Caching and Auditing in the RPPM Model

  • Jason Crampton
  • James Sellwood
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8743)


Crampton and Sellwood recently introduced a variant of relationship-based access control based on the concepts of relationships, paths and principal matching, to which we will refer as the RPPM model. In this paper, we show that the RPPM model can be extended to provide support for caching of authorization decisions and enforcement of separation of duty policies. We show that these extensions are natural and powerful. Indeed, caching provides far greater advantages in RPPM than it does in most other access control models and we are able to support a wide range of separation of duty policies.


access control path condition relationship principal matching authorization caching auditing separation of duty Chinese Wall 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Abadi, M., Fournet, C.: Access control based on execution history. In: NDSS. The Internet Society (2003)Google Scholar
  2. 2.
    Borders, K., Zhao, X., Prakash, A.: CPOL: high-performance policy evaluation. In: Atluri, V., Meadows, C., Juels, A. (eds.) ACM Conference on Computer and Communications Security, pp. 147–157. ACM (2005)Google Scholar
  3. 3.
    Brewer, D.F.C., Nash, M.J.: The Chinese Wall security policy. In: IEEE Symposium on Security and Privacy, pp. 206–214. IEEE Computer Society (1989)Google Scholar
  4. 4.
    Carminati, B., Ferrari, E., Perego, A.: Enforcing access control in web-based social networks. ACM Trans. Inf. Syst. Secur. 13(1) (2009)Google Scholar
  5. 5.
    Cheng, Y., Park, J., Sandhu, R.S.: Relationship-based access control for online social networks: Beyond user-to-user relationships. In: SocialCom/PASSAT, pp. 646–655. IEEE (2012)Google Scholar
  6. 6.
    Cheng, Y., Park, J., Sandhu, R.: A user-to-user relationship-based access control model for online social networks. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 8–24. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  7. 7.
    Crampton, J., Sellwood, J.: Caching and auditing in the RPPM model. CoRR abs/1407.7841 (2014)Google Scholar
  8. 8.
    Crampton, J., Sellwood, J.: Path conditions and principal matching: a new approach to access control. In: Osborn, S.L., Tripunitara, M.V., Molloy, I. (eds.) SACMAT, pp. 187–198. ACM (2014)Google Scholar
  9. 9.
    Edjlali, G., Acharya, A., Chaudhary, V.: History-based access control for mobile code. In: Vitek, J., Jensen, C.D. (eds.) Secure Internet Programming. LNCS, vol. 1603, pp. 413–431. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  10. 10.
    Fong, P.W.L.: Relationship-based access control: protection model and policy language. In: Sandhu, R.S., Bertino, E. (eds.) CODASPY, pp. 191–202. ACM (2011)Google Scholar
  11. 11.
    Fong, P.W.L., Mehregan, P., Krishnan, R.: Relational abstraction in community-based secure collaboration. In: Sadeghi, A.R., Gligor, V.D., Yung, M. (eds.) ACM Conference on Computer and Communications Security, pp. 585–598. ACM (2013)Google Scholar
  12. 12.
    Gligor, V.D., Gavrila, S.I., Ferraiolo, D.F.: On the formal definition of separation-of-duty policies and their composition. In: IEEE Symposium on Security and Privacy, pp. 172–183. IEEE Computer Society (1998)Google Scholar
  13. 13.
    Kohler, M., Brucker, A.D., Schaad, A.: Proactive caching: Generating caching heuristics for business process environments. In: CSE (3), pp. 297–304. IEEE Computer Society (2009)Google Scholar
  14. 14.
    Kohler, M., Fies, R.: Proactive caching - a framework for performance optimized access control evaluations. In: POLICY, pp. 92–94. IEEE Computer Society (2009)Google Scholar
  15. 15.
    Krukow, K., Nielsen, M., Sassone, V.: A logical framework for history-based access control and reputation systems. Journal of Computer Security 16(1), 63–101 (2008)Google Scholar
  16. 16.
    Simon, R.T., Zurko, M.E.: Separation of duty in role-based environments. In: CSFW, pp. 183–194. IEEE Computer Society (1997)Google Scholar
  17. 17.
    Wei, Q., Crampton, J., Beznosov, K., Ripeanu, M.: Authorization recycling in hierarchical rbac systems. ACM Trans. Inf. Syst. Secur. 14(1), 3 (2011)CrossRefGoogle Scholar
  18. 18.
    Zhang, R., Artale, A., Giunchiglia, F., Crispo, B.: Using description logics in relation based access control. In: Grau, B.C., Horrocks, I., Motik, B., Sattler, U. (eds.) Description Logics. CEUR Workshop Proceedings, vol. 477, (2009)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Jason Crampton
    • 1
  • James Sellwood
    • 1
  1. 1.Royal Holloway University of LondonEghamUnited Kingdom

Personalised recommendations