Abstract
Delegation is the process whereby an active entity in a distributed environment authorizes another entity to access resources. In today's distributed systems, a user often needs to act on another user's behalf with some subset of his/her rights. Most systems have attempted to resolve such delegation requirements with ad-hoc mechanisms by compromising existing disorganized policies or simply attaching additional components to their applications. Still, there is a strong need in the large, distributed systems for a mechanism that provides effective privilege delegation and revocation management. This paper describes a rule-based framework for role-based delegation and revocation. The basic idea behind a role-based delegation is that users themselves may delegate role authorities to others to carry out some functions authorized to the former. We present a role-based delegation model called RDM2000 (role-based delegation model 2000) supporting hierarchical roles and multistep delegation. Different approaches for delegation and revocation are explored. A rule-based language for specifying and enforcing policies on RDM2000 is proposed. We describe a proof-of-concept prototype implementation of RDM2000 to demonstrate the feasibility of the proposed framework and provide secure protocols for managing delegations. The prototype is a web-based application for law enforcement agencies allowing reliable delegation and revocation. The future directions are also discussed.
- Abadi, M., Burrows, M., Lampson, B., and Plotkin, G. 1993. A calculus for access control in distributed systems. ACM Trans. Program. Lang. Syst. 15, 4(Sept.), 706--734.]] Google Scholar
- Abiteboul, S. and Grumbach, S. 1991. A rule-based language with functions and sets. ACM Trans. Database Syst. 16, 1--30.]] Google Scholar
- Ahn, G. and Sandhu, R. 2000. Role-based authorization constraints specification. ACM Transactions on Information and System Security 3, 4, ACM (November) 207--226.]] Google Scholar
- Aura, T. 1999. Distributed access-rights management with delegation certificates. Security Internet programming. J. Vitec and C. Jensen Eds. Springer, Berlin, 211--235.]] Google Scholar
- Barka, E. and Sandhu, R. 2000. A role-based delegation model and some extensions. In Proceedings of 16th Annual Computer Security Application Conference, Sheraton New Orleans, December 11--15, 2000a.]] Google Scholar
- Barka, E. and Sandhu, R. 2000. Framework for role-based delegation model. In Proceedings of 23rd National Information Systems Security Conference, Baltimore, October 16--19, 2000b, 101--114.]]Google Scholar
- Bhamidipati, V. and Sandhu, R. 2000. Push Architectures for USER ROLE assignment. In Proceedings of 23rd National Information Systems Security Conference, Baltimore, October 16--19, 2000, 89--100.]]Google Scholar
- Blaze, M., Feigenbaum, J., and Lacy, J. 1996. Decentralized trust management. IEEE Symposium on Security and Privacy. Oakland, CA. May 1996.]] Google Scholar
- Blaze, M., Feigenbaum, J., Ioannidis, J., and Keromytis, A. 1999. The role of trust management in distributed system security. Security Internet Programming. J. Vitec and C. Jensen, eds. Springer, Berlin, 185--210.]] Google Scholar
- Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B., and Ylonen, T. 1999. SPKI Certificate Theory, RFC2693, http://www.ietf.org/rfc/rfc2693.txt, 1999.]] Google Scholar
- Ferraiolo, D., Barkley, J., and Kuhn, D. R. 1999. A role-based access control model and reference implementation within a corporate intranet. ACM Transactions on Information and System Security 2, 1(February), 34--64.]] Google Scholar
- Ferraiolo, D., Cugini, J., and Kuhn, D. R. 1995. Role-based access control (RBAC): features and Motivations. In Proceedings of 11th Annual Computer Security Application Conference. New Orleans, LA, December 11--15 1995, 241--241.]]Google Scholar
- Forta, B. (ed), 1998. Nate Weiss. Advanced ColdFusion 4.0 Application Development. MacMillan Company.]] Google Scholar
- Forta, B. (ed). 2001. Certified ColdFusion Developer Study Guide. 1st edn. Macromedia Press.]] Google Scholar
- Gasser, M. and McDermott, E. 1990. An architecture for practical delegation a distributed system. IEEE Computer Society Symposium on Research in Security and Privacy. Oakland, CA, May 7--9, 1990.]]Google Scholar
- Gladney, H. M. 1997. Access control for large collections. ACM Transactions on Information Systems 15, 2(April), 154--194.]] Google Scholar
