Skip to main content
SpringerLink
Log in

A formal graph based framework for supporting authorization delegations and conflict resolutions

  • Regular contribution
  • Published:
International Journal of Information Security Aims and scope Submit manuscript

Abstract

Authorization delegations and negations are two important features of a flexible access control model. When a system allows both authorization delegation and negation, conflict problems can become crucial since multiple administrators greatly increase the chance of conflicts. However the problem of handling conflicts in authorization delegations has not been explored by researchers. The existing conflict resolution methods seem limited for certain applications and cyclic authorizations can even lead to undesirable situations. This paper presents an authorization framework that can support authorization delegation for both positive and negative authorizations. A conflict resolution method based on the underlying grant-connectivity relation is proposed, which gives higher priorities to the predecessors to achieve controlled delegation. For conflicts where grantors are not grant-connected, our model supports multiple resolution policies so that users can select the specific one that best suits their requirements. In addition, cyclic authorizations are avoided and cascade overriding is supported when an administrative privilege is overridden. We give a formal description of our model and describe in detail the algorithms to implement the model. Our model is represented using labeled digraphs that provide a formal basis for proving the semantic correctness of our model.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Abadi M, Burrows M, Lampson B, Plotkin G (1993) A calculus for access control in distributed systems. ACM Trans Program Lang Syst 15(4):706–734

  2. Bertino E, Jajodia S, Samarati P (1996) Supporting multiple access control policies in database systems. Proc. of the IEEE Symposium on Research in Security and Privacy, Oakland (CA), pp 94–107

  3. Bertino E, Samarati P, Jajodia S (1997) An extended authorization model for relational databases. IEEE Trans Knowl Data Eng 9(1):85–101

  4. Bertino E, Buccafurri F, Ferrari E, Rullo P (1999) A logical framework for reasoning on data access control policies. Proceedings of the 12th IEEE Computer Society Foundations Workshop. IEEE Computer Society Press, Los Alamitos, pp 175–189

  5. Crampton J, Loizou G, O’Shea G (2001) A logic of access control. Comput J 44:54–66

  6. Castano S, Fugini M, Martella G, Samarati P (1995) Database Security. Addison-Wesley Publishing Company

  7. Fagin R (1978) On an authorization mechanism. ACM Trans Database Syst 3:310–319

  8. Harrison M, Ruzzo W, Ullman J (1976) Protection in operating systems. Commun ACM 19(8):461–471

  9. Gal-Oz N, Gudes E, Fernandez EB (1993) A model of methods access authorization in object-oriented databases. Proceedings of International Conference on Very Large Data Bases, pp 52–61

  10. Jajodia S, Samarati P, Subrahmanian VS (1997) A logical language for expressing authorizations. In: Proceedings of the 1997 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, pp 31–42

  11. Jajodia S, Samarati P, Subrahmanian VS, Bertino E (1997) A unified framework for enforcing multiple access control policies. Proceedings of ACM SIGMOD Conference on Management of Data, pp 474–485

  12. Lunt TF, Denning DE, Scheel RR, Heckman M, Shockley WR (1990) The SeaView security model. IEEE Trans Software Engineering 16(6):593–607

  13. Ruan C, Varadharajan V, Zhang Y (2002) Logic-based reasoning on delegatable authorizations. Proceedings of the 13th International Symposium on Methodologies for Intelligent Systems, pp 185–193

  14. Ruan C, Varadharajan V, Zhang Y: Temporal authorization delegation and negation, submitted

  15. Rabitti F, Bertino E, Kim W, Woelk D (1991) A model of authorization for next generation database systems. ACM Trans Database Syst 16(1):88–131

  16. Satyanarayanan M (1989) Interating security in a large distributed system. ACM-TOCS 7(3):247–280

  17. Sandhu RS (1992) The typed access matrix model. Proceedings of IEEE Symposium on Research in Security and Privacy, pp 122–136

  18. Spooner DL, Demurjian SA, Dobson JE (ed)(1996) Database Security IX – Status and Prospects. Chapman & Hall

  19. Woo T, Lam S (1992) Authorization in distributed systems: a formal approach. Proceedings of IEEE Symposium on Research in Security and Privacy, pp 33–50

  20. Woo T, Lam S (1998) Designing a distributed authorization service. Proceedings of IEEE INFOCOM’98, pp 419–429

Download references

Author information

Authors and Affiliations

  1. School of Computing and Information Technology, University of Western Sydney, NSW 1797, South Penrith DC, Australia

    Chun Ruan

  2. Department of Computing, Macquarie University, NSW 2109, North Ryde, Australia

    Vijay Varadharajan

Authors
  1. Chun Ruan
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Vijay Varadharajan
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Chun Ruan or Vijay Varadharajan .

Rights and permissions

Reprints and permissions

About this article

Cite this article

Ruan , C., Varadharajan , V. A formal graph based framework for supporting authorization delegations and conflict resolutions. IJIS 1, 211–222 (2003). https://doi.org/10.1007/s10207-003-0018-4

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10207-003-0018-4

Keywords

Search

Navigation