Policy-Engineering Optimization with Visual Representation and Separation-of-Duty Constraints in Attribute-Based Access Control

2020, Vol 12 (10), pp. 164
Author(s): Wei Sun, Hui Su, Huacheng Xie

Recently, attribute-based access control (ABAC) has received increasingly more attention and has emerged as the desired access control mechanism for many organizations because of its flexibility and scalability for authorization management, as well as its security policies, such as separation-of-duty constraints and mutually exclusive constraints. Policy-engineering technology is an effective approach for the construction of ABAC systems. However, most conventional methods lack interpretability, and their constructing processes are complex. Furthermore, they do not consider the separation-of-duty constraints. To address these issues in ABAC, this paper proposes a novel method called policy engineering optimization with visual representation and separation of duty constraints (PEO_VR&SOD). First, to enhance interpretability while mining a minimal set of rules, we use the visual technique with Hamming distance to reduce the policy mining scale and present a policy mining algorithm. Second, to verify whether the separation of duty constraints can be satisfied in a constructed policy engineering system, we use the method of SAT-based model counting to reduce the constraints and construct mutually exclusive constraints to implicitly enforce the given separation of duty constraints. The experiments demonstrate the efficiency and effectiveness of the proposed method and show encouraging results.

Information, 2019, Vol 10 (11), pp. 342
Author(s): Wei Sun, Hui Su, Hongbing Liu

Role-based access control (RBAC) is one of the most popular access-control mechanisms because of its convenience for management and various security policies, such as cardinality constraints, mutually exclusive constraints, and user-capability constraints. Role-engineering technology is an effective method to construct RBAC systems. However, mining scales are very large, and there are redundancies in the mining results. Furthermore, conventional role-engineering methods not only do not consider more than one cardinality constraint, but also cannot ensure authorization security. To address these issues, this paper proposes a novel method called role-engineering optimization with cardinality constraints and user-oriented mutually exclusive constraints (REO_CCUMEC). First, we convert the basic role mining into a clustering problem, based on the similarities between users and use-partitioning and compression technologies, in order to eliminate redundancies, while maintaining its usability for mining roles. Second, we present three role-optimization problems and the corresponding algorithms for satisfying single or double cardinality constraints. Third, in order to evaluate the performance of authorizations in a role-engineering system, the maximal role assignments are implemented, while satisfying multiple security constraints. The theoretical analyses and experiments demonstrate the accuracy, effectiveness, and efficiency of the proposed method.


Symmetry, 2019, Vol 11 (5), pp. 669
Author(s): Muhammad Umar Aftab, Zhiguang Qin, Negalign Wake Hundera, Oluwasanmi Ariyo, Zakria, ...

A major development in the field of access control is the dominant role-based access control (RBAC) scheme. The fascination of RBAC lies in its enhanced security along with the concept of roles. In addition, attribute-based access control (ABAC) is added to the access control models, which is famous for its dynamic behavior. Separation of duty (SOD) is used for enforcing the least privilege concept in RBAC and ABAC. Moreover, SOD is a powerful tool that is used to protect an organization from internal security attacks and threats. Different problems have been found in the implementation of SOD at the role level. This paper discusses that the implementation of SOD on the level of roles is not a good option. Therefore, this paper proposes a hybrid access control model to implement SOD on the basis of permissions. The first part of the proposed model is based on the addition of attributes with dynamic characteristics in the RBAC model, whereas the second part of the model implements the permission-based SOD in the dynamic RBAC model. Moreover, in comparison with previous models, performance and feature analysis are performed to show the strength of the dynamic RBAC model. This model improves the performance of the RBAC model in terms of time, dynamicity, and automatic permissions and roles assignment. At the same time, this model also reduces the administrator’s load and provides a flexible, dynamic, and secure access control model.


2020
Author(s): Amruta Chavan, Nilesh Marathe, Dipti Jadhav

Author(s): Heitor Henrique de Paula Moraes Costa, Aleteia Patricia Favacho de Araujo, Joao Jose Costa Gondim, Maristela Terto de Holanda, Maria Emilia Machado Telles Walter

Author(s): Cheng-Yu Cheng, Hang Liu, Li-Tse Hsieh, Edward Colbert, Jin-Hee Cha
