Inheritance hierarchies in the Or-BAC model and application in a network environment

Role hierarchy was first introduced in the Role Based Access Control (RBAC) model, together with the inheritance of permissions along that hierarchy. This is useful for designing security policies in a modular way. In this paper, we extend this approach in the context of the Organization Based Access Control (Or-BAC) model. We first define hierarchies of roles, views and activities and formally model the inheritance mechanism associated with each hierarchy. We then define a hierarchy of organizations. We show that this provides efficient means to derive the policies of security components from the corporate security policy specification. We illustrate our approach in the context of network security policy, in particular to configure firewalls.
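As an added illustration (not the paper's own code), the following Python sketch shows the mechanism the abstract describes: an abstract permission stated once at the corporate organization is inherited down the role, activity, view and organization hierarchies, and the concrete rule for a firewall sub-organization is then derived from its own subject, action and object assignments. All names (corp, fw_dmz, net_admin, the addresses) are constructed sample values, hierarchies are simplified to global child/parent pairs, and the Or-BAC context parameter is omitted.

```python
# Added illustration, not the paper's own code: permission inheritance along role,
# activity, view and organization hierarchies in an Or-BAC style policy, then
# derivation of concrete firewall rules at a sub-organization. Simplifications:
# hierarchies are global (child, parent) pairs and the context parameter is omitted.

# Corporate abstract policy: permission(org, role, activity, view)
PERMISSIONS = {("corp", "admin", "remote_admin", "servers")}
# Hierarchies: the child entity inherits the parent's permissions
SUB_ROLE = {("net_admin", "admin")}
SUB_ACTIVITY = {("ssh_access", "remote_admin")}
SUB_VIEW = {("dmz_servers", "servers")}
SUB_ORG = {("fw_dmz", "corp")}  # the DMZ firewall is a sub-organization of corp
# Concrete assignments made by the firewall organization (constructed sample values)
EMPOWER = {("fw_dmz", "10.0.1.5", "net_admin"), ("fw_dmz", "10.0.1.99", "guest")}
CONSIDER = {("fw_dmz", "tcp/22", "ssh_access")}
USE = {("fw_dmz", "10.0.2.10", "dmz_servers")}

def derive_permissions(perms, sub_role=SUB_ROLE, sub_activity=SUB_ACTIVITY,
                       sub_view=SUB_VIEW, sub_org=SUB_ORG):
    """Least fixed point: push each permission down every hierarchy until stable."""
    closed = set(perms)
    while True:
        new = set()
        for org, role, act, view in closed:
            new |= {(org, c, act, view) for c, p in sub_role if p == role}
            new |= {(org, role, c, view) for c, p in sub_activity if p == act}
            new |= {(org, role, act, c) for c, p in sub_view if p == view}
            new |= {(c, role, act, view) for c, p in sub_org if p == org}
        if new <= closed:
            return closed
        closed |= new

def concrete_rules(perms, empower=EMPOWER, consider=CONSIDER, use=USE):
    """Is_permitted(subject, action, object): some organization empowers the subject
    in a role, considers the action as an activity, uses the object in a view, and
    holds the abstract permission (org, role, activity, view)."""
    rules = set()
    for org, role, act, view in perms:
        subjects = {s for o, s, r in empower if o == org and r == role}
        actions = {a for o, a, x in consider if o == org and x == act}
        objects = {ob for o, ob, v in use if o == org and v == view}
        rules |= {(s, a, ob) for s in subjects for a in actions for ob in objects}
    return rules

def firewall_rules():
    """Render the derived concrete permissions as allow rules for the DMZ firewall."""
    rules = concrete_rules(derive_permissions(PERMISSIONS))
    return sorted(f"allow {s} -> {ob} {a}" for s, a, ob in rules)
```

The guest host gets no rule because no abstract permission reaches the guest role, which is the modularity argument of the paper: the firewall only receives what the corporate policy grants along the hierarchies.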
