Administering Permissions for Distributed Data: Factoring and Automated Inference

Rosenthal, Arnon; Sciore, Edward

doi:10.1007/978-0-387-35587-0_7

Cited by 25 publications

(18 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For access control systems based on the Bell-LaPadula (BLP) model [4,3], SAAMBLP [8] uses the relationships between subjects and objects of previous responses to infer approximate responses. Other work [16,20,21] uses the relationships between (database) objects to infer new authorizations. In contrast, SAAMRBAC caches information derived from primary responses in order to infer relationships between sets of roles and the permissions assigned to those roles, thereby enabling the computation of approximate responses.…”

Section: Related Workmentioning

confidence: 99%

Authorization recycling in RBAC systems

Wei

Crampton

Beznosov

et al. 2008

Proceedings of the 13th ACM Symposium on Access Control Models and Technologies

View full text Add to dashboard Cite

As distributed applications increase in size and complexity, traditional authorization mechanisms based on a single policy decision point are increasingly fragile because this decision point represents a single point of failure and a performance bottleneck. Authorization recycling is one technique that has been used to address these challenges.This paper introduces and evaluates the mechanisms for authorization recycling in RBAC enterprise systems. The algorithms that support these mechanisms allow precise and approximate authorization decisions to be made, thereby masking possible failures of the policy decision point and reducing its load. We evaluate these algorithms analytically and using a prototype implementation. Our evaluation results demonstrate that authorization recycling can improve the performance of distributed access control mechanisms.

show abstract

Section: Related Workmentioning

confidence: 99%

Authorization recycling in RBAC systems

Wei

Crampton

Beznosov

et al. 2008

Proceedings of the 13th ACM Symposium on Access Control Models and Technologies

View full text Add to dashboard Cite

show abstract

“…The use of authorization inference as the basis for security in data warehouses is also proposed by Rosenthal et al [24,22,23]. In their model, a query Q is inferred to be authorized if there is an equivalent query Q which uses only authorized views; this is identical to our model of unconditional validity.…”

Section: Related Workmentioning

confidence: 87%

“…We point out its drawbacks, and then propose our alternative model, the Non-Truman model, which avoids these drawbacks (Section 4). Authorization transparent models have been previously proposed by Motro [20] and by Rosenthal et al [24,22,23]. Our model differs from these in several respects; we outline the differences in Section 7.…”

Section: Introductionmentioning

confidence: 93%

“…However, as mentioned above, authorization-transparent access control models using views have been presented earlier by Motro [20] and by Rosenthal et al [24,22,23]. They propose and motivate authorization (validity) inference, show multiple applications for validity inference, and discuss benefits and difficulties of using query processing technology to test for equivalence.…”

Section: Related Workmentioning

confidence: 98%

“…The definition of unconditional validity is essentially the same as the notions of query validity proposed by [20,24,22] and [23], except for the issue of authorization to see integrity constraints. However, the notion of conditional validity, explored next, is novel to this paper.…”

Section: Definition 41 (Unconditionally Valid Query) For Given Paramentioning

confidence: 99%

See 2 more Smart Citations

Extending query rewriting techniques for fine-grained access control

Rizvi

Mendelzon

Sudarshan

et al. 2004

Proceedings of the 2004 ACM SIGMOD International Conference on Management of Data

250

273

View full text Add to dashboard Cite

Current day database applications, with large numbers of users, require fine-grained access control mechanisms, at the level of individual tuples, not just entire relations/views, to control which parts of the data can be accessed by each user. Fine-grained access control is often enforced in the application code, which has numerous drawbacks; these can be avoided by specifying/enforcing access control at the database level. We present a novel fine-grained access control model based on authorization views that allows "authorizationtransparent" querying; that is, user queries can be phrased in terms of the database relations, and are valid if they can be answered using only the information contained in these authorization views. We extend earlier work on authorization-transparent querying by introducing a new notion of validity, conditional validity. We give a powerful set of inference rules to check for query validity. We demonstrate the practicality of our techniques by describing how an existing query optimizer can be extended to perform access control checks by incorporating these inference rules.

show abstract

Automated Checking of SAP Security Permisisons

Höhn

Jürjens

Integrity and Internal Control in Information Systems VI

View full text Add to dashboard Cite

Abstract:Configuring user security permissions in standard business applications (such as SAP systems) is difficult and error-prone. There are many examples of wrongly configured systems that are open to misuse by unauthorized parties.To check permission files of a realistic size in a medium to large organization manually can be a daunting task which is often neglected.We present research on construction of a tool which automatically checks the SAP configuration for security policy rules (such as separation of duty). The tool uses advanced methods of automated software engineering: The permissions are given as input in an XML format through an interface from the SAP system, the business application is described ba a diagram modeled with standard UML CASE (Computer-Aided Software Engineering) -tools and output as XMI, and our tool checks the permissions against the rules using an analyzer written in Prolog. Because of its modular architecture and its standardized interfaces, the tool can be easily adapted to check security constraints in other kinds of application software (such as firewall or other access control configurations).

show abstract

Administering Permissions for Distributed Data: Factoring and Automated Inference

Cited by 25 publications

References 7 publications

Authorization recycling in RBAC systems

Authorization recycling in RBAC systems

Extending query rewriting techniques for fine-grained access control

Automated Checking of SAP Security Permisisons

Contact Info

Product

Resources

About