Advanced Permission-Role Relationship in Role-Based Access Control

  • Conference paper
Information Security and Privacy (ACISP 2008)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 5107)

Abstract

Permission-role assignment is an important issue in role-based access control (RBAC). Two types of problems may arise in permission-role assignment. One is related to the authorization granting process: conflicting permissions may be granted to a role, and as a result, users with the role may have or derive a high level of authority. The other is related to authorization revocation: when a permission is revoked from a role, the role may still have the permission from other roles. In this paper, we discuss granting and revocation models related to mobile and immobile memberships between permissions and roles, then propose an authorization granting algorithm to check conflicts and help allocate permissions without compromising security. To the best of our knowledge, the new revocation models, local and global revocation, have not been studied before. The local and global revocation algorithms based on relational algebra and operations provide a rich variety. We also apply the new algorithms to an anonymity scalable payment scheme.

This research is supported by an ARC Discovery Grant DP0663414.

Editor information

Yi Mu, Willy Susilo, Jennifer Seberry

Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Li, M., Wang, H., Plank, A., Yong, J. (2008). Advanced Permission-Role Relationship in Role-Based Access Control. In: Mu, Y., Susilo, W., Seberry, J. (eds) Information Security and Privacy. ACISP 2008. Lecture Notes in Computer Science, vol 5107. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-70500-0_29

  • DOI: https://doi.org/10.1007/978-3-540-70500-0_29

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-69971-2

  • Online ISBN: 978-3-540-70500-0

  • eBook Packages: Computer Science, Computer Science (R0)
