Article

Specifying and enforcing constraints in role-based access control

Author:
Jason Crampton

University of London, Egham, United Kingdom

University of London, Egham, United Kingdom
View Profile

SACMAT '03: Proceedings of the eighth ACM symposium on Access control models and technologiesJune 2003Pages 43–50https://doi.org/10.1145/775412.775419

Published:02 June 2003Publication History

SACMAT '03: Proceedings of the eighth ACM symposium on Access control models and technologies

Pages 43–50

ABSTRACT

Constraints in access control in general and separation of duty constraints in particular are an important area of research. There are two important issues relating to constraints: their specification and their enforcement. We believe that existing separation of duty specification schemes are rather complicated and that the few enforcement models that exist are unlikely to scale well.We examine the assumptions behind existing approaches to separation of duty and present a combined specification and implementation model for a class of constraints that includes separation of duty constraints. The specification model is set-based and has a simpler syntax than existing approaches. We discuss the enforcement of constraints and the relationship between static, dynamic and historical separation of duty constraints. Finally, we propose a model for a scalable role-based reference monitor, based on dynamic access control structures, that can be used to enforce constraints in an efficient manner.

References

Abadi, M., and Fournet, C. Access control based on execution history. In Proceedings of 10th Annual Network and Distributed System Security Symposium (2003). To appear.Google Scholar
Ahn, G.-J., and Sandhu, R. Role-based authorization constraints specification. ACM Transactions on Information and System Security 3, 4 (2000), 207--226. Google ScholarDigital Library
Bell, D., and LaPadula, L. Secure computer systems: Unified exposition and Multics interpretation. Tech. Rep. MTR-2997, Mitre Corporation, Bedford, Massachusetts, 1976.Google ScholarCross Ref
Bertino, E., Ferrari, E., and Atluri, V. The specification and enforcement of authorization constraints in workflow management systems. ACM Transactions on Information and System Security 2, 1 (1999), 65--104. Google ScholarDigital Library
Brewer, D., and Nash, M. The Chinese Wall security policy. In Proceedings of 1989 IEEE Symposium on Security and Privacy (Oakland, California, 1989), IEEE Computer Society Press, pp. 206--214.Google ScholarCross Ref
Clark, D., and Wilson, D. A comparison of commercial and military computer security policies. In Proceedings of 1987 IEEE Symposium on Security and Privacy (Oakland, California, 1987), pp. 184--194.Google ScholarCross Ref
Crampton, J., and Loizou, G. Structural complexity of conflict of interest policies. Tech. Rep. BBKCS-00-07, Birkbeck College, University of London, 2000.Google Scholar
Edjlali, G., Acharya, A., and Chaudhary, V. History-based access control for mobile code. In Proceedings of Fifth ACM Conference on Computer and Communications Security (1998), pp. 38--48. Google ScholarDigital Library
Ferraiolo, D., Sandhu, R., Gavrila, S., Kuhn, D., and Chandramouli, R. Proposed NIST standard for role-based access control. ACM Transactions on Information and System Security 4, 3 (2001), 224--274. Google ScholarDigital Library
Gavrila, S., and Barkley, J. Formal specification for role based access control user/role and role/role relationship management. In Proceedings of Third ACM Workshop on Role-Based Access Control (Fairfax, Virginia, 1998), pp. 81--90. Google ScholarDigital Library
Gligor, V., Gavrila, S., and Ferraiolo, D. On the formal definition of separation-of-duty policies and their composition. In Proceedings of 1998 IEEE Symposium on Research in Security and Privacy (Oakland, California, 1998), pp. 172--183.Google ScholarCross Ref
Jaeger, T., and Tidswell, J. Practical safety in flexible access control models. ACM Transactions on Information and System Security 4, 2 (2001), 158--190. Google ScholarDigital Library
Nyanchama, M., and Osborn, S. The role graph model and conflict of interest. ACM Transactions on Information and System Security 2, 1 (1999), 3--33. Google ScholarDigital Library
Sandhu, R. Transaction control expressions for separation of duties. In Proceedings of 4th Aerospace Computer Security Conference (Orlando, Florida, 1988), pp. 282--286.Google ScholarCross Ref

Index Terms

Specifying and enforcing constraints in role-based access control

Recommendations

Configuring role-based access control to enforce mandatory and discretionary access control policies

Access control models have traditionally included mandatory access control (or lattice-based access control) and discretionary access control. Subsequently, role-based access control has been introduced, along with claims that its mechanisms are general ...
Read More
Role-based authorization constraints specification

Constraints are an important aspect of role-based access control (RBAC) and are often regarded as one of the principal motivations behind RBAC. Although the importance of contraints in RBAC has been recogni zed for a long time, they have not recieved ...
Read More
Delegation in role-based access control

User delegation is a mechanism for assigning access rights available to one user to another user. A delegation can either be a grant or transfer operation. Existing work on delegation in the context of role-based access control models has extensively ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
SACMAT '03: Proceedings of the eighth ACM symposium on Access control models and technologies
June 2003
246 pages
ISBN:1581136811
DOI:10.1145/775412
General Chair:
Elena Ferrari
University of Insubria, Italy
,
Program Chair:
David Ferraiolo
National Institute of Standards & Technology, USA
Copyright © 2003 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 2 June 2003
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
authorization constraint
enforcement context
role-based access control
separation of duty constraint
Qualifiers
- Article
Conference

Acceptance Rates
SACMAT '03 Paper Acceptance Rate23of63submissions,37%Overall Acceptance Rate177of597submissions,30%
More
Upcoming Conference
SACMAT 2024

Sponsor:

sigsac

The 29th ACM Symposium on Access Control Models and Technologies

May 15 - 17, 2024

San Antonio , TX , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 81
  Total Citations
  View Citations
- 1,379
  Total Downloads
- Downloads (Last 12 months)14
- Downloads (Last 6 weeks)2
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Specifying and enforcing constraints in role-based access control

SACMAT '03: Proceedings of the eighth ACM symposium on Access control models and technologies

ABSTRACT

References

Cited By

Index Terms

Recommendations

Configuring role-based access control to enforce mandatory and discretionary access control policies

Role-based authorization constraints specification

Delegation in role-based access control