The role graph model and conflict of interest

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

The role graph model and conflict of interest

Full text

Pdf (218 KB)

Source

ACM Transactions on Information and System Security (TISSEC) archive
Volume 2 , Issue 1 (February 1999) table of contents
Special issue on role-based access control

Pages: 3 - 33

Year of Publication: 1999

ISSN:1094-9224

Authors

Matunda Nyanchama	Univ. of Western Ontario, Mississauga, Ont., Canada
Sylvia Osborn	Univ. of Western Ontario, Mississauga, Ont., Canada

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 10, Downloads (12 Months): 121, Citation Count: 65

Additional Information:

abstract references cited by index terms review collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/300830.300832 What is a DOI?

ABSTRACT

We describe in more detail than before the reference model for role-based access control introduced by Nyanchama and Osborn, and the role-graph model with its accompanying algorithms, which is one way of implementing role-role relationships. An alternative role insertion algorithm is added, and it is shown how the role creation policies of Fernandez et al. correspond to role addition algorithms in our model. We then use our reference model to provide a taxonomy for kinds of conflict. We then go on to consider in some detail privilege-privilege and and role-role conflicts in conjunction with the role graph model. We show how role-role conflicts lead to a partitioning of the role graph into nonconflicting collections that can together be safely authorized to a given user. Finally, in an appendix, we present the role graph algorithms with additional logic to disallow roles that contain conflicting privileges.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	AHO, A. V., GAREY, M. R., AND ULLMAN, J. D. 1972. The transitive reduction of a directed graph. SIAM J. Comput. 1, 2 (June), 131-137.
	2	BALDWIN, R. 1990. Naming and grouping privileges to simplify security management in large databases. In Proceedings of the IEEE Symposium on Research in Security and Privacy (Oakland, CA). IEEE Computer Society Press, Los Alamitos, CA, 116-132.
	3	Elisa Bertino , Elena Ferrari , Vijayalakshmi Atluri, A flexible model supporting the specification and enforcement of role-based authorization in workflow management systems, Proceedings of the second ACM workshop on Role-based access control, p.1-12, November 06-07, 1997, Fairfax, Virginia, United States [doi>10.1145/266741.266746]
	4	John Adrian Bondy, Graph Theory With Applications, Elsevier Science Ltd, 1976
	5	Eduardo B. Fernández , Jie Wu , Minjie H. Fernandez, User Group Structures in Object-Oriented Database Authorization, Proceedings of the IFIP WG11.3 Working Conference on Database Security VII, p.57-76, August 23-26, 1994
	6	FERRAIOLO, D., CUGINI, g., AND KUHN, D. R. 1995. Role based access control: Features and motivations. In Proceedings of the 11th Annual Conference on Computer Security Applications. IEEE Computer Society Press, Los Alamitos, CA, 241-248.
	7	Michael A. Harrison , Walter L. Ruzzo , Jeffrey D. Ullman, Protection in operating systems, Communications of the ACM, v.19 n.8, p.461-471, Aug. 1976 [doi>10.1145/360303.360333]
	8	M.-Y. Hu , Steven A. Demurjian , T. C. Ting, Unifying Structural and Security Modeling and Analyses in the ADAM Object-Oriented Design Environment, Proceedings of the IFIP WG11.3 Working Conference on Database Security VII, p.77-94, August 23-26, 1994
	9	D. Richard Kuhn, Mutual exclusion of roles as a means of implementing separation of duty in role-based access control systems, Proceedings of the second ACM workshop on Role-based access control, p.23-30, November 06-07, 1997, Fairfax, Virginia, United States [doi>10.1145/266741.266749]
