Abstract
Recently, the Role Based Access Control (RBAC) model has emerged as a promising alternative to the conventional access control models, MAC and DAC. RBAC is more general than those traditional models, as was shown by Osborn et al. [17]; however, mapping a role-based system to a valid MAC configuration is not always possible, because certain combinations of permissions included in a role's effective privileges may cause information flow. Given a role-based graph in which a role's permissions refer to labeled data objects, Osborn et al. showed how to find the conflicts that result from information flow, but they did not suggest a solution for these conflicts and did not handle user-role assignments for the resolved scheme. In this paper, we assume a more general model of permission conflicts than MAC. We introduce an algorithm that handles information flow conflicts in a given role-based graph, corrects the role-based graph if needed, and proposes a consistent user-role assignment. As RBAC and information flow are becoming extremely important in Web-based information systems, this algorithm is highly relevant.
References
Ahn, G.J.: Specification and Classification of Role-Based Authorization Policies. IEEE Computer Society, Los Alamitos (2003)
Belokosztolszki, A., Eyers, D., Moody, K.: Policy Contexts: Controlling Information Flow in Parameterised RBAC. IEEE Computer Society Press, Los Alamitos (2003)
Belsis, P., Gritzalis, S.: A scalable Security Architecture enabling coalition formation between autonomous domains. In: Proceedings of ISSPIT 2005, Athens, Greece (2005)
Bertino, E., Ferrari, E., Atluri, V.: The Specification and Enforcement of Authorization Constraints in Workflow Management Systems. ACM Trans. Inf. Systems. Security 2(1), 65–104 (1999)
Bertino, E., Joshi, J., Bhatti, R., Ghafoor, A.: Access-Control Language for Multidomain Environments. IEEE Internet Computing 8(6), 40–50 (2004)
Christofides, N.: An Algorithm for the Chromatic Number of a Graph. Computer J. 14, 38–39 (1971)
Cormen, T., Leiserson, C., Rivest, R.: Introduction to Algorithms, vol. 83(89), pp. 506–539. MIT Press, Cambridge (1990)
Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D., Chandramouli, R.: Proposed NIST Standard for Role-Based Access Control. ACM Transactions on Information and System Security 4(3), 224–274 (2001)
Gramm, J., Guo, J., Hüffner, F., Niedermeier, R.: Data Reduction, Exact and Heuristic Algorithms for Clique Cover. In: Proceedings of the 8th Workshop on Algorithm Engineering and Experiments (ALENEX 2006), Miami, USA (January 2006)
Ionita, C.M., Osborn, S.: Privilege administration for the role graph model. In: Proc. IFIP WG11.3 Working Conference on Database Security (July 2002)
Joshi, J., Bertino, E., Shafiq, B., Ghafoor, A.: Dependencies and Separation of Duty Constraints in GTRBAC. In: SACMAT 2003, June 2-3 (2003)
Moodahi, I., Gudes, E., Lavee, O., Meisels, A.: A Secure Workflow Model Based on Distributed Constrained Role and Task Assignment for the Internet. In: López, J., Qing, S., Okamoto, E. (eds.) ICICS 2004. LNCS, vol. 3269, pp. 171–186. Springer, Heidelberg (2004)
Moodahi, I., Gudes, E., Meisels, A.: A three tier architecture for Role/User assignment for the Internet (submitted for a journal publication)
Myers, A.C., Liskov, B.: A Decentralized Model for Information Flow Control. In: Proceedings of the 16th ACM Symposium on Operating Systems Principles, Saint-Malo, France (October 1997)
Nyanchama, M., Osborn, S.: The Role Graph Model and Conflict of Interest. ACM Transactions on Information and Systems Security 2(1), 3–33 (1999)
Osborn, S.: Information Flow Analysis of an RBAC system. In: SACMAT 2002, June 3-4 (2002)
Osborn, S., Sandhu, R., Munawer, Q.: Configuring Role-Based Access Control to enforce Mandatory and Discretionary access control policies. ACM Trans. Information and system security 3(2), 1–23 (2000)
Samarati, P., Bertino, E., Ciampichetti, A., Jajodia, S.: Information Flow Control in Object-Oriented Systems. IEEE Trans. Knowl. Data Eng. 9(4), 524–538 (1997)
Sandhu, R.: Lattice-based access control models. IEEE Computer 26(11), 9–19 (1993)
Sandhu, R.: Role Hierarchies and constraints for lattice-based Access Controls. In: Proc. Fourth European on Research in Computer Security, Rome, Italy, September 25-27 (1996)
Sandhu, R., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. IEEE Computer 29(2), 38–47 (1996)
Skiena, S.: Finding a Vertex Coloring, 5.5.3 in Implementing Discrete Mathematics: Combinatorics and Graph Theory with Mathematica, pp. 141, 214–215. Addison-Wesley, Reading (1990)
Wang, H., Osborn, S.: An Administrative Model for Role Graphs. In: Proc. IFIP WG11.3 Working Conference on Database Security, Estes Park, Colorado (2003)
Wilf, H.: Backtrack: An O(1) Expected Time Algorithm for the Graph Coloring Problem. Info. Proc. Let. 18, 119–121 (1984)
© 2006 IFIP International Federation for Information Processing
Cite this paper
Tuval, N., Gudes, E. (2006). Resolving Information Flow Conflicts in RBAC Systems. In: Damiani, E., Liu, P. (eds) Data and Applications Security XX. DBSec 2006. Lecture Notes in Computer Science, vol 4127. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11805588_11
DOI: https://doi.org/10.1007/11805588_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-36796-3
Online ISBN: 978-3-540-36799-4