Access Control for Web Service Applications

Author(s):  
Timon C. Du ◽  
Richard Hwang ◽  
Charles Ling-yu Chou

Given the rapid changes in information technology, information security and companies' internal controls have become critical for both internal and external auditors. Recently, external auditors have been under pressure to provide real-time assurance. This movement has complicated the question of when and how to grant access privileges to external auditors. In addition, when there is a high degree of collaboration among organizations, the collaborators need to establish policies for auditors' access control and set up conditions and constraints for security and confidentiality reasons. Since auditors among the collaborators have different seniority, access privileges should be granted based on the seniority of the auditors in the collaborative team. Meanwhile, the growth of Web services offers a new paradigm for providing collaborative auditing services via the Web, and access control is a crucial issue for such future collaboration. In this study, we propose a role-based Chinese Wall model, which organizes corporate data into four different types of control groups with different access control policies, for auditors accessing data among collaborating enterprises. Using a vendor-managed inventory (VMI) example, the study discusses how auditing tasks can be performed under the proposed access control environment. To ensure the functionality of the proposed framework, the study uses Oracle software to demonstrate the feasibility of the model.

2019 ◽  
pp. 698-711
Author(s):  
Kashif Munir ◽  
Lawan A. Mohammed

Access control is generally a rule or procedure that allows, denies, restricts or limits access to a system's resources. It may also monitor and record all attempts made to access a system, and it may identify users attempting to access unauthorized resources. It is a mechanism that is very important for protection in computer security. Various access control models are in use, including the most common: Mandatory Access Control (MAC), Discretionary Access Control (DAC) and Role-Based Access Control (RBAC). All these models are known as identity-based access control models. In all of them, users (subjects) and resources (objects) are identified by unique names. Identification may be done directly or through roles assigned to the subjects. These access control methods are effective in unchanging distributed systems, where there is only a fixed set of users with a known set of services. For this reason, we propose a framework that is well suited to many situations in cloud computing where users or applications can be clearly separated according to their job functions. In this chapter, we propose a role-based access control framework with various features, including security of sensitive data, authorization policy and protection of data from hackers. Our proposed role-based access control algorithm provides tailored, fine-grained user access control services without adding complexity, and supports dynamic updates of access privileges when a user's role is added or updated.


2017 ◽  
Vol 30 (4) ◽  
pp. 53-70
Author(s):  
Winfred Yaokumah

Almost all computing systems and applications in organizations include some form of access control mechanism. Managing secure access to computing resources is an important but challenging task, requiring both administrative and technical measures. This study examines the influence of administrative access control measures on technical access control mechanisms. Based on the four access control clauses defined by ISO/IEC 27002, this study develops a model to empirically test the impact of access control policies on systems and applications control activities. The study employs Partial Least Squares Structural Equation Modelling (PLS-SEM) to analyze data collected from 223 samples through a survey questionnaire. The results show that the greatest significant impact on applications and systems access control measures comes from access control policies, mediated by users' responsibilities and accountability and by user access management activities. However, the direct impact of access control policies on applications and systems access control measures is not significant.


Author(s):  
Saravanan Muthaiyah

Access control methods have been improved over time, but one area that remains quite grey is the concept of assessing risk levels before any type of access rights are granted. This is a relatively new paradigm in semantic Web security research, and new methodologies for this effort are being studied. In this chapter, we will see how qualitative risk assessment (Nissanke & Khayat, 2004) and quantitative risk assessment are carried out. The purpose is to have different methods of assessment for better granting of access control rights and permissions. New examples based on the model described in Nissanke & Khayat (2004) are used to illustrate the concept. A new quantitative technique is also added to complement the qualitative techniques.


Author(s):  
Tomasz Müldner ◽  
Robin McNeill ◽  
Jan Krzysztof Miziołek

The popularity of social networks is growing rapidly, and secure publishing is an important implementation tool for these networks. At the same time, recent implementations of access control policies (ACPs) for sharing fragments of XML documents have moved from distributing numerous sanitized sub-documents to users to disseminating a single document multi-encrypted with multiple cryptographic keys, in such a way that the stated ACPs are enforced. Any application that uses this implementation of ACPs will incur a high cost of generating keys separately for each document. However, most such applications, such as secure publishing, use similar documents, i.e. documents based on a selected schema. This paper describes RBAC defined at the schema level (SRBAC) and the generation of the minimum number of keys at the schema level. The main advantage of our approach is that for any application that uses a fixed number of schemas, keys can be generated (or even pre-generated) only once, and then reused in all documents valid for the given schema. While, in general, key generation at the schema level has to be pessimistic, our approach tries to minimize the number of generated keys. Incoming XML documents are efficiently encrypted using single-pass SAX parsing in such a way that the original structure of these documents is completely hidden. We also describe distributing to each user only the keys needed for decrypting accessible nodes, and applying the minimal number of encryption operations to an XML document required to satisfy the protection requirements of the policy.

