A Constrained Role-Based Delegation Model

Delegation is an important security policy that should be supported by RBAC model. The basic idea of delegation is that some active entity in a system delegates authority to another active entity to carry out some functions on behalf of the former. The grantor of the delegated roles should be responsible for the usage of them, so constraints on the usage of the delegated roles are critical components of the whole delegation model. Currently, there’re some models that extend RBAC model to support role delegation. However, their supports for constraints on the usage of delegated roles are very limited. This paper presents the requirements of role-based delegation, including temporary constraints, regular role dependency constraints, partial delegation constraints and propagation constraints. The former two kinds of constraints are modeled with a formal model – CRDM, which provides the foundation for applications in need of the constrained delegation.

[1]  Gail-Joon Ahn,et al.  Role-based authorization constraints specification , 2000, TSEC.

[2]  Ravi S. Sandhu,et al.  Framework for role-based delegation models , 2000, Proceedings 16th Annual Computer Security Applications Conference (ACSAC'00).

[3]  Trent Jaeger On the increasing importance of constraints , 1999, RBAC '99.

[4]  Elisa Bertino,et al.  Temporal hierarchies and inheritance semantics for GTRBAC , 2002, SACMAT '02.

[5]  Ravi Sandhu,et al.  A Role-Based Delegation Model and Some Extensions , 2000 .

[6]  Morrie Gasser,et al.  An architecture for practical delegation in a distributed system , 1990, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[7]  Fang Chen,et al.  Constraints for role-based access control , 1996, RBAC '95.

[8]  Ravi S. Sandhu,et al.  PBDM: a flexible delegation model in RBAC , 2003, SACMAT '03.

[9]  Gail-Joon Ahn,et al.  A rule-based framework for role based delegation , 2001, SACMAT '01.

[10]  Doug Lea,et al.  Practical delegation for secure distributed object environments , 1998, Distributed Syst. Eng..

[11]  Henry M. Gladney,et al.  Access control for large collections , 1997, TOIS.

[12]  Mads Dam,et al.  Constrained delegation , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[13]  Elisa Bertino,et al.  Dependencies and separation of duty constraints in GTRBAC , 2003, SACMAT '03.

[14]  Dong Guang-yu Role-Based Authorization Constraint with Time Character , 2002 .

[15]  Mary Ellen Zurko,et al.  Separation of duty in role-based environments , 1997, Proceedings 10th Computer Security Foundations Workshop.

[16]  Elisa Bertino,et al.  TRBAC , 2001, ACM Trans. Inf. Syst. Secur..

[17]  Ravi S. Sandhu,et al.  Rationale for the RBAC96 family of access control models , 1996, RBAC '95.

[18]  Hua Chen,et al.  UC-RBAC: A Usage Constrained Role-Based Access Control Model , 2003, ICICS.

[19]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[20]  Morris Sloman,et al.  The source of authority for commercial access control , 1988, Computer.

[21]  David F. Ferraiolo,et al.  On the formal definition of separation-of-duty policies and their composition , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).