Abstract
Role-Based Access Control (RBAC) is supported, directly or in a closely related form, by a number of products. This article presents a formalization of RBAC using graph transformations, a graphical specification technique based on a generalization of classical string grammars to nonlinear structures. The proposed formalization provides an intuitive description of the manipulation of graph structures as they occur in information systems access control, and a precise specification of static and dynamic consistency conditions on graphs and graph transformations. The formalism captures the RBAC models published in the literature, and also allows a uniform treatment of user roles and administrative roles and a detailed analysis of the decentralization of administrative roles.
Index Terms
- A graph-based formalism for RBAC