Policy contexts: controlling information flow in parameterised RBAC

Many RBAC models have augmented the fundamental requirement of a role abstraction with features such as parameterised roles and environment-aware policy. We examine the potential for unintentional leakage of information during RBAC policy enforcement, either through the exchange of parameters with external services when checking environmental conditions, or through a policy design which does not appropriately separate policy subsections with different basic purposes. We propose a simple, robust mechanism for handling these problems, and illustrate our approach with a current application of our OASIS RBAC system.
