ISBN: (print) 9781581134964
In this paper we present a novel scenario-driven role engineering process for RBAC roles. The scenario concept is of central significance for the presented approach. Due to the strong human factor in role engineering, scenarios are a good means to drive the process. We use scenarios to derive permissions and to define tasks. Our approach considers changeability issues and enables the straightforward incorporation of changes into affected models. Finally, we discuss the experiences we gained by applying the scenario-driven role engineering process in three case studies.
ISBN: (print) 9781581134964
Scope: a variety of things are expressed under the heading of access control: permission assignments, constraints, activations, transition, hierarchies, etc. What things really need to be expressed?
Concepts: What modeling concepts are available to express these things? Where are we in understanding the usability of these models?
Complexity-flexibility tradeoff: How do we make trade-offs between the flexibility of expression (expressive power) and applying more usable concepts? Can this be measured?
Domain specificity: Improving ease of use often involves increasing the level of the specification using domain-specific techniques. What techniques are possible? How can we compare the effectiveness of these techniques?
Composition: How can the modularity of access control policies be leveraged? Is there any modularity?
Completeness: How do we integrate access control effectively with support for audit and intrusion detection?
ISBN: (print) 9781581134964
As organizations implement information strategies that call for sharing access to resources in the networked environment, mechanisms must be provided to protect the resources from adversaries. The proposed delegation framework addresses the issue of how to advocate selective information sharing in role-based systems while minimizing the risks of unauthorized access. We introduce a systematic approach to specify delegation and revocation policies using a set of rules. We demonstrate the feasibility of our framework through policy specification, enforcement, and a proof-of-concept implementation on specific domains, e.g. the healthcare environment. We believe that our work can be applied to organizations that rely heavily on collaborative tasks.
ISBN: (print) 9781581134964
A Generalized Temporal Role Based Access Control (GTRBAC) model that allows specification of a comprehensive set of temporal constraints for access control has recently been proposed. The model constructs allow one to specify various temporal constraints on role, user-role assignments and role-permission assignments. However, temporal constraints on role enablings and role activations can have various implications on a role hierarchy. In this paper, we present an analysis of the effects of GTRBAC temporal constraints on a role hierarchy and introduce various kinds of temporal hierarchies. In particular, we show that there are certain distinctions that need to be made in permission inheritance and role activation semantics in order to capture all the effects of GTRBAC constraints such as role enablings and role activations on a role hierarchy.
ISBN: (print) 9781581134964
Role-based access control (RBAC) is recognized as an excellent model for access control in an enterprise environment. In large enterprises, effective RBAC administration is a major issue. ARBAC97 is a well-known solution for decentralized RBAC administration. ARBAC97 authorizes administrative roles by means of 'role ranges' and 'prerequisite conditions'. Although attractive and elegant in their own right, we will see that these mechanisms have significant *** propose an improved role administration model named ARBAC02 to overcome the weaknesses of ARBAC97. ARBAC02 adopts the organization unit for new user and permission pools independent of role or role hierarchy. It uses a refined prerequisite condition. In addition, we present a bottom-up approach to permission-role administration in contrast to the top-down approach of ARBAC97.
ISBN: (print) 9781581134964
The need for access control in a hierarchy arises in several different contexts. One such context is managing the information of an organization where the users are divided into different security classes depending on who has access to what. Several cryptographic solutions have been proposed to address this problem --- the solutions are based on generating cryptographic keys for each security class such that the key for a lower level security class depends on the key for the security class that is higher up in the hierarchy. Most solutions use complex cryptographic techniques: integrating these into existing systems may not be trivial. Others have impractical requirement: if a user at a security level wants to access data at lower levels, then all intermediate nodes must be traversed. Moreover, if there is an access control policy that does not conform to the hierarchical structure, such policy cannot be handled by existing solutions. We propose a new solution that overcomes the above mentioned shortcomings. Our solution not only addresses the problem of access control in a hierarchy but also can be used for general cases. It is a scheme similar to the RSA cryptosystem and can be easily incorporated in existing systems.
ISBN: (print) 9781581134964
In this paper we develop the concept of Usage control (UCON) that encompasses traditional access control, trust management, and digital rights management and goes beyond them in its definition and scope. While usage control concepts have been mentioned off and on in the security literature for some time, there has been no systematic treatment so far. By unifying these three areas UCON offers a promising approach for the next generation of access control. Traditional access control has focused on a closed system where all users are known and primarily utilizes a server-side reference monitor within the system. Trust management has been introduced to cover authorization for strangers in an open environment such as the Internet. Digital rights management has dealt with client-side control of digital information usage. Each of these areas is motivated by its own target problems. Innovations in information technology and business models are creating new security and privacy issues which require elements of all three areas. To deal with these in a systematic unified manner we propose the new UCON model. UCON enables finer-grained control over usage of digital objects than that of traditional access control policies and models. For example, print once as opposed to unlimited prints. Unlike traditional access control or trust management, it covers both centrally controllable environment and an environment where central control authority is not available. UCON also deals with privacy issues in both commercial and non-commercial environments. In this paper we first discuss access control, trust management, and digital rights management and describe general concepts of UCON in the information security discipline. Then we define components of the UCON model and discuss how authorizations and access controls can be applied in the UCON model. Next we demonstrate some applications of the UCON model and develop further details. We use several examples during these discussions to sh