ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Modular authorization and administration
Full text PdfPdf (987 KB)
Source ACM Transactions on Information and System Security (TISSEC) archive
Volume 7 ,  Issue 3  (August 2004) table of contents
Pages: 363 - 391  
Year of Publication: 2004
ISSN:1094-9224
Authors
Horst F. Wedde  University of Dortmund, Dortmund, Germany
Mario Lischka  University of Dortmund, Dortmund, Germany
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 8,   Downloads (12 Months): 68,   Citation Count: 1
Additional Information:

abstract   references   cited by   index terms   review   collaborative colleagues   peer to peer  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1015040.1015042
What is a DOI?

ABSTRACT

In large organizations the administration of access privileges (such as the assignment of access rights to a user in a particular role) is handled cooperatively through distributed administrators in various different capacities. A quorum may be necessary, or a veto may be possible for such a decision. In this paper, we present two major contributions: We develop a role-based access control (RBAC) approach for specifying distributed administration requirements, and procedures between administrators, or administration teams, extending earlier work on distributed (modular) authorization. While a comprehensive specification in such a language is conceivable it would be quite tedious to evaluate, or analyze, their operational aspects and properties in practice. For this reason we create a new class of extended Petri Nets called Administration Nets (Adm-Nets) such that any RBAC specification of (cooperative) administration requirements (given in terms of predicate logic formulas) can be embedded into an Adm-Net. This net behaves within the constraints specified by the logical formulas, and at the same time, it explicitly exhibits all needed operational details such as allowing for an efficient and comprehensive formal analysis of administrative behavior. We introduce the new concepts and illustrate their use in several examples. While Adm-Nets are much more refined and (behaviorally) explicit than workflow systems our work provides for a constructive step towards novel workflow management tools as well. We demonstrate the usefulness of Adm-Nets by modeling typical examples of administration processes concerned with sets of distributed authorization rules.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
Aalst, W. 1998. The application of petri nets to workflow management. J. Circ. Syst. Comput. 8, 1, 21--66.
2
David F. Ferraiolo , Ravi Sandhu , Serban Gavrila , D. Richard Kuhn , Ramaswamy Chandramouli, Proposed NIST standard for role-based access control, ACM Transactions on Information and System Security (TISSEC), v.4 n.3, p.224-274, August 2001  [doi>10.1145/501978.501980]
 
3
Hartmann J. Genrich , Kurt Lautenbach, The Analysis of Distributed Systems by Means of Predicate ? Transition-Nets, Proceedings of the International Sympoisum on Semantics of Concurrent Computation, p.123-147, July 02-04, 1979
 
4
Carlo Ghezzi , Dino Mandrioli , Sandro Morasca , Mauro Pezzè, A Unified High-Level Petri Net Formalism for Time-Critical Systems, IEEE Transactions on Software Engineering, v.17 n.2, p.160-172, February 1991  [doi>10.1109/32.67597]
 
5
Sushil Jajodia , Pierangela Samarati , V. S. Subrahmanian, A Logical Language for Expressing Authorizations, Proceedings of the 1997 IEEE Symposium on Security and Privacy, p.31, May 04-07, 1997
6
Sushil Jajodia , Pierangela Samarati , V. S. Subrahmanian , Eliza Bertino, A unified framework for enforcing multiple access control policies, Proceedings of the 1997 ACM SIGMOD international conference on Management of data, p.474-485, May 11-15, 1997, Tucson, Arizona, United States
7
Martin Kuhlmann , Dalia Shohat , Gerhard Schimpf, Role mining - revealing business roles for security administration using data mining technology, Proceedings of the eighth ACM symposium on Access control models and technologies, June 02-03, 2003, Como, Italy  [doi>10.1145/775412.775435]
 
8
Matunda Nyanchama , Sylvia L. Osborn, Access Rights Administration in Role-Based Security Systems, Proceedings of the IFIP WG11.3 Working Conference on Database Security VII, p.37-56, August 23-26, 1994
9
Sejong Oh , Ravi Sandhu, A model for role administration using organization structure, Proceedings of the seventh ACM symposium on Access control models and technologies, June 03-04, 2002, Monterey, California, USA  [doi>10.1145/507711.507737]
10
Sylvia Osborn , Yuxia Guo, Modeling users in role-based access control, Proceedings of the fifth ACM workshop on Role-based access control, p.31-37, July 26-28, 2000, Berlin, Germany  [doi>10.1145/344287.344299]
11
Ravi Sandhu , Venkata Bhamidipati , Qamar Munawer, The ARBAC97 model for role-based administration of roles, ACM Transactions on Information and System Security (TISSEC), v.2 n.1, p.105-135, Feb. 1999  [doi>10.1145/300830.300839]
 
12
Ravi Sandhu , Qamar Munawer, The ARBAC99 Model for Administration of Roles, Proceedings of the 15th Annual Computer Security Applications Conference, p.229, December 06-10, 1999
 
13
Schiffers, M. and Wedde, H. 1978. Analyzing program solutions of coordination problems by cp-nets. In Proceedings of the 7th Symposium on Mathematical Foundations of Computer Science, A. Mazurkiewicz, ed. Lecture Notes in Computer Science, vol. 64. Springer Verlag, Zakopane, Poland, 416--422.
 
14
Valk, R. 1983. Infinitive behaviour of petri nets. Theo. Comput. Sci. 25, 311--341.
15
Horst F. Wedde , Mario Lischka, Modular authorization, Proceedings of the sixth ACM symposium on Access control models and technologies, p.97-105, May 2001, Chantilly, Virginia, United States  [doi>10.1145/373256.373274]
 
16
Wedde, H. F. and Lischka, M. 2003a. Composing heterogenous access policies between organizations. In Proceedings of the IADIS International Conference e-Society 2003. International Association for Development of the Information Society, Lisbon/Portuagal.
17
Horst F. Wedde , Mario Lischka, Cooperative role-based administration, Proceedings of the eighth ACM symposium on Access control models and technologies, June 02-03, 2003, Como, Italy  [doi>10.1145/775412.775416]
18
H. F. Wedde , Mario Lischka, Role-based access control in ambient and remote space, Proceedings of the ninth ACM symposium on Access control models and technologies, June 02-04, 2004, Yorktown Heights, New York, USA  [doi>10.1145/990036.990040]

CITED BY
Ninghui Li , Ziqing Mao, Administration in role-based access control, Proceedings of the 2nd ACM symposium on Information, computer and communications security, March 20-22, 2007, Singapore

INDEX TERMS

Primary Classification:
  D. Software
  D.4 OPERATING SYSTEMS
      D.4.6 Security and Protection

Additional Classification:
  K. Computing Milieux
  K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS
      K.6.5 Security and Protection (D.4.6, K.4.2)


General Terms:
Management, Security


Keywords:
Modularity, Petri-Nets, composability, work-flow


REVIEW

"Gabriel Mateescu : Reviewer"

This paper addresses the topic of modeling the administration of access privileges to resources, for users belonging to a large organization, whereby the users access resources belonging to multiple units of the organization.

Wedde and Lisch  more...

Collaborative Colleagues:
Horst F. Wedde: colleagues
Mario Lischka: colleagues

Peer to Peer - Readers of this Article have also read:

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player