ABSTRACT
The mobility of the user-role relationship is a new feature relative to its counterparts in user-role assignments. When an administrative role assigns a role to a user with mobile membership, the user can use the permissions of the role and can also be assigned further roles by administrators. Immobile membership grants the user the authority to use the permissions, but does not make the user eligible for further role assignment. Two types of problem may arise in user-role assignment with the mobility of the user-role relationship. One is related to the authorization granting process: when a role is granted to a user, this role may conflict with other roles of the user, or together with this role the user may have or derive a high level of authority. The other is related to authorization revocation: when a role is revoked from a user, the user may still hold the role through other roles. In this paper, we discuss granting and revocation models related to mobile and immobile memberships between users and roles, then propose authorization granting, weak revocation and strong revocation algorithms that are based on relational algebra and operations. We also describe how to use the new algorithms with an anonymity scalable payment scheme. Finally, comparisons with other related work are made.
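The following is an added illustration, not the paper's relational-algebra algorithms, of the three behaviours the abstract describes: a grant that is refused when the prerequisite role is held only through an immobile membership or when the new role conflicts with roles the user already has, a weak revocation that removes only the explicit assignment (so the user may still derive the role through a senior role), and a strong revocation that also removes the senior roles through which the role is inherited. The role hierarchy, the conflict pair and the user names are constructed for the example, and the semantics of mobile/immobile membership and weak/strong revocation are modelled here with plain Python sets as an assumption about how such an RBAC state behaves.

```python
"""Toy user-role assignment state with mobile/immobile membership.

Constructed example: the hierarchy, conflicts and users below are
assumptions for illustration, not data from the paper.
"""


class RBACState:
    def __init__(self, hierarchy, conflicts):
        # hierarchy: senior role -> set of its immediate junior roles
        self.juniors = {r: set(js) for r, js in hierarchy.items()}
        # conflicts: pairs of mutually exclusive roles
        self.conflicts = {frozenset(p) for p in conflicts}
        # explicit assignments: (user, role) -> True if membership is mobile
        self.ua = {}

    def all_juniors(self, role):
        """Transitive closure of juniors of `role`, including `role` itself."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            stack.extend(self.juniors.get(r, ()))
        return seen

    def roles(self):
        rs = set(self.juniors)
        for js in self.juniors.values():
            rs |= js
        return rs

    def seniors_of(self, role):
        """Every role (including `role`) that inherits `role`."""
        return {r for r in self.roles() if role in self.all_juniors(r)}

    def effective_roles(self, user):
        """Roles whose permissions the user can use: explicit plus inherited."""
        eff = set()
        for (u, r) in self.ua:
            if u == user:
                eff |= self.all_juniors(r)
        return eff

    def eligible_roles(self, user):
        """Roles usable as a prerequisite for further assignment.
        Only mobile memberships (and what they inherit) count."""
        eff = set()
        for (u, r), mobile in self.ua.items():
            if u == user and mobile:
                eff |= self.all_juniors(r)
        return eff

    def grant(self, user, role, mobile=True, prerequisite=None):
        """Assign `role` to `user`, refusing on an unmet prerequisite or a conflict."""
        if prerequisite is not None and prerequisite not in self.eligible_roles(user):
            return False, "prerequisite not satisfied by a mobile membership"
        new_eff = self.effective_roles(user) | self.all_juniors(role)
        for pair in self.conflicts:
            if pair <= new_eff:
                return False, "conflict: " + "/".join(sorted(pair))
        self.ua[(user, role)] = mobile
        return True, "granted"

    def weak_revoke(self, user, role):
        """Remove only the explicit assignment.
        Returns (removed, still_effective): the role may survive via a senior role."""
        removed = self.ua.pop((user, role), None) is not None
        return removed, role in self.effective_roles(user)

    def strong_revoke(self, user, role):
        """Remove the explicit assignment and every senior role that implies it.
        Returns whether the role is still effective afterwards (should be False)."""
        for r in self.seniors_of(role):
            self.ua.pop((user, r), None)
        return role in self.effective_roles(user)


def run_scenario():
    """Constructed scenario exercising grant, weak and strong revocation."""
    st = RBACState(
        hierarchy={"DIR": {"PL"}, "PL": {"ENG"}, "ENG": {"E"}, "AUD": set()},
        conflicts=[("ENG", "AUD")],
    )
    out = {}
    out["alice_e"] = st.grant("alice", "E", mobile=True)
    out["alice_eng"] = st.grant("alice", "ENG", prerequisite="E")
    # bob holds E only immobily, so E cannot serve as a prerequisite
    out["bob_e"] = st.grant("bob", "E", mobile=False)
    out["bob_eng"] = st.grant("bob", "ENG", prerequisite="E")
    # AUD conflicts with the ENG role alice already has
    out["alice_aud"] = st.grant("alice", "AUD")
    out["alice_pl"] = st.grant("alice", "PL", prerequisite="ENG")
    # weak revocation of ENG leaves it effective through PL
    out["weak"] = st.weak_revoke("alice", "ENG")
    # strong revocation also removes PL, so ENG is really gone
    out["strong"] = st.strong_revoke("alice", "ENG")
    out["alice_final"] = st.effective_roles("alice")
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

The point of the two revocation functions is the distinction the abstract draws: after `weak_revoke` the user still derives ENG from the senior PL assignment, while `strong_revoke` walks the hierarchy upward and removes every assignment that would keep the role effective.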
Index Terms
- Authorization algorithms for the mobility of user-role relationship