DOI: 10.1145/2841113.2841121

Towards Managed Role Explosion

Published: 08 September 2015

Abstract

Role-based access control (RBAC) is a popular framework for securing information systems in medium to large organizations with hundreds or thousands of employees. However, very few descriptions of existing RBAC systems can be found in the literature. In this paper, we challenge the belief that the number of subjects far exceeds the number of roles found in enterprise systems. First, we analyze the RBAC system found at ACME University, comparing it to a recently introduced fragment of RBAC called bi-sorted role-based access control (RBÄC). Then we investigate how ACME performs access management, using our new hierarchical graphing model to better visualize the subject-permission mappings. Next, we present our results and introduce a new role-centric methodology for dynamically constraining access to information. Finally, we describe how organizational scalability is enhanced at ACME University by decoupling subject and permission management at the expense of managed role explosion.

Published In

NSPW '15: Proceedings of the 2015 New Security Paradigms Workshop
September 2015
163 pages
ISBN:9781450337540
DOI:10.1145/2841113
Publication rights licensed to ACM. ACM acknowledges that this contribution was co-authored by an affiliate of the Canadian National Government. As such, the Crown in Right of Canada retains an equal interest in the copyright. Reprint requests should be forwarded to ACM, and reprints must include clear attribution to ACM and National Research Council Canada (NRC).

In-Cooperation

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Complexity
  2. Least privilege
  3. Organizational structure
  4. Role-based access control
  5. Scalability

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

NSPW '15: New Security Paradigms Workshop
September 8 - 11, 2015
Twente, Netherlands

Acceptance Rates

Overall Acceptance Rate 98 of 265 submissions, 37%

Article Metrics

  • Downloads (last 12 months): 8
  • Downloads (last 6 weeks): 0
Reflects downloads up to 14 Dec 2024

Cited By

  • (2024) Efficiently Supporting Attribute-Based Access Control in Linux. IEEE Transactions on Dependable and Secure Computing, 21(4):2012-2026, July 2024. DOI: 10.1109/TDSC.2023.3299429
  • (2023) SPBAC: A Semantic Policy-based Access Control for Database Query. Proceedings of the 2023 5th World Symposium on Software Engineering, pages 218-222, 22 September 2023. DOI: 10.1145/3631991.3632027
  • (2021) Decentralized Policy Information Points for Multi-Domain Environments. 2021 IEEE 20th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pages 1286-1293, October 2021. DOI: 10.1109/TrustCom53373.2021.00177
  • (2018) Hardening web applications using a least privilege DBMS access model. Proceedings of the Fifth Cybersecurity Symposium, pages 1-6, 9 April 2018. DOI: 10.1145/3212687.3212863
  • (2018) ORGODEX: Authorization as a service (AaaS). 2018 Annual IEEE International Systems Conference (SysCon), pages 1-8, April 2018. DOI: 10.1109/SYSCON.2018.8369532
  • (2018) ORGODEX: Service Portfolios for the Cloud. 2018 IEEE 11th International Conference on Cloud Computing (CLOUD), pages 887-890, July 2018. DOI: 10.1109/CLOUD.2018.00128
  • (2016) Start Here. Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies, pages 113-124, 6 June 2016. DOI: 10.1145/2914642.2914651
