Trust-orBAC: A Trust Access Control Model in Multi-Organization Environments

  • Khalifa Toumi
  • César Andrés
  • Ana Cavalli
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7671)


Access control in Multi-Organization Environment is a critical issue. Classical access control models like Role Based Access Control (RBAC) and Organization Based Access Control (orBAC) need some improvements to be used in such environment, where the collaboration is established between organizations and not directly with the clients. In particular, some characteristics of this scenario are that the users may be unknown in advance and/or the behaviors of the users and the organization may change during the collaboration. Hence, in this context the use of trust management with an access control model is recommended.

To achieve this goal in this paper a new model called Trust-orBAC that adds the notion of trust management to orBAC is presented. This approach consists in defining two dynamic trust vectors: one for the organizations and one for users which are based on different parameters such as knowledge, reputation and experience. Finally, we illustrate the use of Trust-orBAC with a case study.


Access Control Trust Model Security Policy Trust Management Trust Level 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bertino, E., Ferrari, E., Squicciarini, A.: Trust negotiations: Concepts, systems, and languages. Computing in Science & Engineering 6, 27–34 (2004)Google Scholar
  2. 2.
    Chakraborty, S., Ray, I.: TrustBAC: integrating trust relationships into the RBAC model for access control in open systems. In: ACM Symposium on Access Control Models And Technologies, SACMAT 2006. ACM (2006)Google Scholar
  3. 3.
    Cuppens, F., Cuppens-Boulahia, N., Coma, C.: O2O: Virtual Private Organizations to Manage Security Policy Interoperability. In: Bagchi, A., Atluri, V. (eds.) ICISS 2006. LNCS, vol. 4332, pp. 101–115. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  4. 4.
    Abi Haidar, D., Cuppens-Boulahia, N., Cuppens, F., Debar, H.: XeNA: an access negotiation framework using XACML. Annals of Telecommunications 64(1-2), 155–169 (2009)CrossRefGoogle Scholar
  5. 5.
    Jiang, T., Baras, J.S.: Trust credential distribution in autonomic networks. In: Global Communications Conf., GLOBECOM 2008. IEEE (2008)Google Scholar
  6. 6.
    Cavalli, A., Toumi, K., El Maarabani, M.: Role based interoperability security policies in collaborative systems. In: Int. Symposium on Security in Collaboration Technologies and Systems. IEEE Press (2012)Google Scholar
  7. 7.
    El Kalam, A.A., Deswarte, Y., Baina, A., Kaaniche, M.: PolyOrBAC: A security framework for critical infrastructures. Int. Journal on Critical Infrastructure Protection 2(4), 154–169 (2009)CrossRefGoogle Scholar
  8. 8.
    Kamel, M., Laborde, R., Benzekri, A., Barrere, F.: A best practices-oriented approach for establishing trust chains within virtual organisations. In: Enterprise Distributed Object Computing Conf. Workshops, EDOCW 2008. IEEE (2008)Google Scholar
  9. 9.
    Tu Phan Le, C., Cuppens, F., Cuppens, N., Maillé, P.: Evaluating the Trustworthiness of Contributors in a Collaborative Environment. In: Bertino, E., Joshi, J.B.D. (eds.) CollaborateCom 2008. LNICST, vol. 10, pp. 451–460. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  10. 10.
    Liu, D., Zic, J.: Policy-Based Attestation of Service Behavior for Establishing Rigorous Trust. In: Meersman, R., Dillon, T.S., Herrero, P. (eds.) OTM 2010, Part I. LNCS, vol. 6426, pp. 240–255. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  11. 11.
    Mammar, A., Cavalli, A., Jimenez, W., Mallouli, W., de Oca, E.M.: Using Testing Techniques for Vulnerability Detection in C Programs. In: Wolff, B., Zaïdi, F. (eds.) ICTSS 2011. LNCS, vol. 7019, pp. 80–96. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  12. 12.
    Marmol, F.G., Perez, G.M.: Security threats scenarios in trust and reputation models for distributed systems. Computers & Security 28(7), 545–556 (2009)CrossRefGoogle Scholar
  13. 13.
    Komarova, M., Riguidel, M.: Adjustable Trust Model for Access Control. In: Rong, C., Jaatun, M.G., Sandnes, F.E., Yang, L.T., Ma, J. (eds.) ATC 2008. LNCS, vol. 5060, pp. 429–443. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  14. 14.
    Ray, I., Chakraborty, S.: A Vector Model of Trust for Developing Trustworthy Systems. In: Samarati, P., Ryan, P.Y.A., Gollmann, D., Molva, R. (eds.) ESORICS 2004. LNCS, vol. 3193, pp. 260–275. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  15. 15.
    Ray, I., Ray, I., Chakraborty, S.: An interoperable context sensitive model of trust. Journal of Intelligent Information Systems 32(1), 75–104 (2009)CrossRefGoogle Scholar
  16. 16.
    Resnick, P., Zeckhauser, R., Friedman, E., Kuwabara, K.: Reputation systems. Communications of the ACM 43(12) (2000)Google Scholar
  17. 17.
    Sacha, K.: Trust Management Languages and Complexity. In: Meersman, R., Dillon, T., Herrero, P., Kumar, A., Reichert, M., Qing, L., Ooi, B.-C., Damiani, E., Schmidt, D.C., White, J., Hauswirth, M., Hitzler, P., Mohania, M. (eds.) OTM 2011, Part II. LNCS, vol. 7045, pp. 588–604. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  18. 18.
    Toumi, K., Andrés, C., Cavalli, A., El Maarabani, M.: A vector based model approach for defining trust in multi-organization environments. In: 7th Int. Conf. on Risks and Security of Internet and Systems, CRISIS 2012. IEEE Computer Society Press (in press, 2012)Google Scholar
  19. 19.
    Wang, Y., Li, L.: Two-dimensional trust rating aggregations in service-oriented applications. IEEE Transactions on Services Computing 4(4), 257–271 (2011)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Khalifa Toumi
    • 1
  • César Andrés
    • 2
  • Ana Cavalli
    • 1
  1. 1.IT/ TELECOM & Management SudParis, EVRYFrance
  2. 2.Departamento de Sistemas Informáticos y ComputaciónUniversidad Complutense de MadridSpain

Personalised recommendations