Delegation in role-based access control

User delegation is a mechanism for assigning access rights available to one user to another user. A delegation can be either a grant or a transfer operation. Existing work on delegation in the context of role-based access control models has extensively studied grant delegations, but transfer delegations have largely been ignored. This is mainly because enforcing transfer delegation policies is more complex than enforcing grant delegation policies. This paper primarily studies transfer delegations for role-based access control models. We also include grant delegations in our model for completeness. We present various mechanisms that authorize delegations in our model. In particular, we show that the use of administrative scope for authorizing delegations is more efficient than using relations. We also discuss the enforcement and revocation of delegations. Finally, we study delegation in the context of workflow systems. In particular, we demonstrate the application of the administrative scope and administrative domain concepts to control delegation of tasks in worklist-based workflow systems.
