Cooperative role-based administration

In large organizations the administration of access privileges (such as the assignment of an access right to a user in a particular role) is handled cooperatively through distributed administrators in various different capacities. A quorum may be necessary, or a veto may be possible for such a decision. In this paper we present two major contributions: We develop a Role-Based Access Control (RBAC) approach for specifying distributed administration requirements, and procedures between administrators, or administration teams, extending earlier work on distributed (modular) authorization. While a comprehensive specification in such a language is conceivable it would be quite tedious to evaluate, or analyze, their operational aspects and properties in practice. For this reason we create a new class of extended Petri Nets called Administration Nets such that any RBAC specification of (cooperative) administration requirements (given in terms of predicate logic formulas) can be embedded into an Administration Net. This net behaves within the constraints specified by the logical formulas, and at the same time, it explicitly exhibits all needed operational details such as to allow for an efficient and comprehensive formal analysis of administrative behavior. We introduce the new concepts and illustrate their use in several examples. While Administration Nets are much more refined and (behaviorally) explicit than work flow systems our work provides for a constructive step towards novel work-flow management tools as well.

[1]  Kurt Lautenbach,et al.  The Analysis of Distributed Systems by Means of Predicate ? Transition-Nets , 1979, Semantics of Concurrent Computation.

[2]  Carlo Ghezzi,et al.  A Unified High-level Petri Net Model for Time Critical Systems , 1991 .

[3]  Horst F. Wedde,et al.  Modular authorization , 2001, SACMAT '01.

[4]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[5]  Horst F. Wedde,et al.  Analyzing Program Solutions of Coordination problems by CP-Nets , 1978, MFCS.

[6]  Wil M. P. van der Aalst,et al.  The Application of Petri Nets to Workflow Management , 1998, J. Circuits Syst. Comput..

[7]  Sushil Jajodia,et al.  A logical language for expressing authorizations , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[8]  Sylvia L. Osborn,et al.  Modeling users in role-based access control , 2000, RBAC '00.

[9]  Carlo Ghezzi,et al.  A Unified High-Level Petri Net Formalism for Time-Critical Systems , 1991, IEEE Trans. Software Eng..

[10]  Rüdiger Valk Infinite Behaviour of Petri Nets , 1983, Theor. Comput. Sci..

[11]  Ravi S. Sandhu,et al.  The ARBAC99 model for administration of roles , 1999, Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99).

[12]  Ravi S. Sandhu,et al.  A model for role administration using organization structure , 2002, SACMAT '02.

[13]  Horst F. Wedde,et al.  COMPOSING HETEROGENOUS ACCESS POLICIES BETWEEN ORGANIZATIONS , 2003 .

[14]  Sylvia L. Osborn,et al.  Access Rights Administration in Role-Based Security Systems , 1994, DBSec.

[15]  Elisa Bertino,et al.  A unified framework for enforcing multiple access control policies , 1997, SIGMOD '97.