Enforcing Information Flow Constraints in RBAC Environments

While role-based access control (RBAC) as an alternative to traditional discretionary and mandatory access controls is very effective and popular, subsequent attempts to apply it in various application environments also revealed some limitations of RBAC. We developed a new type of security policy, called label-based access control policy (LBACP) that can be used for enhancing RBAC. Unlike other access control policies, LBACP is not used independently. On the contrary, it should be combined with other access control policies. The basic principle is defining some labels that specify information flow constraints, and then assigning these labels to other access control policies or their components. The usage of the labeled policy components must conform to the information flow constraints defined by the labels in order to avoid being misused. Thus, some potential information leaks can be avoided. This paper investigates how the LBACP can be used to enhance RBAC.

[1]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[2]  David M. Eyers,et al.  A formal model for hierarchical policy contexts , 2004, Proceedings. Fifth IEEE International Workshop on Policies for Distributed Systems and Networks, 2004. POLICY 2004..

[3]  David F. Ferraiolo,et al.  Assessment of Access Control Systems , 2006 .

[4]  Seng-Phil Hong,et al.  Access control in collaborative systems , 2005, CSUR.

[5]  Pietro Iglio,et al.  A formal model for role-based access control with constraints , 1996, Proceedings 9th IEEE Computer Security Foundations Workshop.

[6]  Sushil Jajodia,et al.  Flexible support for multiple access control policies , 2001, TODS.

[7]  Christoph Meinel,et al.  Label-Based Access Control Policy Enforcement and Management , 2006, Seventh ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing (SNPD'06).

[8]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[9]  Andrew C. Myers,et al.  Protecting privacy using the decentralized label model , 2000, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[10]  David M. Eyers,et al.  Policy contexts: controlling information flow in parameterised RBAC , 2003, Proceedings POLICY 2003. IEEE 4th International Workshop on Policies for Distributed Systems and Networks.