessment process. In the case of lack of information on security risks, the approach makes conservative assumptions, thus forcing the security analyst to re-assess such situations if he disagrees with this default interpretation. The risk ordering relation is central to a security-orientated definition of role hierarchies and a security-risk minimising strategy to role delegation.

Etienne J. Khayat | Nimal Nissanke

[1] Ravi S. Sandhu,et al. Role-Based Access Control Models , 1996, Computer.

[2] Etienne J. Khayat,et al. A formal model for flat role-based access control , 2003 .

[3] American National Standard for Information Technology – Role Based Access Control , 2004 .

[4] SangYeob Na,et al. Role delegation in role-based access control , 2000, RBAC '00.

[5] Ravi Sandhu,et al. A Role-Based Delegation Model and Some Extensions , 2000 .

[6] Ravi S. Sandhu,et al. The NIST model for role-based access control: towards a unified standard , 2000, RBAC '00.

[7] Ravi S. Sandhu,et al. PBDM: a flexible delegation model in RBAC , 2003, SACMAT '03.

[8] Nimal Nissanke,et al. A Mathematical Framework for Safecharts , 2003, ICFEM.

[9] Ramaswamy Chandramouli,et al. The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[10] D. Richard Kuhn,et al. Role-Based Access Control ( RBAC ) : Features and Motivations , 2014 .

[11] Gail-Joon Ahn,et al. A role-based delegation framework for healthcare information systems , 2002, SACMAT '02.

[12] David R. Kuhn,et al. Role-Based Access Control (RBAC): Features and Motivations | NIST , 1995 .

[13] Ravi S. Sandhu,et al. Framework for role-based delegation models , 2000, Proceedings 16th Annual Computer Security Applications Conference (ACSAC'00).