	10	F. H. Lochovsky , C. C. Woo, Role-based security in data base management systems, on Database Security: Status and Prospects, p.209-222, September 1988, Annapolis, Maryland, United States
	11	Imtiaz Mohammed , David M. Dilts, Design for dynamic user-role-based security, Computers and Security, v.13 n.9, p.661-671, Oct. 1994 [doi>10.1016/0167-4048(94)90048-5]
	12	Matunda Nyanchama, Commercial integrity, roles and object orientation, University of Western Ontario, Ont., Canada, 1996
	13	Matunda Nyanchama , Sylvia Osborn, Role-based security, object oriented databases and separation of duty, ACM SIGMOD Record, v.22 n.4, p.45-51, Dec. 1993 [doi>10.1145/166635.166652]
	14	Matunda Nyanchama , Sylvia L. Osborn, Access Rights Administration in Role-Based Security Systems, Proceedings of the IFIP WG11.3 Working Conference on Database Security VII, p.37-56, August 23-26, 1994
	15	Matunda Nyanchama , Sylvia Osborn, Modeling mandatory access control in role-based security systems, Proceedings of the ninth annual IFIP TC11 WG11.3 working conference on Database security IX : status and prospects: status and prospects, p.129-144, January 1996, Rennselaerville, New York, United States
	16	Sylvia Osborn, Mandatory access control and role-based access control revisited, Proceedings of the second ACM workshop on Role-based access control, p.31-40, November 06-07, 1997, Fairfax, Virginia, United States [doi>10.1145/266741.266751]
	17	Sylvia L. Osborn , Laura K. Reid , Gregory J. Wesson, On the interaction between role-based access control and relational databases, Proceedings of the tenth annual IFIP TC11/WG11.3 international conference on Database security: volume X : status and prospects: status and prospects, p.275-287, January 1997, Como, Italy
	18	Fausto Rabitti , Elisa Bertino , Won Kim , Darrell Woelk, A model of authorization for next-generation database systems, ACM Transactions on Database Systems (TODS), v.16 n.1, p.88-131, March 1991 [doi>10.1145/103140.103144]
	19	Ravi S. Sandhu, Role Hierarchies and Constraints for Lattice-Based Access Controls, Proceedings of the 4th European Symposium on Research in Computer Security: Computer Security, p.65-79, September 25-27, 1996
	20	Ravi S. Sandhu , Edward J. Coyne , Hal L. Feinstein , Charles E. Youman, Role-Based Access Control Models, Computer, v.29 n.2, p.38-47, February 1996 [doi>10.1109/2.485845]
	21	SANDHU, R. S. 1988. Transaction control expressions for separation of duties. In Proceedings of the 4th Annual Conference on Computer Security Application (Orlando, FL, Dec.). 282-286.
	22	Richard Simon , Mary Ellen Zurko, Separation of Duty in Role-based Environments, Proceedings of the 10th Computer Security Foundations Workshop (CSFW '97), p.183, June 10-12, 1997
	23	Roshan K. Thomas , Ravi S. Sandhu, Task-Based Authorization Controls (TBAC): A Family of Models for Active and Enterprise-Oriented Autorization Management, Proceedings of the IFIP TC11 WG11.3 Eleventh International Conference on Database Securty XI: Status and Prospects, p.166-181, August 10-13, 1997
	24	THOMSEN, D. 1991. Role-based application design and enforcement. In Database Security IV, Status and Prospects, S. Jajodia and C. Landwehr, Eds. Elsevier North-Holland, Inc., New York, NY, 151-168.
	25	T. C. Ting, A user-role based data security approach, on Database Security: Status and Prospects, p.187-208, September 1988, Annapolis, Maryland, United States
	26	T. C. Ting , Steven A. Demurjian , M.-Y. Hu, Requirements, Capabilities, and Functionalities of User-Role Based Security for an Object-Oriented Design Model, Results of the IFIP WG 11.3 Workshop on Database Security V: Status and Prospects, p.275-296, November 01, 1991
	27	S. H. von Solms , Isak van der Merwe, The management of computer security profiles using a role-oriented approach, Computers and Security, v.13 n.9, p.673-680, Oct. 1994 [doi>10.1016/0167-4048(94)90049-3]

