skip to main content
research-article

Formal foundations for hybrid hierarchies in GTRBAC

Published:22 January 2008Publication History
Skip Abstract Section

Abstract

A role hierarchy defines permission acquisition and role-activation semantics through role--role relationships. It can be utilized for efficiently and effectively structuring functional roles of an organization having related access-control needs. The focus of this paper is the analysis of hybrid role hierarchies in the context of the generalized temporal role-based access control (GTRBAC) model that allows specification of a comprehensive set of temporal constraints on role, user-role, and role-permission assignments. We introduce the notion of uniquely activable set (UAS) associated with a role hierarchy that indicates the access capabilities of a user resulting from his membership to a role in the hierarchy. Identifying such a role set is essential, while making an authorization decision about whether or not a user should be allowed to activate a particular combination of roles in a single session. We formally show how UAS can be determined for a hybrid hierarchy. Furthermore, within a hybrid hierarchy, various hierarchical relations may be derived between an arbitrary pair of roles. We present a set of inference rules that can be used to generate all the possible derived relations that can be inferred from a specified set of hierarchical relations and show that it is sound and complete. We also present an analysis of hierarchy transformations with respect to role addition, deletion, and partitioning, and show how various cases of these transformations allow the original permission acquisition and role-activation semantics to be managed. The formal results presented here provide a basis for developing efficient security administration and management tools.

