ACISP 2002: Information Security and Privacy pp 271-285 | Cite as

Resolving Conflicts in Authorization Delegations

  • Chun Ruan
  • Vijay Varadharajan
Conference paper
First Online:
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2384)

Abstract

In this paper, we first discuss some drawbacks of the existing conflict authorization resolution methods when access rights are delegated, and then propose a flexible authorization model to deal with the conflict resolution problem with delegation. In our model, conflicts are classified into comparable and incomparable ones. With comparable conflicts, the conflicts come from the grantors that have grant connectivity relationship with each other, and the predecessor’s authorizations will always take precedence over the successor’s. In this way, the access rights can be delegated but the delegation can still be controlled. With incomparable conflicts, the conflicts come from the grantors that do not have grant connectivity relationship with each other. Multiple resolution policies are provided so that users can select the specific one that best suits their requirements. In addition, the overridden authorizations are still preserved in the system and they can be reactivated when other related authorizations are revoked or the policy for resolving conflicts is changed. We give a formal description of our model and describe in detail the algorithms to implement the model. Our model is represented using labelled digraphs, which provides a formal basis for proving the semantic correctness of our model.

This is a preview of subscription content, log in to check access.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    E. Bertino, F. Buccafurri, E. Ferrari, P. Rullo, A logical framework for reasoning on data access control policies. proceedings of the 12th IEEE Computer Society Foundations Workshop, IEEE Computer Society Press, Los Alamitos, 1999, pp. 175–189.CrossRefGoogle Scholar
  2. 2.
    E. Bertino, S. Jajodia, P. Samarati, Supporting multiple access control policies in database systems. Proc.of the IEEE Symposium on Research in Security and Privacy, Oakland(CA), 1996.Google Scholar
  3. 3.
    R. Fagin, On an authorization mechanism. ACM Transaction on Database Systems, Vol. 3, 1978, pp 310–319.CrossRefGoogle Scholar
  4. 4.
    M. Harrison, W. Ruzzo and J. Ullman, Protection in operating systems. Communications of ACM 19(8),pp 461–471, 1976.MATHCrossRefMathSciNetGoogle Scholar
  5. 5.
    N. Gal-Oz, E. Gudes, and E.B. Fernandez, A model of methods access authorization in object-oriented databases. Proceedings of International Conference on Very Large Data Bases, pp 52–61, 1993.Google Scholar
  6. 6.
    T.F. Lunt et al, Secure Distributed Data Views, Vol. 1–4, SRI International, 1989.Google Scholar
  7. 7.
    F. Rabitti, E. Bertino, W. Kim, and D. Woelk, A model of authorization for next generation database systems. ACM Transaction on Database Systems, Vol 16, pp88–131, 1991.CrossRefGoogle Scholar
  8. 8.
    M. Satyanarayanan, Integrating security in a large distributed system. ACM-TOCS, vol. 7, no. 3, pp 247–280, Aug. 1989.CrossRefGoogle Scholar
  9. 9.
    T. Woo and S. Lam, Designing a distributed authorization service. Proceedings of IEEE INFOCOM’98, 1998.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Chun Ruan
    • 1
  • Vijay Varadharajan
    • 1
  1. 1.School of Computing and Information TechnologyUniversity of W.SydneyKingswoodAustralia

Personalised recommendations