GEO-RBAC: A spatially aware RBAC

Published: 01 February 2007

Abstract

Securing access to data in location-based services and mobile applications requires the definition of spatially aware access-control systems. Even if some approaches have already been proposed either in the context of geographic database systems or context-aware applications, a comprehensive framework, general and flexible enough to deal with spatial aspects in real mobile applications, is still missing. In this paper, we take one step in this direction and present GEO-RBAC, an extension of the RBAC model enhanced with spatial and location-based information. In GEO-RBAC, spatial entities are used to model objects, user positions, and geographically bounded roles. Roles are activated based on the position of the user. Besides a physical position, obtained from a given mobile terminal or a cellular phone, users are also assigned a logical and device-independent position, representing the feature (the road, the town, the region) in which they are located. To enhance flexibility and reusability, we also introduce the concept of role schema, specifying the name of the role, as well as the type of the role spatial boundary and the granularity of the logical position. We then extend GEO-RBAC to support hierarchies, modeling permission, user, and activation inheritance, and separation of duty constraints. The proposed classes of constraints extend the conventional ones to deal with different granularities (schema/instance level) and spatial information. We conclude the paper with an analysis of several properties concerning the resulting model.

Reviews

Eduardo B. Fernandez

In a recent paper, Bertino and her associates created an excellent extension of the role-based access control (RBAC) model to include time constraints. Now, they have taken on RBAC with spatial constraints. I imagine that in their next paper, they will consider the combination of these aspects: a time-space-constrained RBAC. In their handling of spatial constraints, they have done another very complete job. They have extended the standard RBAC models (core, hierarchical, and role constrained) to include spatial constraints. For each case, the corresponding model is developed and its properties are formally proved. A key aspect is the use of the Open Geospatial Consortium (OGC) standard to define locations. While they provide a good survey of related work, there is no mention of the work on context-aware security models oriented to mobile devices. For example, Corradi and others developed several models for this purpose. Those models use contexts that include other aspects, not just location, but they are clearly relevant. This paper is a must-read for anybody working on location-based or context-based security or on RBAC models.

Online Computing Reviews Service

Published in

ACM Transactions on Information and System Security, Volume 10, Issue 1
February 2007
106 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/1210263

Copyright © 2007 ACM

Publisher

Association for Computing Machinery
New York, NY, United States
