Dependencies and separation of duty constraints in GTRBAC

A Generalized Temporal Role Based Access Control (GTRBAC) model that captures an exhaustive set of temporal constraint needs for access control has recently been proposed. GTRBAC's language constructs allow one to specify various temporal constraints on role, user-role assignments and role-permission assignments. In this paper, we identify various time-constrained cardinality, control flow dependency and separation of duty constraints (SoDs). Such constraints allow specification of dynamically changing access control requirements that are typical in today's large systems. In addition to allowing specification of time, the constraints introduced here also allow expressing access control policies at a finer granularity. The inclusion of control flow dependency constraints allows defining much stricter dependency requirements that are typical in workflow types of applications.

[1]  David F. Ferraiolo,et al.  On the formal definition of separation-of-duty policies and their composition , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[2]  David F. Ferraiolo,et al.  An Examination of Federal and Commercial Access Control Policy Needs , 1993 .

[3]  Luigi Giuri,et al.  Role-based access control: a natural approach , 1996, RBAC '95.

[4]  Mary Ellen Zurko,et al.  Separation of duty in role-based environments , 1997, Proceedings 10th Computer Security Foundations Workshop.

[5]  Elisa Bertino,et al.  TRBAC , 2001, ACM Trans. Inf. Syst. Secur..

[6]  Elisa Bertino,et al.  A generalized temporal role-based access control model , 2005, IEEE Transactions on Knowledge and Data Engineering.

[7]  Trent Jaeger,et al.  Practical safety in flexible access control models , 2001, TSEC.

[8]  Elisa Bertino,et al.  Temporal hierarchies and inheritance semantics for GTRBAC , 2002, SACMAT '02.

[9]  Walid G. Aref,et al.  Digital Government Security Infrastructure Design Challenges , 2001, Computer.

[10]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[11]  Elisa Bertino,et al.  The specification and enforcement of authorization constraints in workflow management systems , 1999, TSEC.

[12]  Gail-Joon Ahn,et al.  Role-based authorization constraints specification , 2000, TSEC.

[13]  Walid G. Aref,et al.  Security models for web-based applications , 2001, CACM.

[14]  BertinoElisa,et al.  The specification and enforcement of authorization constraints in workflow management systems , 1999 .

[15]  Ravi S. Sandhu,et al.  Configuring role-based access control to enforce mandatory and discretionary access control policies , 2000, TSEC.

[16]  D. Richard Kuhn,et al.  Mutual exclusion of roles as a means of implementing separation of duty in role-based access control systems , 1997, RBAC '97.

[17]  Ravi S. Sandhu Role Hierarchies and Constraints for Lattice-Based Access Controls , 1996, ESORICS.

[18]  David F. Ferraiolo,et al.  Role Based Access Control for the World Wide Web , 1997 .

[19]  Elisa Bertino,et al.  Generalized Temporal Role Based Access Control Model (GTRBAC) Part I Specification and Modeling , 2001 .

[20]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.