Abstract
Authorization delegations and negations are two important features of a flexible access control model. When a system allows both authorization delegation and negation, conflict problems can become crucial, since multiple administrators greatly increase the chance of conflicts. However, the problem of handling conflicts in authorization delegations has not been explored by researchers. The existing conflict resolution methods seem limited for certain applications, and cyclic authorizations can even lead to undesirable situations. This paper presents an authorization framework that can support authorization delegation for both positive and negative authorizations. A conflict resolution method based on the underlying grant-connectivity relation is proposed, which gives higher priorities to the predecessors to achieve controlled delegation. For conflicts where grantors are not grant-connected, our model supports multiple resolution policies so that users can select the specific one that best suits their requirements. In addition, cyclic authorizations are avoided and cascade overriding is supported when an administrative privilege is overridden. We give a formal description of our model and describe in detail the algorithms to implement the model. Our model is represented using labeled digraphs that provide a formal basis for proving the semantic correctness of our model.
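The predecessor-priority rule, the fallback policy for grantors that are not grant-connected, and the rejection of cyclic authorizations can be sketched in a few lines. This is an added example built only from the abstract, not the paper's algorithms. It assumes a single object and right, and the names Grant, predecessors, add_grant and resolve, the "deny"/"permit" policies and the sample graph are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:                      # one edge of the labeled digraph (single object and right assumed)
    grantor: str
    subject: str
    sign: str                     # "+" authorizes, "-" denies
    delegable: bool = False       # on a "+" edge: the subject may grant further

def predecessors(grants, subject):
    """Grantors that `subject`'s delegation chain derives from (walk delegable '+' edges backwards)."""
    seen, stack = set(), [subject]
    while stack:
        node = stack.pop()
        for g in grants:
            if g.subject == node and g.sign == "+" and g.delegable and g.grantor not in seen:
                seen.add(g.grantor)
                stack.append(g.grantor)
    return seen

def add_grant(grants, g):
    """Append g unless a delegable '+' edge would close a delegation cycle."""
    if g.sign == "+" and g.delegable and g.subject in predecessors(grants, g.grantor) | {g.grantor}:
        raise ValueError("cyclic authorization rejected")
    grants.append(g)

def resolve(grants, subject, fallback="deny"):
    """Effective sign for `subject`: '+', '-' or None when nothing applies."""
    mine = [g for g in grants if g.subject == subject]
    # A grant is overridden when a predecessor of its grantor issued the opposite sign.
    surviving = [g for g in mine if not any(
        h.sign != g.sign and h.grantor in predecessors(grants, g.grantor) for h in mine)]
    signs = {g.sign for g in surviving}
    if len(signs) <= 1:
        return signs.pop() if signs else None
    # Grantors are not grant-connected: apply the selected policy (two illustrative ones).
    return "-" if fallback == "deny" else "+"

# Constructed sample graph, not taken from the paper.
SAMPLE = [
    Grant("owner", "alice", "+", True), Grant("owner", "bob", "+", True),
    Grant("alice", "carol", "+", True), Grant("carol", "dave", "+"),
    Grant("alice", "dave", "-"),   # alice precedes carol, so this denial wins
    Grant("bob", "erin", "+"), Grant("alice", "erin", "-"),  # alice and bob unconnected
]

if __name__ == "__main__":
    for s in ("dave", "erin"):
        print(s, resolve(SAMPLE, s, "deny"), resolve(SAMPLE, s, "permit"))
```

In the sample, dave's outcome is the same under either policy because alice is a predecessor of carol, while erin's outcome depends on the selected policy because alice and bob are not grant-connected.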
Cite this article
Ruan, C., Varadharajan, V. A formal graph based framework for supporting authorization delegations and conflict resolutions. IJIS 1, 211–222 (2003). https://doi.org/10.1007/s10207-003-0018-4
DOI: https://doi.org/10.1007/s10207-003-0018-4