Trust-based Dynamic RBAC

Tamir Lavi, Ehud Gudes

Abstract

A prominent feature of almost every computerized system is the presence of an access control module. The Role Based Access Control (RBAC) model is among the most popular, both in academic research and in practice, within actual implementations of many applications and computer infrastructures. The RBAC model simplifies the way a system administrator controls the assignment of permissions to individuals by assigning permissions to roles and roles to users. The growth of web applications that are accessible to world-wide and unknown users exposes these applications to various attacks. This has led a few researchers to suggest ways to incorporate trust within RBAC to achieve even better control over the assignment of users to roles, and of permissions within roles, based on the user's trust level. In this work, we present a new trust-based RBAC model that improves and refines the assignment of permissions to roles with awareness of the user's trust and reputation. After describing the basic model, called TDRBAC for Trust-based Dynamic RBAC, we describe ways to deal with issues such as privacy preservation and delegation of roles while taking the user's trust into consideration.



Paper Citation


in Harvard Style

Lavi T. and Gudes E. (2016). Trust-based Dynamic RBAC. In Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-167-0, pages 317-324. DOI: 10.5220/0005687503170324


in Bibtex Style

@conference{icissp16,
author={Tamir Lavi and Ehud Gudes},
title={Trust-based Dynamic RBAC},
booktitle={Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2016},
pages={317-324},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005687503170324},
isbn={978-989-758-167-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Trust-based Dynamic RBAC
SN - 978-989-758-167-0
AU - Lavi T.
AU - Gudes E.
PY - 2016
SP - 317
EP - 324
DO - 10.5220/0005687503170324