Detecting conflicts in a role-based delegation model

The RBAC96 access control model has been the basis for extensive work on role-based constraint specification and role-based delegation. However, these practical extensions can also lead to conflicts at compile time and at run time. We demonstrate, following a role-based, declarative approach, how conflicts between specified separation of duty constraints and delegation activities can be detected. This approach also demonstrates the general suitability of Prolog as an executable specification language for the simulation and analysis of role-based systems. Using an extended definition of a role, we show how at least one of the conflicts can be resolved and discuss the impact of this extension on the specified constraints.
