Abstract
Formal methods and reasoning techniques can be useful tools for the representation and analysis of security policies and access control procedures. This paper presents a logical approach to representing and evaluating role-based access control (RBAC) policies, using description logics and a proof method called tableaux. We propose a new variation of the RBAC model with a classification mechanism for objects. The key feature supported is the ability to model object classes and class hierarchies, which are used to restrict the validity and to control the propagation of authorization rules. We also demonstrate how access control decisions are made by tableaux, considering role and class hierarchies.
Copyright information
© 2007 Springer Berlin Heidelberg
About this paper
Cite this paper
Chae, J.H., Shiri, N. (2007). Formalization of RBAC Policy with Object Class Hierarchy. In: Dawson, E., Wong, D.S. (eds) Information Security Practice and Experience. ISPEC 2007. Lecture Notes in Computer Science, vol 4464. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-72163-5_14
DOI: https://doi.org/10.1007/978-3-540-72163-5_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-72159-8
Online ISBN: 978-3-540-72163-5
eBook Packages: Computer Science, Computer Science (R0)