Vijay Karamcheti - One of the best experts on this subject based on the ideXlab platform.
- dRBAC: Distributed Role-Based Access Control for Dynamic Coalition Environments
  2008. Co-authors: Edward Keenan, Vijay Karamcheti.
  Abstract: Distributed Role-Based Access Control (dRBAC) is a scalable, decentralized trust-management and access-control mechanism for systems that span multiple administrative domains. dRBAC utilizes PKI identities to define trust domains, roles to define controlled activities, and role delegation across domains to represent permissions to these activities. The mapping of controlled actions to roles enables their namespaces to serve as policy roots. dRBAC distinguishes itself from previous approaches by providing three features: (1) third-party delegation of roles from outside a domain's namespace, relying upon an explicit delegation of assignment; (2) modulation of transferred permissions using scalar-valued attributes associated with roles; and (3) continuous monitoring of trust relationships over long-lived interactions. This paper describes the dRBAC model and its scalable implementation using a graph approach to credential discovery and validation.
- dRBAC: Distributed Role-Based Access Control for Dynamic Coalition Environments
  International Conference on Distributed Computing Systems, 2002. Co-authors: Eric Freudenthal, Tracy Pesin, Lawrence Port, Edward Keenan, Vijay Karamcheti.
  Abstract: Distributed Role-Based Access Control (dRBAC) is a scalable, decentralized trust-management and access-control mechanism for systems that span multiple administrative domains. dRBAC utilizes PKI identities to define trust domains, roles to define controlled activities, and role delegation across domains to represent permissions to these activities. The mapping of controlled actions to roles enables their namespaces to serve as policy roots. dRBAC distinguishes itself from previous approaches by providing three features: (1) third-party delegation of roles from outside a domain's namespace, relying upon an explicit delegation of assignment; (2) modulation of transferred permissions using scalar-valued attributes associated with roles; and (3) continuous monitoring of trust relationships over long-lived interactions. The paper describes the dRBAC model and its scalable implementation using a graph approach to credential discovery and validation.
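Both dRBAC abstracts above rest on the same mechanism: credentials form a delegation graph, a request is authorized by discovering a valid chain from the resource's role to the requester, and scalar attributes narrow what a chain transfers. The block below is an added example written for this page, not code from the dRBAC paper or its implementation. The credential shape, the rule that a non-owner may issue a credential only if it already holds the role with the assignment right, the multiplicative treatment of the scalar attribute, and every domain, role and principal name are assumptions made for the demonstration.

```python
"""Delegation-graph credential discovery in the style of dRBAC (added example).

Simplified model, not the dRBAC implementation: a credential says `issuer`
delegates `role` (named in its owner's namespace, "Domain.Role") to `subject`,
which is either a principal or another role (role-to-role delegation across
domains). A scalar attribute in (0, 1] modulates the transferred permission
and is multiplied along a chain, so delegation can only narrow it.
Third-party delegation (issuer is not the namespace owner) is honoured only
if the issuer itself holds the role together with the assignment right.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    issuer: str               # principal that signed the credential
    role: str                 # namespaced role, e.g. "Hospital.Doctor"
    subject: str              # principal, or a role when delegating role-to-role
    attr: float               # scalar attribute modulating the permission, 0 < attr <= 1
    may_assign: bool = False  # subject receives the right to assign this role further


def owner(role: str) -> str:
    """Namespace owner of a role: the domain before the first dot."""
    return role.split(".", 1)[0]


def is_role(name: str) -> bool:
    """Roles are namespaced ('Domain.Role'); bare names are principals."""
    return "." in name


def discover(credentials):
    """Compute the closure of the delegation graph.

    Returns {role: {principal: (effective_attr, may_assign)}}. Iterates to a
    fixpoint because the validity of a third-party credential depends on
    memberships discovered in earlier rounds.
    """
    holders = {}

    def record(role, principal, attr, may_assign):
        members = holders.setdefault(role, {})
        cur = members.get(principal)
        new = (attr, may_assign) if cur is None else (max(cur[0], attr), cur[1] or may_assign)
        if new != cur:
            members[principal] = new
            return True
        return False

    changed = True
    while changed:
        changed = False
        for c in credentials:
            if c.issuer == owner(c.role):
                scale = 1.0                      # namespace owner: full authority over its roles
            else:
                held = holders.get(c.role, {}).get(c.issuer)
                if held is None or not held[1]:
                    continue                     # reject: issuer lacks delegation of assignment
                scale = held[0]                  # a delegate cannot grant more than it holds
            if is_role(c.subject):
                # everyone holding the subject role receives c.role; attributes compound
                recipients = [(p, a) for p, (a, _) in holders.get(c.subject, {}).items()]
            else:
                recipients = [(c.subject, 1.0)]
            for principal, a in recipients:
                if record(c.role, principal, scale * c.attr * a, c.may_assign):
                    changed = True
    return holders


def authorize(holders, principal, role, minimum_attr=0.0):
    """Effective attribute if `principal` holds `role` at or above `minimum_attr`, else None."""
    held = holders.get(role, {}).get(principal)
    if held is None or held[0] < minimum_attr:
        return None
    return held[0]


# Constructed sample credentials (assumed names, not from the paper).
CREDENTIALS = [
    Credential("Hospital", "Hospital.Doctor",  "Clinic.Physician", 1.0),        # cross-domain, role-to-role
    Credential("Clinic",   "Clinic.Physician", "alice",            0.5),        # alice at half strength
    Credential("Clinic",   "Clinic.Physician", "Clinic.Resident",  0.8),
    Credential("Clinic",   "Clinic.Resident",  "bob",              1.0),
    Credential("Hospital", "Hospital.Doctor",  "Clinic",           1.0, True),  # delegation of assignment
    Credential("Clinic",   "Hospital.Doctor",  "dave",             0.9),        # valid third-party delegation
    Credential("Hospital", "Hospital.Doctor",  "Lab",              1.0),        # Lab holds the role, may not assign it
    Credential("Lab",      "Hospital.Doctor",  "eve",              1.0),        # rejected: Lab lacks assignment right
    Credential("mallory",  "Hospital.Doctor",  "mallory",          1.0),        # rejected: forged authority
]

if __name__ == "__main__":
    h = discover(CREDENTIALS)
    for who in ("alice", "bob", "dave", "eve", "mallory"):
        print(who, authorize(h, who, "Hospital.Doctor"))
```

The two rejected credentials are the cases that matter in a coalition: mallory simply asserts a role in someone else's namespace, and Lab holds the role but was never given the assignment right, so neither chain is discovered. The minimum_attr argument shows the attribute modulation: bob reaches Hospital.Doctor at 0.8 through the resident chain and passes a 0.75 threshold, alice at 0.5 does not.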
Mahesh V Tripunitara
- Mitigating the Intractability of the User Authorization Query Problem in Role-Based Access Control (RBAC)
  Network and System Security, 2012. Co-authors: Nima Mousavi, Mahesh V Tripunitara.
  Abstract: We address the User Authorization Query problem (UAQ) in Role-Based Access Control (RBAC), which relates to sessions that a user creates to exercise permissions. Prior work has shown that UAQ is intractable (NP-hard). We give a precise formulation of UAQ as a joint optimization problem, and observe that in general, UAQ remains in NP. We then investigate two techniques to mitigate its intractability. (1) We efficiently reduce UAQ to boolean satisfiability in conjunctive normal form, a well-known NP-complete problem for which solvers exist that are efficient for large classes of instances. We point out that a prior attempt is not a reduction, is inefficient, and provides only limited support for joint optimization. (2) We show that UAQ is fixed-parameter polynomial in the upper-bound set of permissions under reasonable assumptions. We discuss an open-source implementation of (1) and (2), based on which we have conducted an empirical assessment.
- An Empirical Assessment of Approaches to Distributed Enforcement in Role-Based Access Control (RBAC)
  Conference on Data and Application Security and Privacy, 2011. Co-authors: Marko Komlenovic, Mahesh V Tripunitara, Toufik Zitouni.
  Abstract: We consider the distributed access enforcement problem for Role-Based Access Control (RBAC) systems. Such enforcement has become important with RBAC's increasing adoption, and the proliferation of data that needs to be protected. We assess six approaches, each of which has either been proposed in the literature, or is a natural candidate for access enforcement. The approaches are: directed graph, access matrix, authorization recycling, CPOL, Bloom filter and cascade Bloom filter. We consider encodings of RBAC sessions in each, and propose and justify a benchmark for the assessment. We present our results from an empirical assessment of time, space and administrative efficiency based on the benchmark. We conclude with inferences we can make regarding the best approach to access enforcement for particular RBAC deployments based on our assessment.
- Efficient Access Enforcement in Distributed Role-Based Access Control (RBAC) Deployments
  Symposium on Access Control Models and Technologies, 2009. Co-authors: Mahesh V Tripunitara, Bogdan Carbunar.
  Abstract: We address the distributed setting for enforcement of a centralized Role-Based Access Control (RBAC) protection state. We present a new approach for time- and space-efficient access enforcement. Underlying our approach is a data structure that we call a cascade Bloom filter. We describe our approach, provide details about the cascade Bloom filter, its associated algorithms, soundness and completeness properties for those algorithms, and provide an empirical validation for distributed access enforcement of RBAC. We demonstrate that even in low-capability devices such as WiFi network access points, we can perform thousands of access checks in a second.
- Security Analysis in Role-Based Access Control
  ACM Transactions on Information and System Security, 2006. Co-authors: Ninghui Li, Mahesh V Tripunitara.
  Abstract: The administration of large Role-Based Access Control (RBAC) systems is a challenging problem. In order to administer such systems, decentralization of administration tasks by the use of delegation is an effective approach. While the use of delegation greatly enhances flexibility and scalability, it may reduce the control that an organization has over its resources, thereby diminishing a major advantage RBAC has over discretionary access control (DAC). We propose to use security analysis techniques to maintain desirable security properties while delegating administrative privileges. We give a precise definition of a family of security analysis problems in RBAC, which is more general than safety analysis that is studied in the literature. We show that two classes of problems in the family can be reduced to similar analysis in the RT[L∩] role-based trust-management language, thereby establishing an interesting relationship between RBAC and the RT framework. The reduction gives efficient algorithms for answering most kinds of queries in these two classes and establishes the complexity bounds for the intractable cases.
- Security Analysis in Role-Based Access Control
  Symposium on Access Control Models and Technologies, 2004. Co-authors: Ninghui Li, Mahesh V Tripunitara.
  Abstract: Delegation is often used in administrative models for Role-Based Access Control (RBAC) systems to decentralize administration tasks. While the use of delegation greatly enhances flexibility and scalability, it may reduce the control that an organization has over its resources, thereby diminishing a major advantage RBAC has over Discretionary Access Control (DAC). We propose to use security analysis techniques to maintain desirable security properties while delegating administrative privileges. We give a precise definition of a family of security analysis problems in RBAC, which is more general than safety analysis that is studied in the literature. We also show that two classes of problems in the family can be reduced to similar analysis in the RT0 trust-management language, thereby establishing an interesting relationship between RBAC and the RT (Role-Based Trust-management) framework. The reduction gives efficient algorithms for answering most kinds of queries in these two classes and establishes the complexity bounds for the intractable cases.
Tomas Cerny
- On Security Level Usage in Context-Aware Role-Based Access Control
  ACM Symposium on Applied Computing, 2016. Co-authors: Michal Trnka, Tomas Cerny.
  Abstract: A huge contemporary trend is adding context awareness to software applications. It allows both a better user experience and many useful features for the application owner. Nowadays, there are various approaches enabling particular context awareness, but none of them concerns security. We tackle this problem and describe it further in the paper. Our solution extends role-based access control with certain context-awareness elements. Based on existing solutions, we propose our own lightweight, universal solution, which allows instant enhancement of current RBAC even in existing applications. The uniqueness of our solution is based on using security levels, which are granted to a user based on his context. Security levels represent how much the user can be trusted and are determined during the user's login procedure. The levels are used as an additional security constraint, so to access resources in the application a user needs not only the right permission granted through roles but also the corresponding level.
Elisa Bertino
- A Generalized Temporal Role-Based Access Control Model
  IEEE Transactions on Knowledge and Data Engineering, 2005. Co-authors: James Joshi, Elisa Bertino, U Latif, Arif Ghafoor.
  Abstract: Role-Based Access Control (RBAC) models have generated great interest in the security community as a powerful and generalized approach to security management. In many practical scenarios, users may be restricted to assume roles only at predefined time periods. Furthermore, roles may only be invoked on prespecified intervals of time depending upon when certain actions are permitted. To capture such dynamic aspects of a role, a temporal RBAC (TRBAC) model has been recently proposed. However, the TRBAC model addresses the role enabling constraints only. In this work, we propose a generalized temporal Role-Based Access Control (GTRBAC) model capable of expressing a wider range of temporal constraints. In particular, the model allows expressing periodic as well as duration constraints on roles, user-role assignments, and role-permission assignments. In an interval, activation of a role can further be restricted as a result of numerous activation constraints including cardinality constraints and maximum active duration constraints. The GTRBAC model extends the syntactic structure of the TRBAC model and its event and trigger expressions subsume those of TRBAC. Furthermore, GTRBAC allows expressing role hierarchies and separation of duty (SoD) constraints for specifying fine-grained temporal semantics.
- TRBAC: A Temporal Role-Based Access Control Model
  ACM Transactions on Information and System Security, 2001. Co-authors: Elisa Bertino, Piero A Bonatti, Elena Ferrari.
  Abstract: Role-Based Access Control (RBAC) models are receiving increasing attention as a generalized approach to access control. Roles may be available to users at certain time periods, and unavailable at others. Moreover, there can be temporal dependencies among roles. To tackle such dynamic aspects, we introduce Temporal-RBAC (TRBAC), an extension of the RBAC model. TRBAC supports periodic role enabling and disabling---possibly with individual exceptions for particular users---and temporal dependencies among such actions, expressed by means of role triggers. Role trigger actions may be either immediately executed, or deferred by an explicitly specified amount of time. Enabling and disabling actions may be given a priority, which is used to solve conflicting actions. A formal semantics for the specification language is provided, and a polynomial safeness check is introduced to reject ambiguous or inconsistent specifications. Finally, a system implementing TRBAC on top of a conventional DBMS is presented.
- TRBAC: A Temporal Role-Based Access Control Model
  Proceedings of the fifth ACM workshop on Role-based access control, 2000. Co-authors: Elisa Bertino, Piero A Bonatti, Elena Ferrari.
  Abstract: Role-Based Access Control (RBAC) models are receiving increasing attention as a generalized approach to access control. Roles can be active at certain time periods and non-active at others; moreover, there can be activation dependencies among roles. To tackle such dynamic aspects, we introduce Temporal-RBAC (TRBAC), an extension of the RBAC model. TRBAC supports both periodic activations and deactivations of roles, and temporal dependencies among such actions, expressed by means of role triggers, whose actions may be either executed immediately, or be deferred by an explicitly specified amount of time. Both triggers and periodic activations/deactivations may have a priority associated with them, in order to resolve conflicting actions. A formal semantics for the specification language is provided, and a polynomial safeness check is introduced to reject ambiguous or inconsistent specifications. Finally, an implementation architecture is outlined.
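The three temporal-RBAC abstracts above (GTRBAC and the two TRBAC papers) share a core that is easy to lose in prose: periodic enabling and disabling of roles, triggers that fire further actions immediately or after a delay, priorities that resolve an enable/disable collision, and a safeness check that rejects ambiguous specifications. The block below is an added example written for this page, not code from either paper or their implementations. It is a deliberately small simulator: time is an hour index within one week, the periodic expressions are plain predicates rather than TRBAC's calendar syntax, and the equal-priority collision is detected at run time rather than by the papers' static check. The roles and the specification are constructed for the demonstration.

```python
"""Periodic role enabling with triggers and priorities, TRBAC-style (added example).

Simplified simulator written for this page, not the TRBAC implementation.
Time is an hour index within one week (0 = Monday 00:00, 167 = Sunday 23:00).
A Periodic fires its action at the hours its predicate accepts; a Trigger
fires its action when a given action is executed, either in the same instant
(delay 0) or deferred by `delay` hours. When an enable and a disable of the
same role collide in one instant, the higher priority wins; an equal-priority
collision is reported as ambiguous, a run-time stand-in for the paper's
static safeness check.
"""
from dataclasses import dataclass
from typing import Callable, Tuple

Action = Tuple[str, str]  # ("enable" | "disable", role)


@dataclass
class Periodic:
    fires_at: Callable[[int], bool]  # hour-of-week predicate
    action: Action
    priority: int = 0


@dataclass
class Trigger:
    on: Action        # action whose execution fires the trigger
    then: Action      # action to run
    delay: int = 0    # hours of deferral; 0 = same instant
    priority: int = 0


class AmbiguousSpecification(Exception):
    """Enable and disable of one role collide at equal priority, or immediate triggers loop."""


def daily_at(hour):
    return lambda t: t % 24 == hour


def weekend_at(hour):
    return lambda t: t % 24 == hour and t // 24 >= 5


def simulate(periodics, triggers, hours=168):
    """Return {hour: frozenset(roles enabled after that hour's events)}."""
    enabled = set()
    deferred = {}  # hour -> [(action, priority)]
    history = {}
    for t in range(hours):
        pending = [(p.action, p.priority) for p in periodics if p.fires_at(t)]
        pending += deferred.pop(t, [])
        rounds = 0
        while pending:
            rounds += 1
            if rounds > 16:
                raise AmbiguousSpecification(f"immediate-trigger cycle at hour {t}")
            chosen = {}  # role -> (action, priority): conflict resolution by priority
            for action, prio in pending:
                role = action[1]
                cur = chosen.get(role)
                if cur is None or prio > cur[1]:
                    chosen[role] = (action, prio)
                elif prio == cur[1] and cur[0] != action:
                    raise AmbiguousSpecification(f"{role}: enable/disable collide at hour {t}, priority {prio}")
            pending = []
            for action, _ in chosen.values():
                kind, role = action
                (enabled.add if kind == "enable" else enabled.discard)(role)
                for tr in triggers:
                    if tr.on == action:
                        if tr.delay == 0:
                            pending.append((tr.then, tr.priority))      # same instant, next round
                        else:
                            deferred.setdefault(t + tr.delay, []).append((tr.then, tr.priority))
        history[t] = frozenset(enabled)
    return history


def is_ambiguous(periodics, triggers):
    """True if the specification trips the collision or cycle check within a week."""
    try:
        simulate(periodics, triggers)
    except AmbiguousSpecification:
        return False or True
    return False


# Constructed specification (assumed roles and hours, not from the paper).
SPEC_PERIODICS = [
    Periodic(daily_at(8),   ("enable",  "Doctor"), priority=1),
    Periodic(daily_at(18),  ("disable", "Doctor"), priority=1),
    Periodic(weekend_at(8), ("disable", "Doctor"), priority=2),  # outranks the daily enable on weekends
]
SPEC_TRIGGERS = [
    Trigger(on=("enable",  "Doctor"), then=("enable",  "NurseOnDuty")),           # immediate
    Trigger(on=("disable", "Doctor"), then=("disable", "NurseOnDuty"), delay=2),  # nurses cover two more hours
]

if __name__ == "__main__":
    h = simulate(SPEC_PERIODICS, SPEC_TRIGGERS)
    for hour in (7, 8, 18, 20, 5 * 24 + 9):
        print(hour, sorted(h[hour]))
```

On a weekday the Doctor enable at 08:00 immediately enables NurseOnDuty through the first trigger; the 18:00 disable leaves NurseOnDuty enabled until 20:00 through the deferred trigger. On Saturday both the daily enable and the weekend disable fire at 08:00 and the priority-2 disable wins, so neither role comes up. Swapping in two equal-priority periodics that enable and disable the same role at the same hour makes is_ambiguous return True, which is the class of specification the papers' safeness check exists to reject before deployment.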
Mustafa Allail
- Specification, Validation, and Enforcement of a Generalized Spatio-Temporal Role-Based Access Control Model
  IEEE Systems Journal, 2013. Co-authors: Ramadan Abdunabi, Mustafa Allail.
  Abstract: With the advent of wireless and mobile devices, many new applications are being developed that make use of the spatio-temporal information of a user to provide better functionality. Such applications also necessitate sophisticated authorization models where access to a resource depends on the credentials of the user and also on the location and time of access. Consequently, researchers have extended the traditional access control models, such as Role-Based Access Control, to provide spatio-temporal access control. We improve upon these models by providing additional features that allow us to express constraints that were not possible until now. We express our model using the unified modeling language (UML) and the object constraint language that are the de facto specification languages used by the industry. Our model has numerous features that interact in subtle ways. To this end, we show how the UML-based specification environment tool can be used to analyze the spatio-temporal access control model of an application. We propose an architecture for enforcing our model and provide a protocol that demonstrates how access control can be granted and revoked in our approach. We also develop a prototype of this architecture to demonstrate the feasibility of our approach.