- Hagstrom, A., Jajodia, S., Presicce, F. P., and Wijesekera, D. 2001. Revocations---a classification. In Proceedings of 14th IEEE Computer Security Foundations Workshop, Nova Scotia, Canada, June 2001, 44--58.]] Google Scholar
- Hayton, R., Bacon, J., and Moody, K. 1998. OASIS: access control in an open, distributed environment. In Proceedings of 1998 IEEE Symposium on Security and Privacy. Oakland, CA, May 3--6. IEEE Computer Society Press, Los Alamitos, CA, 3--14.]]Google Scholar
- Jajodia, S., Samarati, P., and Subrahmanian, V. S. 1997. A Logical language for expressing authorizations. IEEE Symposium on Security and Privacy. May 1997.]] Google Scholar
- Lampson, B. W., Abadi, M., Burrows, M. L., and Wobber, E. 1992. Authentication in distributed systems: theory and practice. ACM Transactions on Computer Systems 10, 4, 265--310, November 1992.]] Google Scholar
- Li, N., Feigenbaum, J., and Grosof, B. N. 1999. A logic-based knowledge representation for authorization with delegation (extended abstract). In Proceeding 12th intl. IEEE Computer Security Foundations Workshop, (extended version is IBM Research Report RC 21492).]] Google Scholar
- Li, N. and Grosof, B. N. 2000. A practically implementation and tractable delegation logic. IEEE Symposium on Security and Privacy. May 2000.]] Google Scholar
- Liebrand, M., Ellis, H. J., Phillips, C., and Ting, T. C. 2002. Role delegation for a distributed, unified RBAC/MAC. In Proceedings of Sixteenth Annual IFIP WG 11.3 Working Conference on Data and Application Security King's College, University of Cambridge, UK July 29--31, 2002.]]Google Scholar
- Linn, J. and Nyström, M. 1999. Attribute certification: an enabling technology for delegation and role-based controls in distributed environments. ACM Workshop on Role-Based Access Control 121--130.]] Google Scholar
- McNamara, C. 1997. Basics of delegating. http://www.mapnp.org/library/guiding/delegate/basics.htm.]]Google Scholar
- Sandhu, R. 1997. Rational for the RBAC96 family of access control models. In Proceedings of 1st ACM Workshop on Role-based Access Control.]] Google Scholar
- Sandhu, R., Bhamidipati, V., and Munawer, O. 1999. The ARBAC97 model for role-based administration of roles. ACM Transactions on Information and System Security 2, 1(February), 105--135.]] Google Scholar
- Sandhu, R., Coyne, E., Feinstein, H., and Youman, C. 1996. Role-based access control model. IEEE Computer 29, 2(February).]] Google Scholar
- Wielemaker, J. SWI-Prolog. http://www.swi.psy.uva.nl/projects/SWI-Prolog/]]Google Scholar
- Yao, W., Moody, K., and Bacon, J. 2001. A model of OASIS role-based access control and its support for active security. In Proceedings of ACM Symposium on Access Control Models and Technologies (SACMAT), Chantilly, VA, May 3--4, 2001, 171--181.]] Google Scholar
- Zhang, L., Ahn, G., and Chu, B. 2001. A Rule-based framework for role-based delegation. In Proceedings of ACM Symposium on Access Control Models and Technologies (SACMAT 2001), Chantilly, VA, May 3--4, 2001 153--162.]] Google Scholar
- Zhang, L., Ahn, G., and Chu, B. 2002. A role-based delegation framework for healthcare information systems. In Proceedings of ACM Symposium on Access Control Models and Technologies (SACMAT 2002). Monterey, CA, June 3--4, 2002, 125--134.]] Google Scholar
Index Terms
- A rule-based framework for role-based delegation and revocation
Recommendations
PBDM: a flexible delegation model in RBAC
SACMAT '03: Proceedings of the eighth ACM symposium on Access control models and technologiesRole-based access control (RBAC) is recognized as an efficient access control model for large organizations. Most organizations have some business rules related to access control policy. Delegation of authority is among these rules. RBDM0 and RDM2000 ...
A role-based delegation framework for healthcare information systems
SACMAT '02: Proceedings of the seventh ACM symposium on Access control models and technologiesAs organizations implement information strategies that call for sharing access to resources in the networked environment, mechanisms must be provided to protect the resources from adversaries. The proposed delegation framework addresses the issue of how ...
A rule-based framework for role based delegation
SACMAT '01: Proceedings of the sixth ACM symposium on Access control models and technologiesIn current role-based systems, security officers handle assignments of users to roles. However, fully depending on this functionality may increase management efforts in a distributed environment because of the continuous involvement from security ...
Comments