Function-Based Authorization Constraints Specification and Enforcement

Constraints are an important aspect of role-based access control (RBAC) and its different extensions. They are often regarded as one of the principal motivations behind these access control models. In this paper, we introduce two novel authorization constraint specification schemes, named the prohibition constraint scheme and the obligation constraint scheme. Both can be used for expressing and enforcing authorization constraints. These schemes are strongly bound to authorization entity set functions and authorization entity relation functions, so they give system designers a clear view of which functions should be defined in an authorization constraint system. Based on these functions, different kinds of constraint schemes can be easily defined. Security administrators can use these functions to create constraint schemes for their day-to-day operations. The constraint system can be scaled by defining new functions. This approach goes beyond the well-known separation of duty constraints and considers many aspects of entity relation constraints.
