
Policy Administration in Tag-Based Authorization

  • Conference paper
Foundations and Practice of Security (FPS 2012)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 7743)

Abstract

Tag-Based Authorization (TBA) is a hybrid access control model that combines the ease of use of extensional access control models with the expressivity of logic-based formalisms. The main limitation of TBA is that it lacks support for policy administration: it does not allow policy writers to specify administrative policies that constrain the tags users can assign, nor to verify that assigned tags comply with these policies. In this paper we introduce TBA2 (Tag-Based Authorization & Administration), an extension of TBA that enables policy administration in distributed systems. We show that TBA2 is more expressive than TBA and than two reference administrative models proposed in the literature, namely HRU and ARBAC97.



Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

Cite this paper

Etalle, S., Hinrichs, T.L., Lee, A.J., Trivellato, D., Zannone, N. (2013). Policy Administration in Tag-Based Authorization. In: Garcia-Alfaro, J., Cuppens, F., Cuppens-Boulahia, N., Miri, A., Tawbi, N. (eds) Foundations and Practice of Security. FPS 2012. Lecture Notes in Computer Science, vol 7743. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-37119-6_11


  • DOI: https://doi.org/10.1007/978-3-642-37119-6_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-37118-9

  • Online ISBN: 978-3-642-37119-6
