ABSTRACT
For flexible and dynamic resource management in environments where users collaborate to fulfill their common tasks, various attempts at modeling delegation of authority have been proposed using the role-based access control (RBAC) model. However, to achieve a higher level of collaboration in large-scale networked systems, it is worthwhile supporting cross-domain delegation with low administration cost. For that purpose, we propose a capability-role-based access control (CRBAC) model, by integrating a capability-based access control mechanism into the RBAC96 model. Central to this scheme is the mapping of capabilities to permissions as well as to roles in each domain, thereby realizing the delegation of permissions and roles by capability transfer. By taking this approach of capability-based access control, our model has the advantages of flexibility and reduced administration costs. We also demonstrate the effectiveness of our model by using examples of various types of delegation in clinical information systems.
- V. Atluri and J. Warner. Supporting conditional delegation in secure workflow management systems, Proceedings of the 10th ACM Symposium on Access Control Models and Technologies (SACMAT'05), pp.49--58, 2005. Google ScholarDigital Library
- E. Barka and R. Sandhu. A Role-based Delegation Model and Some Extensions. Proceedings of the 23rd National Information Systems Security Conference, pp.101--114, 2000.Google Scholar
- E. Barka and R. Sandhu. Role-Based Delegation Model/Hierarchical Roles, Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC'04), pp.396--404, 2004. Google ScholarDigital Library
- D. W. Chadwick and A. Otenko. The PERMIS X.509 Role Based Privilege Management Infrastructure, Proceedings of the 10th IFIP Open Conference on Communications and Multimedia Security (CMS'06), pp.67--86, 2006.Google ScholarDigital Library
- E. M. Clarke, O Grumberg, and D. A. Peled. Model Checking, MIT Press, 2000.Google ScholarDigital Library
- J. Crampton and H. Khambhammettu. Delegation in Role-Based Access Control, Proceedings of the 11th European Symposium on Research in Computer Security (ESORICS'06), LNCS vol.4189, pp.174--191, 2006. Google ScholarDigital Library
- R. Geambasu, M. Balazinska, S. D. Gribble, and M. Levy. HomeViews: Peer-to-Peer Middleware for Personal Data Sharing Applications, Proceedings of the ACM SIGMOD International Conference on Management of Data, pp.235--246, 2007. Google ScholarDigital Library
- H. Gomi, M. Hatakeyama, S. Hosono, and S. Fujita. A Delegation Framework for Federated Identity Management, Proceedings of the ACM Workshop on Digital Identity Management (DIM'05), pp.94--103, 2005. Google ScholarDigital Library
- L. Gong. A Secure Identity-Based Capability System, IEEE Symposium on Security and Privacy, pp.56--63, 1989.Google ScholarCross Ref
- H. M. Levy. Capability-Based Computer Systems, Digital Equipment Corporation, 1984. Google ScholarDigital Library
- B. C. Neuman. Proxy-Based Authorization and Accounting for Distributed Systems, Proceedings of the 13th International Conference on Distributed Computing Systems, pp.283--291, 1993.Google ScholarCross Ref
- Q. Pham, J. Reid, A. McCullagh, and E. Dawson. On a Taxonomy of Delegation, the FIFP International Information Security Conference (IFIP/SEC-2009), pp.353--363, 2009.Google Scholar
- J. T. Regan and C. D. Jensen. Capability File Names: Separating Authorization from User Management in an Internet File System, Proceedings of the USENIX Security Symposium, pp.211--233, 2001. Google ScholarDigital Library
- R. Sandhu, E. Coyne, H. Feinstein, and C. Youman. Role-Based Access Control Models, IEEE Computer, vol.29, no.2, pp.38--47, 1996. Google ScholarDigital Library
- L. Snyder. Formal Models of Capability-Based Protection Systems, IEEE Trans. on Computers, vol.c-30, no.3, pp.172--181, 1981. Google ScholarDigital Library
- K. Sohr, M. Drouineaud, and G-J. Ahn. Formal Specification of Role--based Security Policies for Clinical Information Systems, Proceedings of the 20th Annual ACM Symposium on Applied Computing (SAC'05), pp.332--339, 2005. Google ScholarDigital Library
- J. G. Steiner, B. C. Neuman, and J. I. Schiller. Kerberos: An Authentication Service for Open Network Systems, Proceedings of the Winter 1988 USENIX Conference, pp.191--201, 1988.Google Scholar
- J. Wainer and A Kumar. A Fine-grained, Controllable, User to User Delegation Method in RBAC, Proceedings of the 10th ACM Symposium on Access Control Models and Technologies (SACMAT'05), pp.59--66, 2005. Google ScholarDigital Library
- L. Zhang, G. Ahn, B. T. Chu. A rule-based framework for role based delegation, Proceedings of the 6th ACM Symposium on Access Control Models and Technologies (SACMAT'01), pp.153--162, 2001. Google ScholarDigital Library
- L. Zhang, G. Ahn, and B. T. Chu. A Role-Based Delegation Framework for Healthcare Information Systems, Proceedings of the 7th ACM Symposium on Access Control Models and Technologies (SACMAT'02), pp.125--134, 2001. Google ScholarDigital Library
- X. Zhang, S. Oh, and R. Sandhu. PBDM: A Flexible Delegation Model in RBAC, Proceedings of the 8th ACM Symposium on Access Control Models and Technologies (SACMAT'03), pp.149--157, 2003. Google ScholarDigital Library
Index Terms
- Capability-based delegation model in RBAC
Recommendations
PBDM: a flexible delegation model in RBAC
SACMAT '03: Proceedings of the eighth ACM symposium on Access control models and technologiesRole-based access control (RBAC) is recognized as an efficient access control model for large organizations. Most organizations have some business rules related to access control policy. Delegation of authority is among these rules. RBDM0 and RDM2000 ...
A fine-grained, controllable, user-to-user delegation method in RBAC
SACMAT '05: Proceedings of the tenth ACM symposium on Access control models and technologiesThis paper addresses the issues surrounding user-to-user delegation in RBAC. We show how delegations can be incorporated into the RBAC model in a simple and straightforward manner. A special feature of the model is that it allows fine-grained control ...
Capability-Role-Based Delegation in Workflow Systems
EUC '10: Proceedings of the 2010 IEEE/IFIP International Conference on Embedded and Ubiquitous ComputingVarious security models for supporting delegation in workflow systems have been proposed to achieve flexible access control in collaborative business processes. Since workflow systems come into their own when controlling large-scale business processes ...
Comments