The Conflict Detection Between Permission Assignment Constraints in Role-Based Access Control

  • Chang-Joo Moon
  • Woojin Paik
  • Young-Gab Kim
  • Ju-Hum Kwon
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3822)


Assuring integrity of permission assignment (PA) constraints is a difficult task in role-based access control (RBAC) because of the large number of constraints, users, roles and permissions in a large enterprise environment. We provide solutions to this problem using the conflict concept. This paper introduces the conflict model in order to understand the conflicts easily and to detect conflicts effectively. The conflict model is classified as a permission-permission model and a role-permission model. This paper defines two type conflicts using the conflict model. The first type is an inter-PA-constraints (IPAC) conflict that takes place between PA constraints. The other type is a PA–PAC conflict that takes place between a PA and a PA constraint (PAC). Also, the conditions of conflict occurrence are formally specified and proved. We can assure integrity on permission assignment by checking conflicts before PA and PA constraints are applied.


Security Manager Association Relationship Conflict Detection Prerequisite Permission Conflict Model 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Ferraiolo, D.F., et al.: Role-Based Access Control, Artech House (2003)Google Scholar
  2. 2.
    Kuhn, D.R.: Mutual Exclusion of Roles as a Means of Implementing Separation of Duty in Role-Based Access Control Systems. In: Second ACM Workshop on Role-Based Access Control (1997)Google Scholar
  3. 3.
    Gligor, V.D., Gavrila, S.I., Ferraiolo, D.: On the formal definition of separation-of-duty policies and their composition. In: IEEE Symposium on Security and Privacy, Oakland, California (May 1998)Google Scholar
  4. 4.
    Nyanchama, M., Osborn, S.: The Role Graph Model and Conflict of Interest. ACM Transactions on Information and System Security 2(1), 3–33 (1999)CrossRefGoogle Scholar
  5. 5.
    Bertino, E., Ferrari, E., Atluri, V.: The specification and enforcement of authorization constraints in workflow management systems. ACM Transactions on Information and System Security 2(1), 65–104 (1999)CrossRefGoogle Scholar
  6. 6.
    Moon, C.-J., Park, D.-H., Park, S.-J., Baik, D.-K.: Symmetric RBAC Model that Takes the Separation of Duty and Role Hierarchies into Consid-eration. Computers & Security 23(2), 126–136 (2004)CrossRefGoogle Scholar
  7. 7.
    Ahn, G.-J., Sandhu, R.: Role-Based Authorization Constraints Specification. ACM Transactions on Information and System Security 3(4), 207–226 (2000)CrossRefGoogle Scholar
  8. 8.
    Sandhu, R.S., Coynek, E.J., Feinsteink, H.L., Youmank, C.E.: Role-Based Access Control Models. IEEE Computer 29(2), 38–47 (1996)Google Scholar
  9. 9.
    Sandhu, R., Ferraiolo, D., Kuhn, R.: The NIST Model for Role-Base Access Control: Toward A Unified Standard. In: Proceedings, 5th ACM Workshop on Role Based Access Control, July 26-27 (2000)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Chang-Joo Moon
    • 1
  • Woojin Paik
    • 1
  • Young-Gab Kim
    • 2
  • Ju-Hum Kwon
    • 3
  1. 1.Department of Computer ScienceKonkuk UniversityChungcheongbuk-doKorea
  2. 2.Department of Computer Science and EngineeringKorea UniversitySeoulKorea
  3. 3.Korea Air Force Central Computer CenterChungcheongnam-doKorea

Personalised recommendations