Abstract
Recently, Role Based Access Control (RBAC) model has taken place as a promising alternative to the conventional access control models, MAC and DAC. RBAC is more general than those traditional models as was shown by Osborn et al. [17], however, mapping a role based system to a valid MAC configuration is not always possible because certain combinations of permissions that are included in a role’s effective privileges may cause information flow. Given a role-based graph where role’s permissions refer to labeled data objects, Osborn et al. showed how to find conflicts that are resulted from information flow, but they have not suggested a solution for these conflicts and they have not handled user-role assignments, for the solved scheme. In this paper, we assume a more general model of permissions conflicts than MAC. We introduce an algorithm that handles information flow conflicts in a given role-based graph, corrects the Role-based graph if needed, and proposes a consistent users-roles assignment. As RBAC and information flow are becoming extremely important in Web based information systems, this algorithm becomes very relevant.
Keywords
- Role based access control
- role graph consistency
- canonical groups
Chapter PDF
References
Ahn, G.J.: Specification and Classification of Role-Based Authorization Policies. IEEE Computer Society, Los Alamitos (2003)
Belokosztolszki, A., Eyers, D., Moody, K.: Policy Contexts: Controlling Information Flow in Parameterised RBAC. IEEE Computer Society Press, Los Alamitos (2003)
Belsis, P., Gritzalis, S.: A scalable Security Architecture enabling coalition formation between autonomous domains. In: Proceedings of ISSPIT 2005, Athens, Greece (2005)
Bertino, E., Ferrari, E., Atluri, V.: The Specification and Enforcement of Authorization Constraints in Workflow Management Systems. ACM Trans. Inf. Systems. Security 2(1), 65–104 (1999)
Bertino, E., Joshi, J., Bhatti, R., Ghafoor, A.: Access-Control Language for Multidomain Environments. IEEE Internet Computing 8(6), 40–50 (2004)
Christofides, N.: An Algorithm for the Chromatic Number of a Graph. Computer J. 14, 38–39 (1971)
Cormen, T., Leiserson, C., Rivest, R.: Introduction to Algorithms, vol. 83(89), pp. 506–539. MIT Press, Cambridge (1990)
Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D., Chandramouli, R.: Proposed NIST Standard for Role-Based Access Control. ACM Transactions on Information and System Security 4(3), 224–274 (2001)
Gramm, J., Guo, J., Huffner, F., Niedermeir, R.: Data Reduction, Exact and Heuristic Algorithms for Clique Cover. In: Proceedings of the 8th Workshop on Algorithm Engineering and Experiments (ALENEX 2006), Miami, USA (January 2006)
Ionita, C.M., Osborn, S.: Privilege administration for the role graph model. In: Proc.IFIP WG11.3 Working Conference on Database Security (July 2002)
Joshi, J., Bertino, E., Shafiq, B., Ghafoor, A.: Dependencies and Separation of Duty Constraints in GTRBAC. In: SACMAT 2003, June 2-3 (2003)
Moodahi, I., Gudes, E., Lavee, O., Meisels, A.: A Secure Workflow Model Based on Distributed Constrained Role and Task Assignment for the Internet. In: López, J., Qing, S., Okamoto, E. (eds.) ICICS 2004. LNCS, vol. 3269, pp. 171–186. Springer, Heidelberg (2004)
Moodahi, I., Gudes, E., Meisels, A.: A three tier architecture for Role/User assignment for the Internet (submitted for a journal publication)
Myers, A.C., Liskov, B.: A Decentralized Model for Information Flow Control. In: Proceedings of the 16th ACM Symposium on Operating Systems Principles, Saint-Malo, France (October 1997)
Nyanchama, M., Osborn, S.: The Role Graph Model and Conflict of Interest. ACM Transactions on Information and Systems Security 2(1), 3–33 (1999)
Osborn, S.: Information Flow Analysis of an RBAC system. In: SACMAT 2002, June 3-4 (2002)
Osborn, S., Sandhu, R., Munawer, Q.: Configuring Role-Based Access Control to enforce Mandatory and Discretionary access control policies. ACM Trans. Information and system security 3(2), 1–23 (2000)
Samarati, P., Bertino, E., Ciampichetti, A., Jajodia, S.: Information Flow Control in Object-Oriented Systems. IEEE Trans. Knowl. Data Eng. 9(4), 524–538 (1997)
Sandhu, R.: Lattice-based access control models. IEEE Computer 26(11), 9–19 (1993)
Sandhu, R.: Role Hierarchies and constraints for lattice-based Access Controls. In: Proc. Fourth European on Research in Computer Security, Rome, Italy, September 25-27 (1996)
Sandhu, R., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. IEEE Computer 29(2), 38–47 (1996)
Skiena, S.: Finding a Vertex Coloring, 5.5.3 in Implementing Descrete Mathematics: Combinatorics and Graph Theory with Mathematica, pp. 141, 214–215. Addison-Wesley, Reading (1990)
Wang, H., Osborn, S.: An Administrative Model for Role Graphs. In: Proc. IFIP WG11.3 Working Conference on Database Security, Estes Park, Colorado (2003)
Wilf, H., Backtrack: An O(1) Expected Time Algorithm for the Graph Coloring Problem. Info. Proc. Let. 18, 119–121 (1984)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 IFIP International Federation for Information Processing
About this paper
Cite this paper
Tuval, N., Gudes, E. (2006). Resolving Information Flow Conflicts in RBAC Systems. In: Damiani, E., Liu, P. (eds) Data and Applications Security XX. DBSec 2006. Lecture Notes in Computer Science, vol 4127. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11805588_11
Download citation
DOI: https://doi.org/10.1007/11805588_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-36796-3
Online ISBN: 978-3-540-36799-4
eBook Packages: Computer ScienceComputer Science (R0)