Authorization Constraints Specification and Enforcement

Constraints are an important aspect of role-based access control (RBAC) and its extensions, and are often regarded as one of the principal motivations behind these access control models. Two issues matter for constraints: their specification and their enforcement. Existing approaches, however, cannot comprehensively support both, and early research concentrates mainly on separation of duty. In this paper, we introduce two novel authorization constraint specification schemes, the prohibition constraint scheme and the obligation constraint scheme. Both can be used to express and to enforce authorization constraints. The schemes are strongly bound to authorization entity set functions and relation functions, which can be mapped to the functions that need to be developed in application systems, so they give system developers a clear view of which functions should be developed in an authorization constraint system. Based on these functions, various constraint schemes can be easily defined, and security administrators can use them to create constraint schemes for their day-to-day operations. A constraint system can be scaled by defining new entity set functions and entity relation functions. This approach goes beyond the well-known separation of duty constraints and considers many aspects of entity relation constraints.