CITED BY 65

	Sylvia Osborn , Ravi Sandhu , Qamar Munawer, Configuring role-based access control to enforce mandatory and discretionary access control policies, ACM Transactions on Information and System Security (TISSEC), v.3 n.2, p.85-106, May 2000
	Jonathon E. Tidswell , Trent Jaeger, An access control model for simplifying constraint expression, Proceedings of the 7th ACM conference on Computer and communications security, p.154-163, November 01-04, 2000, Athens, Greece
	Manuel Koch , Luigi V. Mancini , Francesco Parisi-Presicce, A graph-based formalism for RBAC, ACM Transactions on Information and System Security (TISSEC), v.5 n.3, p.332-365, August 2002
	Patrick C. K. Hung , Kamalakar Karlapalem, A secure workflow model, Proceedings of the Australasian information security workshop conference on ACSW frontiers 2003, p.33-41, February 01, 2003, Adelaide, Australia
	Tanvir Ahmed , Anand R. Tripathi, Static verification of security requirements in role based CSCW systems, Proceedings of the eighth ACM symposium on Access control models and technologies, June 02-03, 2003, Como, Italy
	Sejong Oh , Ravi Sandhu, A model for role administration using organization structure, Proceedings of the seventh ACM symposium on Access control models and technologies, June 03-04, 2002, Monterey, California, USA
	Jonathon E. Tidswell , Trent Jaeger, Integrated constraints and inheritance in DTAC, Proceedings of the fifth ACM workshop on Role-based access control, p.93-102, July 26-28, 2000, Berlin, Germany
	Jason Crampton, Administrative scope and role hierarchy operations, Proceedings of the seventh ACM symposium on Access control models and technologies, June 03-04, 2002, Monterey, California, USA
	David F. Ferraiolo , Ravi Sandhu , Serban Gavrila , D. Richard Kuhn , Ramaswamy Chandramouli, Proposed NIST standard for role-based access control, ACM Transactions on Information and System Security (TISSEC), v.4 n.3, p.224-274, August 2001
	Andreas Schaad , Jonathan Moffett , Jeremy Jacob, The role-based access control system of a European bank: a case study and discussion, Proceedings of the sixth ACM symposium on Access control models and technologies, p.3-9, May 2001, Chantilly, Virginia, United States
	James B D Joshi , Elisa Bertino , Arif Ghafoor, Temporal hierarchies and inheritance semantics for GTRBAC, Proceedings of the seventh ACM symposium on Access control models and technologies, June 03-04, 2002, Monterey, California, USA
	Elisa Bertino , Piero Andrea Bonatti , Elena Ferrari, TRBAC: A temporal role-based access control model, ACM Transactions on Information and System Security (TISSEC), v.4 n.3, p.191-233, August 2001
	Jonathon E. Tidswell , John M. Potter, A graphical definition of authorization schema in the DTAC model, Proceedings of the sixth ACM symposium on Access control models and technologies, p.109-120, May 2001, Chantilly, Virginia, United States
	Ravi Sandhu , Venkata Bhamidipati , Qamar Munawer, The ARBAC97 model for role-based administration of roles, ACM Transactions on Information and System Security (TISSEC), v.2 n.1, p.105-135, Feb. 1999
	Sylvia Osborn , Yuxia Guo, Modeling users in role-based access control, Proceedings of the fifth ACM workshop on Role-based access control, p.31-37, July 26-28, 2000, Berlin, Germany
	Ravi Sandhu, Engineering authority and trust in cyberspace: the OM-AM and RBAC way, Proceedings of the fifth ACM workshop on Role-based access control, p.111-119, July 26-28, 2000, Berlin, Germany
	Trent Jaeger , Jonathon E. Tidswell, Practical safety in flexible access control models, ACM Transactions on Information and System Security (TISSEC), v.4 n.2, p.158-190, May 2001
	John A. Hine , Walt Yao , Jean Bacon , Ken Moody, An architecture for distributed OASIS services, IFIP/ACM International Conference on Distributed systems platforms, p.104-120, April 03-07, 2000, New York, New York, United States
	Jean Bacon , Ken Moody , Walt Yao, Access control and trust in the use of widely distributed services, Software—Practice & Experience, v.33 n.4, p.375-394, 10 April 2003
	Jean Bacon , Ken Moody , Walt Yao, A model of OASIS role-based access control and its support for active security, ACM Transactions on Information and System Security (TISSEC), v.5 n.4, p.492-540, November 2002
	David F. Ferraiolo , R. Chandramouli , Gail-Joon Ahn , Serban I. Gavrila, The role control center: features and case studies, Proceedings of the eighth ACM symposium on Access control models and technologies, June 02-03, 2003, Como, Italy
	Gail-Joon Ahn , Ravi Sandhu, The RSL99 language for role-based separation of duty constraints, Proceedings of the fourth ACM workshop on Role-based access control, p.43-54, October 28-29, 1999, Fairfax, Virginia, United States
	Sylvia Osborn, Integrating role graphs: a tool for security integration, Data & Knowledge Engineering, v.43 n.3, p.317-333, December 2002
