An Attribute-Based-Delegation-Model and Its Extension

Chunxiao Ye, Zhongfu Wu, Yunqing Fu


In existing delegation models, delegation security entirely depends on delegators and security administrators, for delegation constraint in these models is only a prerequisite condition. This paper proposes an Attribute- Based-Delegation-Model (ABDM) with an extended delegation constraint consists of both delegation attribute expression (DAE) and delegation prerequisite condition (CR). In ABDM, A delegatee must satisfy delegation constraint (especially DAE) when assigned to a delegation role. With delegation constraint, a delegator can restrict the delegatee candidates more strictly. ABDM relieves delegators and security administrators of security management work in delegation. In ABDM, a delegator is not allowed to temporarily delegate his permissions to a person who does not satisfy the delegation constraint. To guarantee its flexibility and security, an extension of ABDM named ABDMX is proposed. In ABDMX, a delegator can delegate some high level permissions to low level delegatee candidates temporarily, but not permanently.


  1. Ravi Sandhu, Edward Coyne, Hal Feinstein, Charles Younman, 'Role-Based Access Control Models', IEEE Computer, Vol.29, 1996,pp.38-47.
  2. David F Ferraiolo, Ravi Sandhu, Serban Gavrila, 'proposed standard for role-based access control', ACM Trans on information and System Security, Vol.4, 2001, pp.224-274.
  3. Xinwen Zhang, Sejong Oh, Ravi Sandhu, 'PBDM: A Flexible Delegation Model in RBAC', Proceedings of SACMAT'03, Como, Italy, 2003, pp.149-157.
  4. Lynn Andrea Stein, 'Delegation Is Inheritance', proceedings Of Object-Priented Programming Systems, Languages, and Applications (OOPSLA'87), New York, USA, 1987, pp.138-146.
  5. J.D. Moffett, 'Delegation of authority Using Domain Based Access Rules', PhD Thesis, Dept of Computing, Imperial College, University of London, 1990.
  6. Morrie Gasser, Ellen McDermott 1990, 'An Architecture for practical Delegation in a Distributed System', Proceedings of IEEE Computer Society Symposium on Research in Security and Privacy. Oakland, USA, pp.20-30.
  7. Ezedin Barka, Ravi Sandhu, 'Framework for Role-Based Delegation Models', Proceedings of 16th Annual Computer Security Application Conference (ACSAC2000), New Orleans, USA, 2000, pp.168-175
  8. Ezedin Barka, Ravi Sandhu, 'A role-based delegation model and some extensions', Proceedings Of 23rd National Information Systems Security Conference (NISSC), Baltimore, USA, 2000, pp.101-114.
  9. Longhua Zhang, Gail-Joon Ahn, Bei-Tseng Chu, 'A rule-based framework for role-based delegation', proceedings of 6th ACM Symposium on Access Control Models and Technologies (SACMAT), Chantilly, VA, 200, pp.153-162.
  10. ZHAO Qing-Song, SUN Yu-Fang, SUN Bo, 'RPRDM: A Repeated-and-Part-Role-Based Delegation Model', Journal of Computer Research and Development, Vol. 40, 2003, pp.221-227.
  11. Ravi S Sandhu, Venkata Bhamidipati, Qamar Munawerl, 'The ARBAC97 model for rolebased administration of roles', ACM Transaction s on Information and System Securty, Vol. 2, 1999, pp. 105-135.
  12. Ravi Sandhu, Qamar Munawer, 'the ARBAC99 model for administration of roles', Proceedings of the Annual Computer Security Applications Conference, Phoenix, USA, 1999.
  13. Ravi Sandhu, Qamar Munawer, 'A Model for Role Administration Using Organization', Proceedings of the Structure, SACMAT'02, Monterey, California, USA, 2002, pp.155-162.
  14. Cheh Goh, Adrian Baldwin, 'Towards a more complete model of role', Proceedings of the third ACM workshop on Role-based access control, Fairfax, Virginia, United States, 1998, pp. 55 - 62.
  15. M. A. Al-Kahtani, R. Sandhu, 'A Model for Attribute-Based User-Role Assignment', Proceedings of the 18th Annual Computer Security Applications Conference, Las Vegas, Nevada, USA, 2002, pp. 353-362.
  16. Mohammad Abdullah Al-Kahtani, 'A family of Models for Rule-Based User-Role Assignment', PhD Thesis. School of Information Technology and Engineering, George Mason University, 2003.
  17. YE Chun-Xiao, Fu Yun-Qing, WU Zhong-Fu, 'Research on User-Role Assignment Based on Role Restrictive Conditions', Journal of Computer Science, Vol. 31, 2004, pp. 73-76.

Paper Citation

in Harvard Style

Ye C., Wu Z. and Fu Y. (2005). An Attribute-Based-Delegation-Model and Its Extension . In Proceedings of the 3rd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2005) ISBN 972-8865-25-2, pages 146-159. DOI: 10.5220/0002560401460159

in EndNote Style

JO - Proceedings of the 3rd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2005)
TI - An Attribute-Based-Delegation-Model and Its Extension
SN - 972-8865-25-2
AU - Ye C.
AU - Wu Z.
AU - Fu Y.
PY - 2005
SP - 146
EP - 159
DO - 10.5220/0002560401460159

in Bibtex Style

author={Chunxiao Ye and Zhongfu Wu and Yunqing Fu},
title={An Attribute-Based-Delegation-Model and Its Extension},
booktitle={Proceedings of the 3rd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2005)},