DOI: 10.1145/775412.775416

Cooperative role-based administration

Published: 02 June 2003

Abstract

In large organizations, the administration of access privileges (such as the assignment of an access right to a user in a particular role) is handled cooperatively by distributed administrators acting in various capacities. A quorum may be necessary, or a veto may be possible, for such a decision. In this paper we present two major contributions. First, we develop a Role-Based Access Control (RBAC) approach for specifying distributed administration requirements and procedures between administrators or administration teams, extending earlier work on distributed (modular) authorization. While a comprehensive specification in such a language is conceivable, it would be quite tedious to evaluate or analyze its operational aspects and properties in practice. For this reason, as the second contribution, we create a new class of extended Petri Nets called Administration Nets, such that any RBAC specification of (cooperative) administration requirements (given in terms of predicate logic formulas) can be embedded into an Administration Net. This net behaves within the constraints specified by the logical formulas and, at the same time, explicitly exhibits all needed operational details so as to allow for an efficient and comprehensive formal analysis of administrative behavior. We introduce the new concepts and illustrate their use in several examples. While Administration Nets are much more refined and (behaviorally) explicit than work-flow systems, our work also provides a constructive step towards novel work-flow management tools.


Published In

SACMAT '03: Proceedings of the eighth ACM symposium on Access control models and technologies
June 2003
246 pages
ISBN:1581136811
DOI:10.1145/775412

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Petri-Nets
  2. composability
  3. modularity
  4. work-flow

Qualifiers

  • Article

Conference

SACMAT03

Acceptance Rates

SACMAT '03 Paper Acceptance Rate 23 of 63 submissions, 37%;
Overall Acceptance Rate 177 of 597 submissions, 30%

Cited By

  • (2014) CooPeD. Computers and Security, 47:C (41-65). DOI: 10.1016/j.cose.2014.06.003. Online publication date: 1-Nov-2014
  • (2007) Administration in role-based access control. Proceedings of the 2nd ACM symposium on Information, computer and communications security (127-138). DOI: 10.1145/1229285.1229305. Online publication date: 20-Mar-2007
  • (2005) Master Integrity Principle for Effective Management of Role Hierarchy. The KIPS Transactions:PartC, 12C:7 (981-988). DOI: 10.3745/KIPSTC.2005.12C.7.981. Online publication date: 1-Dec-2005
  • (2005) User-managed access control for health care systems. Proceedings of the Second VDLB international conference on Secure Data Management (63-72). DOI: 10.1007/11552338_5. Online publication date: 2-Sep-2005
  • (2005) A credential-based approach for facilitating automatic resource sharing among ad-hoc dynamic coalitions. Proceedings of the 19th annual IFIP WG 11.3 working conference on Data and Applications Security (252-266). DOI: 10.1007/11535706_19. Online publication date: 7-Aug-2005
  • (2004) Role-based access control in ambient and remote space. Proceedings of the ninth ACM symposium on Access control models and technologies (21-30). DOI: 10.1145/990036.990040. Online publication date: 2-Jun-2004
  • (2004) Automatic enforcement of access control policies among dynamic coalitions. Proceedings of the First international conference on Distributed Computing and Internet Technology (369-378). DOI: 10.1007/978-3-540-30555-2_43. Online publication date: 22-Dec-2004
  • (2004) An Administrative Model for Role Graphs. Data and Applications Security XVII (302-315). DOI: 10.1007/1-4020-8070-0_22. Online publication date: 2004