	Sylvia L. Osborn , Yan Han , Jun Liu, A methodology for managing roles in legacy systems, Proceedings of the eighth ACM symposium on Access control models and technologies, June 02-03, 2003, Como, Italy
	Martin Kuhlmann , Dalia Shohat , Gerhard Schimpf, Role mining - revealing business roles for security administration using data mining technology, Proceedings of the eighth ACM symposium on Access control models and technologies, June 02-03, 2003, Como, Italy
	Merwyn Taylor, Hierarchical data security in a query-by-example interface for a shared database, Journal of Biomedical Informatics, v.35 n.3, p.171-177, June 2002
	Jason Crampton, On permissions, inheritance and role hierarchies, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA
	W. M. P. van der Aalst , Akhil Kumar , H. M. W. Verbeek, Organizational modeling in UML and XML in the context of workflow systems, Proceedings of the 2003 ACM symposium on Applied computing, March 09-12, 2003, Melbourne, Florida
	Giorgio Zanin , Luigi Vincenzo Mancini, Towards a formal model for security policies specification and validation in the selinux system, Proceedings of the ninth ACM symposium on Access control models and technologies, June 02-04, 2004, Yorktown Heights, New York, USA
	Shih-Chien Chou, Embedding role-based access control model in object-oriented systems to protect privacy, Journal of Systems and Software, v.71 n.1-2, p.143-161, April 2004
	Trent Jaeger , Xiaolan Zhang , Fidel Cacheda, Policy management using access control spaces, ACM Transactions on Information and System Security (TISSEC), v.6 n.3, p.327-364, August 2003
	Jingzhu Wang , Sylvia L. Osborn, A role-based approach to access control for XML databases, Proceedings of the ninth ACM symposium on Access control models and technologies, June 02-04, 2004, Yorktown Heights, New York, USA
	Walt Yao , Ken Moody , Jean Bacon, A model of OASIS role-based access control and its support for active security, Proceedings of the sixth ACM symposium on Access control models and technologies, p.171-181, May 2001, Chantilly, Virginia, United States
	Ravi Sandhu , David Ferraiolo , Richard Kuhn, The NIST model for role-based access control: towards a unified standard, Proceedings of the fifth ACM workshop on Role-based access control, p.47-63, July 26-28, 2000, Berlin, Germany
	Jason Crampton, Specifying and enforcing constraints in role-based access control, Proceedings of the eighth ACM symposium on Access control models and technologies, June 02-03, 2003, Como, Italy
	Indrakshi Ray , Na Li , Robert France , Dae-Kyoo Kim, Using uml to visualize role-based access control constraints, Proceedings of the ninth ACM symposium on Access control models and technologies, June 02-04, 2004, Yorktown Heights, New York, USA
	M. Koch , L. V. Mancini , F. Parisi-Presicce, Administrative scope in the graph-based framework, Proceedings of the ninth ACM symposium on Access control models and technologies, June 02-04, 2004, Yorktown Heights, New York, USA
	Shih-Chien Chou, Providing flexible access control to an information flow control model, Journal of Systems and Software, v.73 n.3, p.425-439, November-December 2004
	Reinhardt A. Botha , Jan H. P. Eloff, Separation of duties for access control enforcement in workflow environments, IBM Systems Journal, v.40 n.3, p.666-682, March 2001
	James B. D. Joshi , Elisa Bertino , Usman Latif , Arif Ghafoor, A Generalized Temporal Role-Based Access Control Model, IEEE Transactions on Knowledge and Data Engineering, v.17 n.1, p.4-23, January 2005
	Eunjee Song , Raghu Reddy , Robert France , Indrakshi Ray , Geri Georg , Roger Alexander, Verifiable composition of access control and application features, Proceedings of the tenth ACM symposium on Access control models and technologies, June 01-03, 2005, Stockholm, Sweden
	Jason Crampton, Understanding and developing role-based administrative models, Proceedings of the 12th ACM conference on Computer and communications security, November 07-11, 2005, Alexandria, VA, USA
	Sylvia L. Osborn, Information flow analysis of an RBAC system, Proceedings of the seventh ACM symposium on Access control models and technologies, June 03-04, 2002, Monterey, California, USA
	James B. D. Joshi , Elisa Bertino , Arif Ghafoor, An Analysis of Expressiveness and Design Issues for the Generalized Temporal Role-Based Access Control Model, IEEE Transactions on Dependable and Secure Computing, v.2 n.2, p.157-175, April 2005
	Jason Crampton , George Loizou, Administrative scope: A foundation for role-based administrative models, ACM Transactions on Information and System Security (TISSEC), v.6 n.2, p.201-231, May 2003
	Akhil Kumar , Wil M. P. Van Der Aalst , Eric M. W. Verbeek, Dynamic Work Distribution in Workflow Management Systems: How to Balance Quality and Performance, Journal of Management Information Systems, v.18 n.3, p.157-193, Number 3/Winter 2001/02
	Liang Chen , Jason Crampton, On spatio-temporal constraints and inheritance in role-based access control, Proceedings of the 2008 ACM symposium on Information, computer and communications security, March 18-20, 2008, Tokyo, Japan
