A Review of Delegation and Break-Glass Models for Flexible Access Control Management
Access control models provide important means for the systematic specification and management of the permissions in a business information system. While there are many well-known access control models (e.g., RBAC), standard access control models are often not suited for handling exceptional situations. The demand to increase the flexibility of access management has been approached mainly via the development of delegation models and break-glass models. This paper presents the results of a literature review of 329 delegation and break-glass approaches. We give an overview of the existing body of scientific literature in these two areas and compare 35 selected approaches in detail. We reveal different ways of providing delegation and break-glass concepts in general as well as in the context of business process management. Moreover, we identify different sub-topics that have not yet been addressed in detail and thus provide opportunities for future research.
Keywords: Access control, Break-glass, Business processes, Delegation
Process-aware business information systems can be configured via process models that define all expected execution paths for each business process (see, e.g., ). In this context, corresponding access control models specify which subjects are authorized to perform the tasks that are included in the business processes (see, e.g., ). While this approach is well suited for process instances that conform to one of the expected (and therefore pre-defined) execution scenarios, it causes problems when dealing with exceptional situations, e.g., when no authorized subject is available to execute a particular task in case of emergency (see, e.g., ). This is because traditional access control policies, such as role-based access control (RBAC) (see, e.g., ), often cannot be configured to adequately address exceptional and unpredictable situations.
Delegation and break-glass policies provide two well-established mechanisms that help to increase the flexibility of access control mechanisms, while at the same time maintaining a certain security level. Delegation policies enable subjects to transfer their tasks, duties, or roles to another subject (see, e.g., [12, 32]). Subsequently, a subject receiving a delegation (the delegatee) will act on behalf of the delegating subject (the delegator). Break-glass policies (see, e.g., [15, 24, 30]) have been introduced to flexibly handle emergency situations by breaking or overriding the standard access permissions in a controlled manner. A break-glass policy allows a subject to perform an action under certain conditions even though he/she was not previously authorized to do so. Due to an increasing interest in flexible access management, a variety of different approaches has been published, offering different features for different application domains. However, the increasing number of such approaches also makes it difficult for organizations to select an approach that fits their needs as well as for researchers to keep an overview of existing literature.
The contribution of this paper is threefold. First, we provide a state-of-the-art overview of approaches for delegation and break-glass policies. We present a survey of 329 publications in this research area (see Sect. 2), providing insight into the development of this field and showing its emerging importance. Second, we compare different approaches for delegation and break-glass policies, distinguishing between approaches that are concerned with delegation and break-glass in general and approaches concerned explicitly with the context of business processes and workflows (see Sects. 3 and 4). Third, by comparing approaches from selected key articles in detail, we provide a foundation for the informed selection of suitable delegation and break-glass models as well as for evaluating future research in this area (see Sect. 5).
2 Development of the Research Area
To provide a better overview of the existing approaches, we have further focused our study by selecting a sub-sample of 35 articles that explicitly aim to evolve approaches for systematic delegation or break-glass procedures. In the following sections, we present an analysis of these approaches by describing for each approach (1) the policy type supported (i.e., delegation or break-glass), (2) the context where the approach can be applied, (3) its main features, (4) the types of entailment constraints supported (focusing on the most prominent examples of entailment constraints, namely separation of duty (SOD) and binding of duty (BOD) constraints), and (5) which kind of modeling support is provided.
3 Comparison of Delegation Approaches
Figures 3 and 4 summarize the results of our comparison of approaches which are concerned with delegation models for roles, permissions, tasks, and duties in an access control or business process context.
In , a permission-based delegation model (PBDM) is presented which allows for the delegation of roles and permissions, using delegation roles. Support for entailment constraints is limited to static separation of duty constraints. In , an extension to PBDM is presented to integrate entailment constraints in permission-based delegation. Shang and Wang  focus on static SOD constraints and briefly address related conflicts. Moreover, they analyze role-based constraints and do not consider task-based constraints. An approach similar to  is presented in , where a capability-based delegation model (CRBAC) based on RBAC96 (see ) is introduced to support cross-domain delegation of roles and permissions in terms of capability transfer. An approach for the model-based specification of role-based delegation and revocation policies via UML is introduced in . The authors use standard UML class and object diagrams for graphically visualizing delegation policies.
Delegation in a business-process or workflow context has received increased attention in recent years (see Sect. 2 and Fig. 4). In , the notion of delegation is extended to allow for conditional delegation. Different types of constraints, such as SOD, are addressed in the context of delegation and three types of conflicts and a runtime allocation algorithm are presented. A formal model for role-based and task-based delegation in workflows using the notions of case and organizational unit is described in , though it does not discuss the detection and resolution of conflicts. Similar approaches without related modeling support and only limited support for conflict detection are also presented in [11, 12]. The effects of some delegation operations on three workflow execution models are described in .
Only a few contributions exist which consider entailment constraints and related conflicts in the context of delegation. Gaaloul et al. [16, 17, 18] present a formal approach for integrating task delegation into the RBAC model which also considers SOD and BOD constraints. The approach presented in [16, 17, 18] does not consider the delegation of duties and does not provide a corresponding modeling extension. Crampton and Khambhammettu  address the satisfiability problem of workflows in the context of constrained delegation and provide an algorithm that determines whether to permit a delegation request. In [33, 36], an approach to model the delegation of roles, tasks, and duties in UML Activity diagrams is introduced. In addition, algorithms are introduced to systematically check for conflicts. The approach considers SOD and BOD and provides resolution strategies to resolve each conflict type.
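The question of whether a delegation request may be permitted under SOD and BOD constraints can be made concrete with a small satisfiability check. The following is an added example, not code from this paper or from any of the cited approaches: it uses a brute-force search rather than the cited algorithms, and the workflow, task names, and users are constructed for illustration.

```python
from itertools import product

# Constructed sample workflow: users authorised per task (roles already resolved).
AUTH = {
    "prepare_order":   {"alice", "bob"},
    "approve_order":   {"bob", "carol"},
    "pay_invoice":     {"carol"},
    "confirm_receipt": {"alice", "bob"},
}
SOD = [("prepare_order", "approve_order"), ("approve_order", "pay_invoice")]
BOD = [("prepare_order", "confirm_receipt")]


def find_plan(auth, sod, bod, fixed):
    """Return one task->user assignment satisfying all constraints, or None."""
    tasks = sorted(auth)
    # A task in `fixed` is already bound to one user; the others range over
    # their authorised users.
    domains = [[fixed[t]] if t in fixed else sorted(auth[t]) for t in tasks]
    for combo in product(*domains):
        plan = dict(zip(tasks, combo))
        if (all(plan[a] != plan[b] for a, b in sod)
                and all(plan[a] == plan[b] for a, b in bod)):
            return plan
    return None


def check_delegation(task, delegator, delegatee, done=None,
                     auth=AUTH, sod=SOD, bod=BOD):
    """Decide a request to delegate `task`; `done` maps executed tasks to users."""
    done = dict(done or {})
    if task in done:
        return False, "task already executed"
    if delegator not in auth[task]:
        return False, "delegator is not authorised for the task"
    granted = {t: set(users) for t, users in auth.items()}
    granted[task].add(delegatee)  # delegatee acts on behalf of the delegator
    plan = find_plan(granted, sod, bod, {**done, task: delegatee})
    if plan is None:
        return False, "delegation leaves no valid completion of the workflow"
    return True, plan
```

In this constructed workflow, delegating confirm_receipt from alice to bob is refused although bob is already authorised for that task: the BOD constraint then forces bob onto prepare_order, which leaves no SOD-compliant approver and payer.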
4 Comparison of Break-Glass Approaches
Several approaches integrate break-glass policies into access control models. For example, the optimistic security principle  aims to handle exceptional cases assuming that any access is legitimate and is thus granted. Monitoring and recording functions are provided to guarantee traceability. These functions are implemented using the Clark-Wilson model (see ). A similar approach is presented by Ardagna et al. , who introduce a break-glass approach based on the definition of emergency policies. If no policy is available, a break-glass override can be granted if the system is in an emergency state and a supervisor can be notified about the override. In both approaches, the enforcement of security policies is retrospective, relying on administrators to detect unreasonable accesses. These approaches cause a significant burden for administrators.
Only a few contributions exist that integrate the concept of break-glass policies into a business process context, although such an integration can be very useful . Wainer et al.  present an RBAC model for workflow systems (W-RBAC). They extend this model via exception handling functionalities that allow for the controlled overriding of entailment constraints in case of emergency. Furthermore, roles hold override privileges according to their level of responsibility. Subject-specific break-glass policies are not supported in the W-RBAC model, and corresponding modeling support is not provided.
Several other approaches exist that deal with process adaptations and process evolutions in order to flexibly handle different types of exceptions in process-aware information systems. For example,  provides a formal model to support dynamic structural changes of process instances. A set of change operations is defined that can be applied by users in order to modify a process instance execution path, while maintaining its structural correctness and consistency. In , change patterns and change support features are identified and several process management systems are evaluated regarding their ability to support process changes. Exception handling via structural adaptations of process models is also considered in . In particular, several correctness criteria and their application to specific process meta models are discussed. All these approaches have in common that processes must be changed in order to handle exceptional situations. A different approach is presented in [34, 35], where the main goal is to maintain the designed process flow, while ensuring that only authorized subjects are allowed to participate in a workflow. Moreover, [34, 35] also offer modeling and tool support for business processes and related break-glass policies.
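The layered decision described above (regular policy, then emergency policy, then a break-glass override tied to the emergency state and supervisor notification, all recorded for retrospective review) can be sketched as follows. This is an added example, not code from this paper or from the cited approaches; the class and field names are hypothetical, and requiring a stated reason for an override is an assumption of this sketch.

```python
from datetime import datetime, timezone


class BreakGlassPDP:
    """Toy policy decision point; all names here are hypothetical."""

    def __init__(self, regular, emergency, notify_supervisor):
        self.regular = set(regular)      # (subject, action, resource) grants
        self.emergency = set(emergency)  # grants valid only in an emergency
        self.notify = notify_supervisor  # callable(request_info) -> bool
        self.emergency_state = False
        self.audit = []                  # append-only trail of every decision

    def _log(self, request, decision, basis, reason=None):
        record = {"time": datetime.now(timezone.utc).isoformat(),
                  "request": request, "decision": decision, "basis": basis,
                  "reason": reason, "needs_review": basis == "break-glass"}
        self.audit.append(record)
        return record

    def decide(self, subject, action, resource, reason=None):
        request = (subject, action, resource)
        if request in self.regular:
            return self._log(request, "permit", "regular")
        if self.emergency_state and request in self.emergency:
            return self._log(request, "permit", "emergency-policy")
        # No policy applies: override only in an emergency, with a stated
        # reason (assumption of this sketch) and a delivered notification.
        if self.emergency_state and reason:
            try:
                delivered = bool(self.notify({"request": request,
                                              "reason": reason}))
            except Exception:
                delivered = False  # fail closed if the supervisor is unreachable
            if delivered:
                return self._log(request, "permit", "break-glass", reason)
            return self._log(request, "deny", "supervisor-unreachable", reason)
        return self._log(request, "deny", "no-policy", reason)

    def pending_reviews(self):
        """Overrides that an administrator still has to assess after the fact."""
        return [r for r in self.audit if r["needs_review"]]
```

The pending_reviews queue is where the administrative burden noted above accumulates: every override is granted first and judged later.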
In this paper, we presented a comparison of different delegation and break-glass models that provide means to systematically increase the flexibility of access control models. Based on a systematic literature review, we performed an in-depth review and a detailed discussion of 35 key articles in these areas. The corresponding comparison includes the essential characteristics of the different approaches and can provide decision support for practitioners and researchers when selecting one of these approaches.
Our work shows that the demand for increasing the flexibility of access control (in general as well as in a business process context) remains a lively and important research topic. So far, break-glass models have been researched to a lesser extent than delegation models. However, break-glass approaches do attract attention especially in domains with high demands for a seamless, uninterrupted system operation, such as hospitals. There are also approaches that aim to combine delegation and break-glass mechanisms, e.g., by allowing automatic delegation in case of emergency .
Furthermore, access control in a business process context has received less attention in the scientific literature. This may be due to an increased complexity that results from the combination of process flows with corresponding access control policies and access control constraints (such as entailment constraints for example). However, given the importance of the process-oriented approaches, additional research in this area would be of high relevance.
We also found that in many approaches formal metamodels are a key research artefact to integrate delegation and break-glass concepts with access control models. In contrast, visual modelling support (e.g., via respective UML extensions) or corresponding tools were rarely presented. This can make some of the approaches difficult to use and implement in practice. The limited research with regard to delegation and break-glass in business processes as well as the lack of modeling support and tool support are relevant directions for further research.
- 1. Alqatawna, J., Rissanen, E., Sadighi, B.: Overriding of access control in XACML. In: Proceedings of the 8th IEEE International Workshop on Policies for Distributed Systems and Networks (2007)
- 3. Atluri, V., Warner, J.: Supporting conditional delegation in secure workflow management systems. In: Proceedings of the 10th ACM Symposium on Access Control Models and Technologies (SACMAT) (2005)
- 4. Barka, E., Sandhu, R.: A role-based delegation model and some extensions. In: Proceedings of the 23rd National Information Systems Security Conference (2000)
- 5. Barka, E., Sandhu, R.: Framework for role-based delegation models. In: Proceedings of the 16th Annual Computer Security Applications Conference (2000)
- 6. Brucker, A.D., Petritsch, H.: Extending access control models with break-glass. In: Proceedings of the 14th ACM Symposium on Access Control Models and Technologies (SACMAT) (2009)
- 7. Carminati, B., Ferrari, E., Guglielmi, M.: Secure information sharing on support of emergency management. In: Proceedings of the International Conference on Privacy, Security, Risk and Trust (2011)
- 8. Carminati, B., Ferrari, E., Guglielmi, M.: SHARE: Secure information sHaring frAmework for emeRgency managemEnt. In: Proceedings of the 29th International Conference on Data Engineering (ICDE) (2013)
- 9. Clark, D.D., Wilson, D.R.: A comparison of commercial and military security policies. In: IEEE Symposium on Security and Privacy (1987)
- 11. Crampton, J., Khambhammettu, H.: Delegation and satisfiability in workflow systems. In: Proceedings of the 13th ACM Symposium on Access Control Models and Technologies (SACMAT) (2008)
- 12. Crampton, J., Khambhammettu, H.: On delegation and workflow execution models. In: Proceedings of the 2008 ACM Symposium on Applied Computing (SAC) (2008)
- 14. Ferreira, A., Chadwick, D., Farinha, P., Correia, R., Zao, G., Chilro, R., Antunes, L.: How to securely break into RBAC: the BTG-RBAC model. In: Proceedings of the 2009 Annual Computer Security Applications Conference (2009)
- 15. Ferreira, A., Cruz-Correia, R., Antunes, L., Farinha, P., Oliveira-Palhares, E., Chadwick, D.W., Costa-Pereira, A.: How to break access control in a controlled manner. In: Proceedings of the 19th IEEE Symposium on Computer-Based Medical Systems (2006)
- 19. Ghorbel-Talbi, M.B., Cuppens, F., Cuppens-Boulahia, N.: Negotiating and delegating obligations. In: Proceedings of the International Conference on Management of Emergent Digital EcoSystems (MEDES) (2010)
- 20. Ben Ghorbel-Talbi, M., Cuppens, F., Cuppens-Boulahia, N., Le Métayer, D., Piolle, G.: Delegation of obligations and responsibility. In: Camenisch, J., Fischer-Hübner, S., Murayama, Y., Portmann, A., Rieder, C. (eds.) SEC 2011. IFIP AICT, vol. 354, pp. 197–209. Springer, Heidelberg (2011)
- 21. Hasebe, K., Mabuchi, M., Matsushita, A.: Capability-based delegation model in RBAC. In: Proceedings of the 15th ACM Symposium on Access Control Models and Technologies (SACMAT) (2010)
- 22. Jalali, S., Wohlin, C.: Systematic literature studies: database searches vs. backward snowballing. In: Proceedings of the ACM-IEEE International Symposium on Empirical Software Engineering and Measurement, ESEM ’12, pp. 29–38. ACM, New York (2012)
- 24. Marinovic, S., Craven, R., Ma, J., Dulay, N.: Rumpole: a flexible break-glass access control model. In: Proceedings of the 16th ACM Symposium on Access Control Models and Technologies (2011)
- 25. Nurcan, S.: A survey on the flexibility requirements related to business processes and modeling artifacts. In: Proceedings of the 41st Annual Hawaii International Conference on System Sciences (2008)
- 26. Povey, D.: Optimistic security: a new access control paradigm. In: Proceedings of the 1999 Workshop on New Security Paradigms (2000)
- 32. Schaad, A., Moffett, J.D.: Delegation of obligations. In: Proceedings of the 3rd International Workshop on Policies for Distributed Systems and Networks (2002)
- 34. Schefer-Wenzl, S., Strembeck, M.: A UML extension for modeling break-glass policies. In: Proceedings of the 5th International Workshop on Enterprise Modelling and Information Systems Architectures (EMISA) (2012)
- 35. Schefer-Wenzl, S., Strembeck, M.: Generic support for RBAC break-glass policies in process-aware information systems. In: Proceedings of the 28th ACM Symposium on Applied Computing (SAC) (2013)
- 36. Schefer-Wenzl, S., Strembeck, M., Baumgrass, A.: An approach for consistent delegation in process-aware information systems. In: Abramowicz, W., Kriksciuniene, D., Sakalauskas, V. (eds.) BIS 2012. LNBIP, vol. 117, pp. 60–71. Springer, Heidelberg (2012)
- 37. Shang, Q., Wang, X.: Constraints for permission-based delegations. In: Proceedings of the 8th IEEE International Conference on Computer and Information Technology Workshops (2008)
- 45. Zhang, X., Oh, S., Sandhu, R.: PBDM: a flexible delegation model in RBAC. In: Proceedings of the 8th ACM Symposium on Access Control Models and Technologies (2003)