Authorization recycling in RBAC systems

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Authorization recycling in RBAC systems

Full text

Pdf (473 KB)

Source

Symposium on Access Control Models and Technologies archive
Proceedings of the 13th ACM symposium on Access control models and technologies table of contents

Estes Park, CO, USA

SESSION: Role based access control table of contents

Pages 63-72

Year of Publication: 2008

ISBN:978-1-60558-129-3

Authors

Qiang Wei	University of British Columbia
Jason Crampton	Royal Holloway, University of London
Konstantin Beznosov	University of British Columbia
Matei Ripeanu	University of British Columbia

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 15, Downloads (12 Months): 139, Citation Count: 1

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1377836.1377848 What is a DOI?

ABSTRACT

As distributed applications increase in size and complexity, traditional authorization mechanisms based on a single policy decision point are increasingly fragile because this decision point represents a single point of failure and a performance bottleneck. Authorization recycling is one technique that has been used to address these challenges.

This paper introduces and evaluates the mechanisms for authorization recycling in RBAC enterprise systems. The algorithms that support these mechanisms allow precise and approximate authorization decisions to be made, thereby masking possible failures of the policy decision point and reducing its load. We evaluate these algorithms analytically and using a prototype implementation. Our evaluation results demonstrate that authorization recycling can improve the performance of distributed access control mechanisms.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	ANSI. ANSI INCITS 359-2004 for role based access control, 2004.
	2	Lujo Bauer , Scott Garriss , Michael K. Reiter, Distributed Proving in Access-Control Systems, Proceedings of the 2005 IEEE Symposium on Security and Privacy, p.81-95, May 08-11, 2005 [doi>10.1109/SP.2005.9]
	3	BELL, D., AND LAPADULA, L. Secure computer systems: A mathematical model. Tech. Rep. MTR-2547, Volume II, Mitre Corporation, Bedford, Massachusetts, 1973.
	4	BELL, D., AND LAPADULA, L. Secure computer systems: Mathematical foundations. Tech. Rep. MTR-2547, Volume I, Mitre Corporation, Bedford, Massachusetts, 1973.
	5	Konstantin (Kosta) Beznosov, Flooding and recycling authorizations, Proceedings of the 2005 workshop on New security paradigms, September 20-23, 2005, Lake Arrowhead, California [doi>10.1145/1146269.1146285]
	6	Kevin Borders , Xin Zhao , Atul Prakash, CPOL: high-performance policy evaluation, Proceedings of the 12th ACM conference on Computer and communications security, November 07-11, 2005, Alexandria, VA, USA [doi>10.1145/1102120.1102142]
	7	BRESLAU, L., CAO, P., FAN, L., PHILLIPS, G., AND SHENKER, S. Web caching and Zipf-like distributions: Evidence and implications. In Proceedings of the Conference on Computer Communications (INFOCOM) (1999), pp. 126--134.
	8	Jason Crampton , Wing Leung , Konstantin Beznosov, The secondary and approximate authorization model and its application to Bell-LaPadula policies, Proceedings of the eleventh ACM symposium on Access control models and technologies, June 07-09, 2006, Lake Tahoe, California, USA [doi>10.1145/1133058.1133075]
	9	DEMICHIEL, L. G., YALÇINALP, L. Ü., AND KRISHNAN, S. Enterprise JavaBeans Specification, Version 2.0. Sun Microsystems, 2001.
	10	ENTRUST. GetAccess design and administration guide. Tech. rep., Entrust, September 20 1999.
	11	FERRAIOLO, D., AND KUHN, R. Role-based access controls. In Proceedings of the 15th NIST-NCSC National Computer Security Conference (Baltimore, MD, USA, 1992), National Institute of Standards and Technology/National Computer Security Center, pp. 554--563.
