DOI: 10.1145/2914642.2914651
Research article, SACMAT conference proceedings

Start Here: Engineering Scalable Access Control Systems

Published: 06 June 2016

Abstract

Role-based Access Control (RBAC) is a popular solution for implementing information security; however, there is no pervasive methodology for producing scalable access control systems for large organizations with hundreds or thousands of employees. As a result, ten engineers will likely arrive at ten different solutions to the same problem, where there is no right or wrong answer but there is both an immediate and a long-term cost. Moreover, they would have difficulty communicating the important aspects of their design implementations to each other. This is an interesting deficiency because, despite their diversity, large organizations are built upon two key concepts, roles and responsibilities, where a role like Departmental Chair is identified and assigned responsibilities. In this paper, our objective is to introduce ORGODEX, a new model and practical methodology for engineering scalable RBAC systems in large organizations where employees require access to information on a need-to-know basis. First, we motivate the requirement for a new RBAC dichotomy, distinguishing between roles and responsibilities. Next, we introduce our new model for describing and reasoning about RBAC systems with this new dichotomy. Finally, we produce a new iterative methodology for engineering scalable access control systems.



Published In

SACMAT '16: Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies
June 2016
248 pages
ISBN:9781450338028
DOI: 10.1145/2914642
© 2016 Association for Computing Machinery, Inc. ACM acknowledges that this contribution was co-authored by an affiliate of the Canadian National Government. As such, the Crown in Right of Canada retains an equal interest in the copyright. Reprint requests should be forwarded to ACM, and reprints must include clear attribution to ACM and the National Research Council Canada (NRC).

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. complexity
  2. least privilege
  3. organizational structure
  4. role-based access control
  5. scalability

Conference

SACMAT 2016

Acceptance Rates

SACMAT '16 Paper Acceptance Rate 18 of 55 submissions, 33%;
Overall Acceptance Rate 177 of 597 submissions, 30%

Cited By

  • (2022) Ethereum Blockchain-Based Authentication Approach for Data Sharing in Cloud Storage Model. Cybernetics and Systems, 54(6):961-984. DOI: 10.1080/01969722.2022.2112544. Online publication date: 22-Sep-2022.
  • (2021) Fine-grained Access Control for Time-Series Databases using NGAC. 2021 IEEE 19th International Conference on Industrial Informatics (INDIN), pages 1-8. DOI: 10.1109/INDIN45523.2021.9557414. Online publication date: 21-Jul-2021.
  • (2021) A Blockchain-Based Multi-layer Infrastructure for Securing Healthcare Data on Cloud. Congress on Intelligent Systems, pages 383-395. DOI: 10.1007/978-981-33-6984-9_31. Online publication date: 2-Jun-2021.
  • (2020) Authentication-based Access Control and Data Exchanging Mechanism of IoT Devices in Fog Computing Environment. Wireless Personal Communications. DOI: 10.1007/s11277-020-07834-w. Online publication date: 14-Oct-2020.
  • (2018) Hardening web applications using a least privilege DBMS access model. Proceedings of the Fifth Cybersecurity Symposium, pages 1-6. DOI: 10.1145/3212687.3212863. Online publication date: 9-Apr-2018.
  • (2018) ORGODEX: Authorization as a service (AaaS). 2018 Annual IEEE International Systems Conference (SysCon), pages 1-8. DOI: 10.1109/SYSCON.2018.8369532. Online publication date: Apr-2018.
  • (2018) ORGODEX: Service Portfolios for the Cloud. 2018 IEEE 11th International Conference on Cloud Computing (CLOUD), pages 887-890. DOI: 10.1109/CLOUD.2018.00128. Online publication date: Jul-2018.
  • (2018) Policy Engineering in RBAC and ABAC. From Database to Cyber Security, pages 24-54. DOI: 10.1007/978-3-030-04834-1_2. Online publication date: 30-Nov-2018.
  • (2017) BBDS: Blockchain-Based Data Sharing for Electronic Medical Records in Cloud Environments. Information, 8(2):44. DOI: 10.3390/info8020044. Online publication date: 17-Apr-2017.