References

  1. Barkley, J., Cincotta, A., Ferraiolo, D., Gavrila, S., and Kuhn, D. R. 1997. Role based access control for the world wide web. In Proceedings of 20th National Information System Security Conference. NIST/NSA.Google ScholarGoogle Scholar
  2. Bertino, E. and Ferrari, E. 1999. The specification and enforcement of authorization constraints in workflow management systems. ACM Transactions on Information and System Security 2, 1 (Feb.), 65--104. Google ScholarGoogle ScholarDigital LibraryDigital Library
  3. Bertino, E., Bonatti, P. A., and Ferrari, E. 2001. Trbac: A temporal role-based access control model. ACM Transactions on Information and System Security 4, 3 (Aug.), 191--233. Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. Biskup, J., Flegel, U., and Karabulut, Y. 1998. Secure mediation: Requirements and design. In Proceedings of 12th Annual IFIP WG 11.3 Working Conference on Database Security. Chalkidiki, Greece. Google ScholarGoogle ScholarDigital LibraryDigital Library
  5. Crampton, J. and Loizou, G. 2003. Administrative scope: A foundation for role-based administrative models. ACM Transactions on Information System Security 6, 2, 201--231. Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. Ferraiolo, D. F., Gilbert, D. M., and Lynch, N. 1993. An examination of federal and commercial access control policy needs. In Proceedings of NISTNCSC National Computer Security Conference. Baltimore, MD.Google ScholarGoogle Scholar
  7. Giuri, L. 1995. A new model for role-based access control. In Proceedings of 11th Annual Computer Security Application Conference. New Orleans, LA.Google ScholarGoogle Scholar
  8. Giuri, L. 1996. Role-based access control: A natural approach. In RBAC '95: Proceedings of the first ACM Workshop on Role-based access control. ACM Press, New York. 13. Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. Jaeger, T. and Tidswell, J. E. 2001. Practical safety in flexible access control models. ACM Transactions on Information and System Security 4, 2, 158--190. Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. Joshi, J. B. D., Aref, W., Ghafoor, A., and Spafford, E. H. 2001a. Security models for web-based applications. Communications of the ACM 44, 2 (Feb.), 38--72. Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. Joshi, J. B. D., Ghafoor, A., Aref, W., and Spafford, E. H. 2001b. Digital government security infrastructure design challenges. IEEE Computer 34, 2 (Feb.), 66--72. Google ScholarGoogle ScholarDigital LibraryDigital Library
  12. Joshi, J. B. D., Bertino, E., and Ghafoor, A. 2002. Temporal hierarchies and inheritance semantics for gtrbac. In SACMAT '02: Proceedings of the seventh ACM symposium on Access control models and technologies. ACM Press, New York. 74--83. Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. Joshi, J. B. D., Bertino, E., Latif, U., and Ghafoor, A. 2005a. Analysis of expressiveness and design issues for a temporal role based access control model. IEEE Transactions on Dependable and Secure Computing 2, 2, 157--175. Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. Joshi, J. B. D., Bertino, E., Latif, U., and Ghafoor, A. 2005b. Generalized temporal role based access control model. IEEE Transactions on Knowledge and Data Engineering 17, 1 (Jan.), 4--23. Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. Koch, M., Mancini, L., and Parisi-Presicce, F. 2002. A graph-based formalism for rbac. ACM Transactions on Information and System Security 5, 3, 332--365. Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. Moffett, J. D. 1998. Control principles and role hierarchies. In RBAC '98: Proceedings of the third ACM workshop on Role-based access control. ACM Press, New York. 63--69. Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. Moffett, J. D. and Lupu, E. C. 1999. The uses of role hierarchies in access control. In RBAC '99: Proceedings of the fourth ACM workshop on Role-based access control. ACM Press, New York. 153--160. Google ScholarGoogle ScholarDigital LibraryDigital Library
  18. Nyanchama, M. and Osborn, S. 1999. The role graph model and conflict of interest. ACM Transactions on Information and System Security 2, 1, 3--33. Google ScholarGoogle ScholarDigital LibraryDigital Library
  19. Nyanchama, M. and Osborn, S. L. 1994. Access rights administration in role-based security systems. In Proceedings of the IFIP WG11.3 Working Conference on Database Security VII. North-Holland, Amsterdam. 37--56. Google ScholarGoogle ScholarDigital LibraryDigital Library
  20. Osborn, S., Sandhu, R., and Munawer, Q. 2000. Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM Transactions on Information and System Security 3, 2, 85--106. Google ScholarGoogle ScholarDigital LibraryDigital Library
  21. Park, J. S., Sandhu, R., and Ahn, G. J. 2001. Role-based access control on the web. ACM Transactions on Information and System Security 4, 1 (Feb.), 37--71. Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. Sandhu, R. 1996. Role hierarchies and constraints for lattice-based access controls. Computer Security---Esorics'96, LNCS N. 1146, 65--79. Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. Sandhu, R. 1998. Role activation hierarchies. Proceedings of 2rd ACM Workshop on Role-based Access Control, 33--40. Google ScholarGoogle ScholarDigital LibraryDigital Library
  24. Sandhu, R., Coyne, E. J., Feinstein, H. L., and Youman, C. E. 1996. Role-based access control models. IEEE Computer 29, 2, 38--47. Google ScholarGoogle ScholarDigital LibraryDigital Library
  25. Sandhu, R., Bhamidipani, V., and Munawer, Q. 1999. The arbac97 model for role-based administration of roles. ACM Transactions on Information and System Security 1, 2, 105--135. Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. Formal foundations for hybrid hierarchies in GTRBAC

          Recommendations

          Comments

          Login options

          Check if you have access through your login credentials or your institution to get full access on this article.

          Sign in

          Full Access

          • Published in

            cover image ACM Transactions on Information and System Security
            ACM Transactions on Information and System Security  Volume 10, Issue 4
            January 2008
            192 pages
            ISSN:1094-9224
            EISSN:1557-7406
            DOI:10.1145/1284680
            Issue’s Table of Contents

            Copyright © 2008 ACM

            Publisher

            Association for Computing Machinery

            New York, NY, United States

            Publication History

            • Published: 22 January 2008
            • Accepted: 1 September 2006
            • Revised: 1 April 2005
            • Received: 1 January 2003
            Published in tissec Volume 10, Issue 4

            Permissions

            Request permissions about this article.

            Request Permissions

            Check for updates

            Qualifiers

            • research-article
            • Research
            • Refereed

          PDF Format

          View or Download as a PDF file.

          PDF

          eReader

          View online with eReader.

          eReader
          About Cookies On This Site

          We use cookies to ensure that we give you the best experience on our website.

          Learn more

          Got it!