
Ontology-Based Delegation of Access Control: An Enhancement to the XACML Delegation Profile

  • Conference paper
  • Published in: Trust, Privacy and Security in Digital Business (TrustBus 2015)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9264)

Abstract

Delegation of access control (i.e. transferring access rights on a resource to another tenant) is crucial to efficiently decentralize access control management in large and dynamic scenarios. Most of the delegation methods available in the literature are based on the RBAC or ABAC models. However, their applicability can be hampered by: (i) the effort required to manage and enforce multiple roles for each delegatee (i.e. access roles and delegated roles) and (ii) the effort required to specify constraints for the enforcement of the delegated roles or policies. Moreover, the performance of these methods decreases proportionally as the number of users increases. To tackle these issues, we propose an ontology-based delegation framework that enhances the standard XACML delegation profile by modeling the delegation logic in an ontological way. By means of the ontology, the operations of delegation, verification and revocation of access rights can be performed on the workflow generated by instantiating the ontology classes and their interrelations according to the entities involved in the delegation. By exploiting these workflows, we propose a cost-effective algorithm that performs delegation operations without involving any human intervention.



Acknowledgements and Disclaimer

This work was partly supported by the European Commission under FP7 project Inter-Trust and H2020 project CLARUS, by the Spanish Ministry of Science and Innovation (through projects CO-PRIVACY TIN2011-27076-C03-01 and ICWT TIN2012-32757) and by the Government of Catalonia (under grant 2014 SGR 537). This work was also made possible through the support of a grant from the Templeton World Charity Foundation. The opinions expressed in this paper are those of the authors and do not necessarily reflect the views of UNESCO or the Templeton World Charity Foundation.

Author information

Corresponding author: Malik Imran Daud.


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Daud, M.I., Sánchez, D., Viejo, A. (2015). Ontology-Based Delegation of Access Control: An Enhancement to the XACML Delegation Profile. In: Fischer-Hübner, S., Lambrinoudakis, C., López, J. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2015. Lecture Notes in Computer Science, vol 9264. Springer, Cham. https://doi.org/10.1007/978-3-319-22906-5_2

  • DOI: https://doi.org/10.1007/978-3-319-22906-5_2
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-22905-8
  • Online ISBN: 978-3-319-22906-5
  • eBook Packages: Computer Science (R0)
