Security analysis in role-based access control

Ninghui Li, Mahesh V. Tripunitara
2006 ACM Transactions on Privacy and Security  
The administration of large Role-Based Access Control (RBAC) systems is a challenging problem. In order to administer such systems, decentralization of administration tasks by the use of delegation is an effective approach. While the use of delegation greatly enhances flexibility and scalability, it may reduce the control that an organization has over its resources, thereby diminishing a major advantage RBAC has over Discretionary Access Control (DAC). We propose to use security analysis techniques to maintain desirable security properties while delegating administrative privileges. We give a precise definition of a family of security analysis problems in RBAC, which is more general than safety analysis that is studied in the literature. We show that two classes of problems in the family can be reduced to similar analysis in the RT[↞, ∩] role-based trust-management language, thereby establishing an interesting relationship between RBAC and the RT framework. The reduction gives efficient algorithms for answering most kinds of queries in these two classes and establishes the complexity bounds for the intractable cases.

the state γ results in the state γ₁. An example of ψ is the following set of commands.

The set of queries is not explicitly specified in [Harrison et al. 1976]. It is conceivable to consider other classes of queries, e.g., comparing the set of all subjects that have a given right over a given object with another set of subjects. In our framework, HRU with different classes of queries can be viewed as different schemes.

Definition 2. (Security Analysis in an Abstract Setting) Given an access control scheme ⟨Γ, Q, ⊢, Ψ⟩, a security analysis instance takes the form ⟨γ, q, ψ, Π⟩, where γ ∈ Γ is a state, q ∈ Q is a query, ψ ∈ Ψ is a state-change rule, and Π ∈ {∃, ∀} is a quantifier. An instance ⟨γ, q, ψ, ∃⟩ asks whether there exists γ₁ such that γ *

The state of an RBAC system changes when a modification is made to a component of
doi:10.1145/1187441.1187442 fatcat:f6eqrwpz2fhtjkbdkuzmaeslxe