	12	Barry W. Johnson, An introduction to the design and analysis of fault-tolerant systems, Fault-tolerant computer system design, Prentice-Hall, Inc., Upper Saddle River, NJ, 1996
	13	Zbigniew Kalbarczyk , Ravishankar K. Iyer , Long Wang, Application Fault Tolerance with Armor Middleware, IEEE Internet Computing, v.9 n.2, p.28-37, March 2005 [doi>10.1109/MIC.2005.31]
	14	Günter Karjoth, Access control with IBM Tivoli access manager, ACM Transactions on Information and System Security (TISSEC), v.6 n.2, p.232-257, May 2003 [doi>10.1145/762476.762479]
	15	MARKOFF, J., AND HANSELL, S. Google's not-so-very-secret weapon, 2006.
	16	Amihai Motro, An Access Authorization Model for Relational Databases Based on Algebraic Manipulation of View Definitions, Proceedings of the Fifth International Conference on Data Engineering, p.339-347, February 06-10, 1989
	17	NETEGRITY. Siteminder concepts guide. Tech. rep., Netegrity, 2000.
	18	V. Nicomette , Y. Deswarte, An Authorization Scheme For Distributed Object Systems, Proceedings of the 1997 IEEE Symposium on Security and Privacy, p.21, May 04-07, 1997
	19	OMG. Common object services specification, security service specification v1.8, 2002.
	20	Shariq Rizvi , Alberto Mendelzon , S. Sudarshan , Prasan Roy, Extending query rewriting techniques for fine-grained access control, Proceedings of the 2004 ACM SIGMOD international conference on Management of data, June 13-18, 2004, Paris, France [doi>10.1145/1007568.1007631]
	21	Arnon Rosenthal , Edward Sciore, Administering permissions for distributed data: factoring and automated inference, Proceedings of the fifteenth annual working conference on Database and application security, p.91-104, July 15-18, 2001, Niagara, Ontario, Canada
	22	SALTZER, J., AND SCHROEDER, M. The protection of information in computer systems. Proceedings of the IEEE 63, 6 (1975), 1278--1308.
	23	Ravi S. Sandhu , Edward J. Coyne , Hal L. Feinstein , Charles E. Youman, Role-Based Access Control Models, Computer, v.29 n.2, p.38-47, February 1996 [doi>10.1109/2.485845]
	24	Andreas Schaad , Jonathan Moffett , Jeremy Jacob, The role-based access control system of a European bank: a case study and discussion, Proceedings of the sixth ACM symposium on Access control models and technologies, p.3-9, May 2001, Chantilly, Virginia, United States [doi>10.1145/373256.373257]
	25	SECURANT. Unified access management: A model for integrated web security. Tech. rep., Securant Technologies, June 25 1999.
	26	Ray Spencer , Stephen Smalley , Peter Loscocco , Mike Hibler , David Andersen , Jay Lepreau, The flask security architecture: system support for diverse security policies, Proceedings of the 8th conference on USENIX Security Symposium, p.11-11, August 23-26, 1999, Washington, D.C.
	27	STRONG, P. How Ebay scales with networks and the challenges. In the 16th IEEE International Symposium on High-Performance Distributed Computing (Monterey, CA, USA, 2007). Invited talk.
	28	Jaideep Vaidya , Vijayalakshmi Atluri , Qi Guo, The role mining problem: finding a minimal descriptive set of roles, Proceedings of the 12th ACM symposium on Access control models and technologies, June 20-22, 2007, Sophia Antipolis, France [doi>10.1145/1266840.1266870]
	29	VOGELS, W. How wrong can you be? Getting lost on the road to massive scalability. In the 5th International Middleware Conference (Toronto, Canada, October 20 2004). Keynote address.
	30	Qiang Wei , Matei Ripeanu , Konstantin Beznosov, Cooperative secondary authorization recycling, Proceedings of the 16th international symposium on High performance distributed computing, June 25-29, 2007, Monterey, California, USA [doi>10.1145/1272366.1272375]