Advanced Permission-Role Relationship in Role-Based Access Control

  • Min Li
  • Hua Wang
  • Ashley Plank
  • Jianming Yong
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5107)


Permission-role assignment is an important issue in role-based access control (RBAC). Two types of problems may arise in permission-role assignment. The first concerns the authorization granting process: conflicting permissions may be granted to a role, and as a result users holding that role may obtain, or derive through the role hierarchy, a higher level of authority than intended. The second concerns authorization revocation: when a permission is revoked from a role, the role may still hold that permission through other roles it inherits from. In this paper we discuss granting and revocation models based on mobile and immobile memberships between permissions and roles, and propose an authorization granting algorithm that checks for conflicts and helps allocate permissions without compromising security. To the best of our knowledge, the new revocation models, local and global revocation, have not been studied before. The local and global revocation algorithms, expressed in relational algebra and its operations, support a rich variety of revocation semantics. We also apply the new algorithms to an anonymity scalable payment scheme.
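The two problems the abstract describes, conflicting grants amplified by role inheritance and a revocation that leaves the permission reachable through a junior role, can be made concrete with a small role hierarchy. The following is an added example written for this page; it is not the paper's algorithm and does not use its relational-algebra formulation. It assumes a simple model: senior roles inherit the direct permissions of their juniors, a conflict set lists pairs of permissions that no single role may hold (a separation-of-duty constraint), a "local" revocation removes only the direct permission-role assignment, and a "global" revocation also removes the permission from every junior role the revoked role inherits from. The role names, permission names and the `RoleGraph` class are hypothetical.

```python
"""Permission-role granting with conflict checks, plus local and global
revocation over a role hierarchy. Added example; the revocation semantics
are an assumption made for illustration, not the paper's definitions."""


class ConflictError(Exception):
    """Raised when a grant would give some role two mutually exclusive permissions."""


class RoleGraph:
    def __init__(self):
        self.juniors = {}       # role -> roles it directly inherits permissions from
        self.direct = {}        # role -> permissions assigned to it directly
        self.conflicts = set()  # frozenset({p, q}) pairs no single role may hold

    def add_role(self, role, juniors=()):
        self.direct.setdefault(role, set())
        self.juniors.setdefault(role, set()).update(juniors)
        for j in juniors:
            self.add_role(j)

    def add_conflict(self, p, q):
        self.conflicts.add(frozenset((p, q)))

    def below(self, role):
        """role plus every role it inherits from, transitively."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors.get(r, ()))
        return seen

    def above(self, role):
        """Every role that inherits from role, transitively (excluding role)."""
        return {r for r in self.direct if r != role and role in self.below(r)}

    def effective(self, role):
        """Permissions a role holds directly or through inheritance."""
        return set().union(*(self.direct[r] for r in self.below(role)))

    def grant(self, role, perm):
        """Assign perm to role only if neither role nor any senior role would
        end up holding two conflicting permissions (inherited ones included)."""
        for r in {role} | self.above(role):
            for held in self.effective(r):
                if frozenset((perm, held)) in self.conflicts:
                    raise ConflictError(f"{perm} conflicts with {held} held by {r}")
        self.direct[role].add(perm)

    def revoke_local(self, role, perm):
        """Remove only the direct assignment. Returns True if role still holds
        perm through a junior role, i.e. the revocation had no visible effect."""
        self.direct[role].discard(perm)
        return perm in self.effective(role)

    def revoke_global(self, role, perm):
        """Remove perm from role and from every role it inherits from, so no
        inherited copy remains. Returns True if perm is still effective."""
        for r in self.below(role):
            self.direct[r].discard(perm)
        return perm in self.effective(role)


def demo():
    """Constructed scenario: manager > accountant > clerk, with a
    separation-of-duty conflict between posting and approving invoices."""
    g = RoleGraph()
    g.add_role("manager", juniors=["accountant"])
    g.add_role("accountant", juniors=["clerk"])
    g.add_conflict("post_invoice", "approve_invoice")
    g.grant("clerk", "read_ledger")
    g.grant("accountant", "post_invoice")
    out = {}
    try:
        # manager inherits post_invoice, so this grant must be refused
        g.grant("manager", "approve_invoice")
        out["grant_rejected"] = False
    except ConflictError:
        out["grant_rejected"] = True
    # local revocation: manager never held post_invoice directly, still has it
    out["after_local"] = g.revoke_local("manager", "post_invoice")
    # global revocation: strips it from accountant too, so manager loses it
    out["after_global"] = g.revoke_global("manager", "post_invoice")
    g.grant("manager", "approve_invoice")  # no longer conflicts
    out["manager_perms"] = sorted(g.effective("manager"))
    return out


if __name__ == "__main__":
    print(demo())
```

Note the cost of the global form: revoking `post_invoice` from `manager` also removes it from `accountant`, and therefore from any other senior role that reaches `accountant`. That side effect is exactly why a revocation model has to state which memberships it touches, rather than leaving it to the implementation.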


Keywords (machine-generated, not supplied by the authors): relational algebra; revocation model; payment scheme; role assignment; administrative role





Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Min Li (1)
  • Hua Wang (1)
  • Ashley Plank (1)
  • Jianming Yong (2)
  1. Department of Mathematics & Computing, University of Southern Queensland, Australia
  2. School of Information Systems, Faculty of Business, University of Southern Queensland, Australia
