Safe Use of Protected Web Resources

  • Sylvia Encheva
  • Sharil Tumin
Conference paper
Part of the IFIP International Federation for Information Processing book series (IFIPAICT, volume 228)


This paper focuses on a framework that ensures the safe use of protected Web resources among independent organizations in collaboration. User membership and group membership in each organization are managed independently of the other organizations. User authentication and user authorization for a protected resource in one organization are determined by the user's group membership in the other organizations. Furthermore, users never disclose their user identifiers and passwords in a foreign domain. Every set of related roles in a single organization is defined as an antichain, and every set of related roles in the collaborating organizations is defined as a complete lattice. The ranking order of roles for a resource depends on the operations. Users are added to or removed from roles by managing their membership in the corresponding groups.
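The following is an added illustration of the ideas stated in the abstract, not code from the paper: each organization maps its own groups to roles, a foreign organization learns only the roles a home organization asserts for a user (never the user's credentials), role sets across organizations are ordered by inclusion (a complete lattice with union as join and intersection as meet), and each operation on a resource requires a lattice element. The organizations, groups, users and policy are constructed sample data.

```python
# Constructed sample data: two collaborating organizations, each managing its own
# groups, members and group->role mapping independently of the other.
ORG_GROUP_ROLES = {
    "uni": {"staff": "uni:lecturer", "students": "uni:student"},
    "lab": {"researchers": "lab:researcher", "admins": "lab:admin"},
}
ORG_MEMBERS = {
    "uni": {"staff": {"alice"}, "students": {"bob"}},
    "lab": {"researchers": {"alice", "bob"}, "admins": {"alice"}},
}

# Role sets ordered by inclusion form a complete lattice: join is union, meet is
# intersection, and the empty set / set of all roles are bottom and top.
def join(a, b):
    return frozenset(a | b)

def meet(a, b):
    return frozenset(a & b)

def roles_asserted_by(org, user):
    """Roles that `org` asserts for `user` from its own group membership.
    The asking organization receives only this role set; the user's password
    never leaves the home domain. Roles of one organization are an antichain:
    no role here is ranked above another."""
    return frozenset(ORG_GROUP_ROLES[org][g]
                     for g, members in ORG_MEMBERS[org].items() if user in members)

def effective_roles(user):
    """Lattice join of the role sets asserted by every collaborating organization."""
    roles = frozenset()
    for org in ORG_MEMBERS:
        roles = join(roles, roles_asserted_by(org, user))
    return roles

# Per-resource ranking: each operation names the lattice element it requires.
# Note that "write" and "delete" are incomparable; the order depends on the operation.
RESOURCE_POLICY = {
    "dataset": {
        "read": frozenset({"lab:researcher"}),
        "write": frozenset({"lab:researcher", "uni:lecturer"}),
        "delete": frozenset({"lab:admin", "uni:lecturer"}),
    },
}

def authorized(user, resource, op):
    """Grant iff the user's element dominates the required element in the lattice."""
    required = RESOURCE_POLICY[resource][op]
    return required <= effective_roles(user)
```

Removing a user from a group in the home organization changes the roles it asserts, so the foreign organization's decision follows without any credential being shared.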





Copyright information

© International Federation for Information Processing 2006

Authors and Affiliations

  • Sylvia Encheva, Stord/Haugesund University College, Haugesund, Norway
  • Sharil Tumin, IT Department, University of Bergen, Bergen, Norway