	Timothy Fraser , David Ferraiolo , Mikel L. Matthews , Casey Schaufler , Stephen Smalley , Robert Watson, Panel: which access control technique will provide the greatest overall benefit, Proceedings of the sixth ACM symposium on Access control models and technologies, p.141-149, May 2001, Chantilly, Virginia, United States
	He Wang , Sylvia L. Osborn, Delegation in the role graph model, Proceedings of the eleventh ACM symposium on Access control models and technologies, June 07-09, 2006, Lake Tahoe, California, USA
	Sejong Oh , Ravi Sandhu , Xinwen Zhang, An effective role administration model using organization structure, ACM Transactions on Information and System Security (TISSEC), v.9 n.2, p.113-137, May 2006
	Andreas Schaad , Volkmar Lotz , Karsten Sohr, A model-checking approach to analysing organisational controls in a loan origination process, Proceedings of the eleventh ACM symposium on Access control models and technologies, June 07-09, 2006, Lake Tahoe, California, USA
	Chaoyi Pang , David Hansen , Anthony Maeder, Managing RBAC states with transitive relations, Proceedings of the 2nd ACM symposium on Information, computer and communications security, March 20-22, 2007, Singapore
	Ninghui Li , Ziqing Mao, Administration in role-based access control, Proceedings of the 2nd ACM symposium on Information, computer and communications security, March 20-22, 2007, Singapore
	He Wang , Sylvia L. Osborn, Discretionary access control with the administrative role graph model, Proceedings of the 12th ACM symposium on Access control models and technologies, June 20-22, 2007, Sophia Antipolis, France
	JuHum Kwon , Chang-Joo Moon, Visual modeling and formal specification of constraints of RBAC using semantic web technology, Knowledge-Based Systems, v.20 n.4, p.350-356, May, 2007
	Tanvir Ahmed , Anand R. Tripathi, Specification and verification of security requirements in a programming model for decentralized CSCW systems, ACM Transactions on Information and System Security (TISSEC), v.10 n.2, p.7-es, May 2007
	H. Ragab Hassen , A. Bouabdallah , H. Bettahar , Y. Challal, Key management for content access control in a hierarchy, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.11, p.3197-3219, August, 2007
	Halvard Skogsrud , Boualem Benatallah , Fabio Casati , Farouk Toumani, Managing Impacts of Security Protocol Changes in Service-Oriented Applications, Proceedings of the 29th International Conference on Software Engineering, p.468-477, May 20-26, 2007
	Trent Jeager, Managing access control complexity using metrices, Proceedings of the sixth ACM symposium on Access control models and technologies, p.131-139, May 2001, Chantilly, Virginia, United States
	David F. Ferraiolo, An argument for the role-based access control model, Proceedings of the sixth ACM symposium on Access control models and technologies, p.142-143, May 2001, Chantilly, Virginia, United States
	Susannah Soon , Adrian Pearce , Max Noble, Adaptive Teamwork Coordination Using Graph Matching over Hierarchical Intentional Structures, Proceedings of the Third International Joint Conference on Autonomous Agents and Multiagent Systems, p.294-301, July 19-23, 2004, New York, New York
	M. L. Damiani , E. Bertino , P. Perlasca, Data security in location-aware applications: an approach based on RBAC, International Journal of Information and Computer Security, v.1 n.1/2, p.5-38, January 2007
	James B. D. Joshi , Elisa Bertino , Arif Ghafoor , Yue Zhang, Formal foundations for hybrid hierarchies in GTRBAC, ACM Transactions on Information and System Security (TISSEC), v.10 n.4, p.1-39, January 2008
	Andrea Kienle , Carsten Ritterskamp, Facilitating asynchronous discussions in learning communities: the impact of moderation strategies, Behaviour & Information Technology, v.26 n.1, p.73-80, January 2007
	Jean Bacon , Ken Moody , Walt Yao, Access Control and Trust in the Use of Widely Distributed Services, Proceedings of the IFIP/ACM International Conference on Distributed Systems Platforms Heidelberg, p.295-310, November 12-16, 2001

INDEX TERMS

Primary Classification:
D. Software
D.4 OPERATING SYSTEMS
D.4.6 Security and Protection
Subjects: Access controls

Additional Classification:
G. Mathematics of Computing
G.2 DISCRETE MATHEMATICS
G.2.2 Graph Theory
Subjects: Graph algorithms

K. Computing Milieux
K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS

General Terms:
Algorithms, Management, Security

Keywords:
conflict of interest, role graphs, role-based security

REVIEW

"Jonathan K. Millen : Reviewer"

A role graph is a straightforward, economical presentation of policies for the assignment of data access privileges to users in an enterprise. A role is just a set of privileges, and a privilege represents some particular mode of a more...

Collaborative Colleagues:

Matunda Nyanchama: colleagues

Sylvia Osborn: colleagues

Adobe Acrobat

QuickTime

Windows Media Player

Real Player