Constraints for Permission-Based Delegations

Permission-Based Delegation Model (PBDM) is a flexible model for delegation of authority in RBAC. It supports permission-level delegation through temporary delegation roles, and it also supports multi-step delegation. However, constraints for PBDM have not been investigated in the literature, and a system that employs PBDM without considering constraints is not secure. We present a constraints model for user-to-user Permission-Based Delegation (CPBD) to secure such systems. Delegation roles can violate the security guaranteed by the constraints specified on regular roles. In CPBD, these constraints are extended to cover delegation roles through the new concept of the source regular role, and this extension preserves the security that the constraints provide. Authorization constraints on delegation roles themselves are also considered, to satisfy users' security requirements. To give security administrators more control over delegations, constraints on permission-based delegation itself are provided, in particular maximum delegation depth and maximum delegation range.
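As an added illustration (not code from the paper), the following toy Python model shows two of the mechanisms the abstract names: mapping each delegation role back to its source regular role so that separation-of-duty constraints written on regular roles still apply to delegated permissions, and capping multi-step delegation depth. The role names, permissions, the SoD pair and `MAX_DEPTH` are constructed assumptions; maximum delegation range is not modelled.

```python
from dataclasses import dataclass, field

# Constructed sample policy (assumption, not from the paper).
REGULAR_ROLES = {"Purchaser": {"create_order"},
                 "Approver": {"approve_order"},
                 "Clerk": {"view_order"}}
# Static separation of duty: no user may hold both roles of a pair.
SOD_PAIRS = {frozenset({"Purchaser", "Approver"})}
MAX_DEPTH = 2  # assumed administrator-set maximum delegation depth


@dataclass
class DelegationRole:
    name: str
    source: str   # source regular role whose permissions are delegated
    perms: set
    depth: int    # 1 for a first-step delegation, +1 per re-delegation


@dataclass
class Rbac:
    users: dict = field(default_factory=dict)   # user -> set of role names
    droles: dict = field(default_factory=dict)  # name -> DelegationRole

    def effective_regular_roles(self, user):
        """Replace each held delegation role by its source regular role, so
        constraints on regular roles also see delegated permissions."""
        return {self.droles[r].source if r in self.droles else r
                for r in self.users.get(user, set())}

    def violates_sod(self, user, new_regular):
        held = self.effective_regular_roles(user) | {new_regular}
        return any(pair <= held for pair in SOD_PAIRS)

    def delegate(self, delegator, delegatee, from_role, perms, drole_name):
        """Create a delegation role from a role the delegator holds and
        assign it to the delegatee; return 'ok' or the failed check."""
        if from_role not in self.users.get(delegator, set()):
            return "delegator lacks role"
        if from_role in self.droles:  # multi-step: re-delegating a delegation role
            d = self.droles[from_role]
            src, depth, avail = d.source, d.depth + 1, d.perms
        else:
            src, depth, avail = from_role, 1, REGULAR_ROLES[from_role]
        if not perms <= avail:
            return "permissions exceed source"
        if depth > MAX_DEPTH:
            return "max delegation depth exceeded"
        if self.violates_sod(delegatee, src):
            return "separation of duty violated"
        self.droles[drole_name] = DelegationRole(drole_name, src, set(perms), depth)
        self.users.setdefault(delegatee, set()).add(drole_name)
        return "ok"
```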
