On the formal definition of separation-of-duty policies and their composition

Gligor, Virgil D.; Gavrila, Serban I.; Ferraiolo, David F.

doi:10.1109/secpri.1998.674833

Cited by 158 publications

(135 citation statements)

References 6 publications

Supporting

Mentioning

130

Contrasting

Unclassified

Order By: Relevance

“…Authorization constraints may need to be imposed on the RBAC functions and relations in order to prevent the information misuse and fraudulent activities. In the literature, several kinds of authorization constraints have been identified such as various types of static and dynamic SOD constraints [7,8,9]; constraints on delegation [10]; cardinality constraints [3]; context constraints [10,11].…”

Section: Rbac and Authorization Constraintsmentioning

confidence: 99%

“…Specifically, advanced RBAC concepts like role-based authorization constraints are a powerful means for laying out higher-level organizational rules [7]. Hence, we define an RBAC policy as hierarchical RBAC in the sense of the RBAC standard [14] plus a set of organizational rules where each rule corresponds to a rolebased authorization constraint, such as separation of duty (SOD) constraints [7,8,9], cardinality constraints [3], and context constraints [10,11].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Enforcing Role-Based Access Control Policies in Web Services with UML and OCL

Sohr

Mustafa

Bao

et al. 2008

2008 Annual Computer Security Applications Conference (ACSAC)

View full text Add to dashboard Cite

Role-based access control (RBAC) is a powerful means for laying out and developing higher-level organizational policies such as separation of duty, and for simplifying the security management process. One of the important aspects of RBAC is authorization constraints that express such organizational policies. While RBAC has generated a great interest in the security community, organizations still seek a flexible and effective approach to impose role-based authorization constraints in their security-critical applications. In this paper, we present a Web Services-based authorization framework that can be employed to enforce organization-wide authorization constraints. We describe a generic authorization engine, which supports organization-wide authorization constraints and acts as a central policy decision point within the authorization framework. This authorization engine is implemented by means of the USE system, a validation tool for UML models and OCL constraints. Using this system, we also demonstrate how the authorization constraints can be specified in OCL and then be implemented by USE.

show abstract

Section: Rbac and Authorization Constraintsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Enforcing Role-Based Access Control Policies in Web Services with UML and OCL

Sohr

Mustafa

Bao

et al. 2008

2008 Annual Computer Security Applications Conference (ACSAC)

View full text Add to dashboard Cite

show abstract

“…However, due to the fact that we consider here only one snapshot of the system, we have no notion of time. Hence, authorisation constraints that consider the execution history such as history-based or object-based dynamic SoD [10] cannot be adequately expressed.…”

Section: History-based Constraintsmentioning

confidence: 99%

“…Dynamic object-based SoD roughly speaking means that a user must not act upon an object that the same user has previously acted upon. Other dynamic SoD constraints enumerated in [10] can clearly be expressed in TOCL, too.…”

Section: History-based Constraintsmentioning

confidence: 99%

Specification and Validation of Authorisation Constraints Using UML and OCL

Sohr

Ahn

Gogolla

et al. 2005

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Authorisation constraints can help the policy architect design and express higher-level security policies for organisations such as financial institutes or governmental agencies. Although the importance of constraints has been addressed in the literature, there does not exist a systematic way to validate and test authorisation constraints. In this paper, we attempt to specify non-temporal constraints and historybased constraints in Object Constraint Language (OCL) which is a constraint specification language of Unified Modeling Language (UML) and describe how we can facilitate the USE tool to validate and test such policies. We also discuss the issues of identification of conflicting constraints and missing constraints.

show abstract

“…Role-based access control (RBAC) is a flexible and policy-neutral access control technology and is a promising access control technology for the modern computing environment [1,3,6,16]. In RBAC, permissions(each permission is a pair of objects and operations) are associated with roles and users are assigned to appropriate roles thereby acquiring the roles' permissions.…”

Section: Introductionmentioning

confidence: 99%

Advanced Permission-Role Relationship in Role-Based Access Control

Wang

Plank

et al.

Information Security and Privacy

View full text Add to dashboard Cite

Abstract. Permission-role assignment is an important issue in rolebased access control (RBAC). There are two types of problems that may arise in permission-role assignment. One is related to authorization granting process. Conflicting permissions may be granted to a role, and as a result, users with the role may have or derive a high level of authority. The other is related to authorization revocation. When a permission is revoked from a role, the role may still have the permission from other roles. In this paper, we discuss granting and revocation models related to mobile and immobile memberships between permissions and roles, then provide proposed authorization granting algorithm to check conflicts and help allocate the permissions without compromising the security. To our best knowledge, the new revocation models, local and global revocation, have not been studied before. The local and global revocation algorithms based on relational algebra and operations provide a rich variety. We also apply the new algorithms to an anonymity scalable payment scheme.

show abstract

On the formal definition of separation-of-duty policies and their composition

Cited by 158 publications

References 6 publications

Enforcing Role-Based Access Control Policies in Web Services with UML and OCL

Enforcing Role-Based Access Control Policies in Web Services with UML and OCL

Specification and Validation of Authorisation Constraints Using UML and OCL

Advanced Permission-Role Relationship in Role-Based Access Control

Contact Info

Product

Resources

About