Negative Authorization


The experts below are selected from a list of 2265 experts worldwide, ranked by the ideXlab platform.

Sushil Jajodia - One of the best experts on this subject based on the ideXlab platform.

  • An extended authorization model for relational databases
    IEEE Transactions on Knowledge and Data Engineering, 1997
    Co-Authors: Elisa Bertino, Pierangela Samarati, Sushil Jajodia
    Abstract:

    We propose two extensions to the authorization model for relational databases defined originally by P.G. Griffiths and B. Wade (1976). The first extension concerns a new type of revoke operation, called the noncascading revoke operation. The original model contains a single, cascading revoke operation, meaning that when a privilege is revoked from a user, a recursive revocation takes place that deletes all authorizations granted by this user that do not have other supporting authorizations. The new type of revocation avoids the recursive revocation of authorizations. The second extension concerns negative authorization, which permits specification of explicit denial for a user to access an object under a particular mode. We also address the management of views and groups with respect to the proposed extensions.

  • Authorizations in relational database management systems
    Computer and Communications Security, 1993
    Co-Authors: Elisa Bertino, Pierangela Samarati, Sushil Jajodia
    Abstract:

    This paper proposes two major extensions to the authorization model for the System R relational database management system. The first extension concerns the revoke operation. The revised model provides for a new type of revoke operation, called noncascading revoke, in addition to the System R cascading revoke operation. Unlike cascading revoke, the noncascading revoke operation does not recursively remove privileges from users. The second extension concerns negative authorization. The details related to its application are specified in the paper.

  • ACM Conference on Computer and Communications Security - Authorizations in relational database management systems
    Proceedings of the 1st ACM conference on Computer and communications security - CCS '93, 1993
    Co-Authors: Elisa Bertino, Pierangela Samarati, Sushil Jajodia

Yu Hai - One of the best experts on this subject based on the ideXlab platform.

  • Research on Description Logic Based Conflict Detection Methods for RB-RBAC Model
    Computer Science, 2006
    Co-Authors: Yu Hai
    Abstract:

    RB-RBAC (Rule-Based RBAC) provides the mechanism to dynamically assign users to roles based on a finite set of authorization rules defined by the enterprise's security policy. These rules may conflict due to negative authorization. We propose a formalization of RB-RBAC in the description logic language ALC, and then present a conflict detection method based on knowledge base consistency. Different methods are suggested to detect conflicts among related rules and among unrelated rules, and they may work cooperatively in one system to provide a more efficient detection service. We also give a simple method to rewrite conflicting rules in order to eliminate policy conflicts.

Zuoquan Lin - One of the best experts on this subject based on the ideXlab platform.

  • An OWL-based approach for RBAC with negative authorization
    Lecture Notes in Computer Science, 2006
    Co-Authors: Nuermaimaiti Heilili, Yang Chen, Chen Zhao, Zhenxing Luo, Zuoquan Lin
    Abstract:

    Access control is an important issue related to security on the Semantic Web. Role-Based Access Control (RBAC) is commonly considered a flexible and efficient model in practice. In this paper, we provide an OWL-based approach for RBAC in the Semantic Web context. First we present an extended model of RBAC with negative authorization, providing a detailed analysis of conflicts. Then we use OWL to formalize the extended model. Additionally, we show how to use an OWL-DL reasoner to detect the potential conflicts in the extended model.

  • KSEM - An OWL-based approach for RBAC with negative authorization
    Knowledge Science Engineering and Management, 2006
    Co-Authors: Nuermaimaiti Heilili, Yang Chen, Chen Zhao, Zhenxing Luo, Zuoquan Lin

Ravi Sandhu - One of the best experts on this subject based on the ideXlab platform.

  • A family of models for rule-based user-role assignment
    2003
    Co-Authors: Mohammad A. Al-kahtani, Ravi Sandhu
    Abstract:

    Conventional role-based access control (RBAC) was designed with a closed enterprise environment in mind, where one or more security officers manually assign users to roles. However, today an increasing number of service-providing enterprises make their services available to users via the Internet. Furthermore, many enterprises have users (i.e. workers and/or clients) whose numbers can be in the hundreds of thousands or millions. In addition, RBAC is being supported by software products designed to serve a large number of clients, such as popular commercial database management systems. All these factors render manual user-to-role assignment a formidable task which is costly and error-prone. An appealing solution is to automate the assignment process. Besides eliminating the drawbacks of its manual counterpart, automatic assignment, particularly in the case of external users (i.e. clients), extends the enterprise-consumer business partnership. In fact some large enterprises have already implemented systems that assign and revoke users automatically, and many of them have achieved 90-95% automation of administration. Our work lays the theoretical foundation for the implementation of the assignment process. It also serves as a benchmark for software implementations. In this dissertation, we describe a family of models called RB-RBAC that extends and modifies RBAC96, a well-known RBAC model, to allow the specification of automatic (implicit) user-role assignment. Model A allows specifying a set of authorization rules that can be used to assign users to roles based on users' attributes. Model B extends Model A to allow specifying negative authorization and mutual exclusion among roles. Model C extends Model A to allow constraint specification. To show the power and usefulness of RB-RBAC, we demonstrate how it can be configured to express Mandatory Access Control (MAC) and Discretionary Access Control (DAC). In addition to the RB-RBAC family, we developed an administrative model, ARB-RBAC, which provides the specification needed to administer users' attributes and authorization rules. Our work demonstrates that it is possible to modify RBAC96 to allow implicit user-role assignment and, at the same time, retain the central features of RBAC96.

  • Rule-based RBAC with negative authorization
    20th Annual Computer Security Applications Conference, 1
    Co-Authors: Mohammad A. Al-kahtani, Ravi Sandhu
    Abstract:

    RBAC has proven to be a flexible and useful access control model in practice. The Rule-Based RBAC family of models was developed based on RBAC to overcome some of its limitations. One particular model of this family, which we call RB-RBAC-ve, introduces the concept of negative authorization to the RBAC arena. This paper provides a more detailed analysis of RB-RBAC-ve. The analysis includes user authorization, conflicts among rules, conflict resolution policies, the impact of negative authorization on role hierarchies, and the enforcement architecture.

Elisa Bertino - One of the best experts on this subject based on the ideXlab platform.

  • An extended authorization model for relational databases
    IEEE Transactions on Knowledge and Data Engineering, 1997
    Co-Authors: Elisa Bertino, Pierangela Samarati, Sushil Jajodia

  • Authorizations in relational database management systems
    Computer and Communications Security, 1993
    Co-Authors: Elisa Bertino, Pierangela Samarati, Sushil Jajodia

  • ACM Conference on Computer and Communications Security - Authorizations in relational database management systems
    Proceedings of the 1st ACM conference on Computer and communications security - CCS '93, 1993
    Co-Authors: Elisa Bertino, Pierangela Samarati, Sushil Jajodia