research-article

Authorization recycling in hierarchical RBAC systems

Published: 06 June 2011

Abstract

As distributed applications increase in size and complexity, traditional authorization architectures based on a dedicated authorization server become increasingly fragile because this decision point represents a single point of failure and a performance bottleneck. Authorization caching, which enables the reuse of previous authorization decisions, is one technique that has been used to address these challenges.

This article introduces and evaluates mechanisms for authorization “recycling” in RBAC enterprise systems. The algorithms that support these mechanisms allow making precise and approximate authorization decisions, thereby masking possible failures of the authorization server and reducing its load. We evaluate these algorithms analytically as well as using simulation and a prototype implementation. Our evaluation results demonstrate that authorization recycling can improve the performance of distributed access-control mechanisms.
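The abstract describes two ways a cached ("recycled") decision can answer a request without contacting the authorization server: a precise decision, when the identical request was decided before, and an approximate one, inferred from the role hierarchy. The following Python model is an added illustration written for this page, not the paper's algorithm or code. It assumes standard hierarchical RBAC semantics in which a senior role inherits every permission of its junior roles and the policy contains only positive permissions; under that assumption a cached permit for a junior role implies a permit for any senior role, and a cached deny for a senior role implies a deny for any junior role. The class and role names (RecyclingPoint, PolicyDecisionPoint, director/manager/engineer/staff) and the sample policy are constructed for the example.

```python
from collections import defaultdict
from typing import Optional


class RoleHierarchy:
    """Role hierarchy as a DAG of (senior, junior) edges; senior inherits junior's permissions."""

    def __init__(self, edges):
        self.juniors = defaultdict(set)
        for senior, junior in edges:
            self.juniors[senior].add(junior)

    def dominates(self, senior, junior) -> bool:
        """True if senior == junior or senior transitively inherits from junior."""
        if senior == junior:
            return True
        stack, seen = [senior], set()
        while stack:
            for j in self.juniors.get(stack.pop(), ()):
                if j == junior:
                    return True
                if j not in seen:
                    seen.add(j)
                    stack.append(j)
        return False


class PolicyDecisionPoint:
    """Constructed stand-in for the authorization server; can be marked unreachable."""

    def __init__(self, hierarchy, permissions):
        self.h = hierarchy
        self.permissions = permissions  # set of (role, object, action) direct assignments
        self.available = True

    def __call__(self, role, obj, action) -> bool:
        if not self.available:
            raise ConnectionError("PDP unreachable")
        return any(self.h.dominates(role, r)
                   for (r, o, a) in self.permissions if (o, a) == (obj, action))


class RecyclingPoint:
    """Application-side decision point that recycles prior PDP decisions."""

    def __init__(self, hierarchy, pdp):
        self.h = hierarchy
        self.pdp = pdp
        self.cache = {}  # (role, object, action) -> bool, decisions obtained from the PDP
        self.stats = {"precise": 0, "approx": 0, "pdp": 0, "fail_closed": 0}

    def recycle(self, role, obj, action) -> Optional[bool]:
        """Precise hit on an identical request, else an inference from the hierarchy, else None."""
        key = (role, obj, action)
        if key in self.cache:
            self.stats["precise"] += 1
            return self.cache[key]
        for (r2, o2, a2), permitted in self.cache.items():
            if (o2, a2) != (obj, action):
                continue
            # Positive permissions only: a junior's permit carries upward to a senior role.
            if permitted and self.h.dominates(role, r2):
                self.stats["approx"] += 1
                return True
            # A senior's deny carries downward: no junior role it dominates holds the permission.
            if not permitted and self.h.dominates(r2, role):
                self.stats["approx"] += 1
                return False
        return None

    def decide(self, role, obj, action) -> bool:
        decision = self.recycle(role, obj, action)
        if decision is not None:
            return decision
        try:
            decision = self.pdp(role, obj, action)
        except ConnectionError:
            self.stats["fail_closed"] += 1  # nothing recyclable and PDP down: deny
            return False
        self.stats["pdp"] += 1
        self.cache[(role, obj, action)] = decision  # only primary decisions are cached
        return decision


def run_demo():
    """Replay a constructed request sequence, with a PDP outage part-way through."""
    h = RoleHierarchy([("director", "manager"), ("manager", "engineer"), ("engineer", "staff")])
    pdp = PolicyDecisionPoint(h, {("engineer", "repo", "push"), ("staff", "wiki", "read")})
    sdp = RecyclingPoint(h, pdp)
    reqs = [("engineer", "repo", "push"),   # PDP: permit
            ("engineer", "repo", "push"),   # precise hit
            ("manager", "repo", "push"),    # approximate permit (manager >= engineer)
            ("staff", "repo", "push"),      # PDP: deny
            ("staff", "wiki", "read"),      # PDP: permit
            ("manager", "wiki", "delete")]  # PDP: deny
    trace = [sdp.decide(*r) for r in reqs]
    pdp.available = False                   # authorization server fails
    trace += [sdp.decide("staff", "repo", "push"),      # precise hit survives outage
              sdp.decide("director", "wiki", "read"),   # approximate permit from staff's permit
              sdp.decide("engineer", "wiki", "delete"), # approximate deny from manager's deny
              sdp.decide("director", "wiki", "delete")] # nothing recyclable: fail closed
    return trace, sdp.stats
```

Of the ten requests only four reach the PDP, and three of the four requests issued during the outage are still answered from recycled decisions; the fourth is denied because a fail-closed default is the only safe answer when neither the cache nor the server can decide. Cached entries are only as fresh as the last PDP answer, so a deployment also needs expiry or invalidation when roles or permissions change, which this model omits.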



Published in

ACM Transactions on Information and System Security, Volume 14, Issue 1
May 2011
366 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/1952982

Copyright © 2011 ACM

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 6 June 2011
• Accepted: 1 April 2010
• Revised: 1 December 2009
• Received: 1 October 2008

Qualifiers

• research-article
• Research
• Refereed
