Authorization recycling in RBAC systems

Wei, Qiang; Crampton, Jason; Beznosov, Konstantin; Ripeanu, Matei

doi:10.1145/1377836.1377848

Cited by 20 publications

(37 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We are not the first to consider such a setting for RBAC; indeed, our work can be seen as a follow-up to the work of Wei et al [26]. We adopt the setting they propose that we reproduce in Figure 1.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Efficient access enforcement in distributed role-based access control (RBAC) deployments

Tripunitara

Cărbunar

2009

Proceedings of the 14th ACM Symposium on Access Control Models and Technologies

View full text Add to dashboard Cite

We address the distributed setting for enforcement of a centralized Role-Based Access Control (RBAC) protection state. We present a new approach for time-and space-efficient access enforcement. Underlying our approach is a data structure that we call a cascade Bloom filter. We describe our approach, provide details about the cascade Bloom filter, its associated algorithms, soundness and completeness properties for those algorithms, and provide an empirical validation for distributed access enforcement of RBAC. We demonstrate that even in low-capability devices such as WiFi network access points, we can perform thousands of access checks in a second.

show abstract

Section: Introductionmentioning

confidence: 99%

“…We seek to also address what we consider a particular shortcoming of the approach of Wei et al [26] -the issue of "cache warmness." In their approach, a PDP does not push state to the SDP.…”

Section: Introductionmentioning

confidence: 99%

Efficient access enforcement in distributed role-based access control (RBAC) deployments

Tripunitara

Cărbunar

2009

Proceedings of the 14th ACM Symposium on Access Control Models and Technologies

View full text Add to dashboard Cite

show abstract

“…Approximate recycling predicts an authorization without consulting the PDP during an access request. Wei et al [28,29] applied the SAAM to RBAC. Good performance for authorization recycling depends heavily on cache warmness, which can be a problem especially for short duration sessions or access requests with low temporal locality.…”

Section: Related Workmentioning

confidence: 99%

“…The architecture resulting from adding an SDP to the COPS model, shown in Figure 1, distributes authorization while maintaining a centralized policy. Wei et al [28] show how to use the extended model with RBAC.…”

Section: Introductionmentioning

confidence: 99%

Hardware-enhanced distributed access enforcement for role-based access control

Bloom

Simha

2014

Proceedings of the 19th ACM Symposium on Access Control Models and Technologies

View full text Add to dashboard Cite

The protection of information in enterprise and cloud platforms is growing more important and complex with increasing numbers of users who need to access resources with distinct permissions. Role-based access control (RBAC) eases administrative complexity for large-scale access control, while a client-server model can ease performance bottlenecks by distributing access enforcement across multiple servers that consult the centralized access decision policy server as needed. In this paper, we propose a new approach to access enforcement using an existing associative array hardware data structure (HWDS) to cache authorizations in a distributed system using RBAC. This HWDS approach uses hardware that has previous been demonstrated as useful for several application domains including access control, network packet routing, and generic comparison-based integer search algorithms. We reproduce experiments from prior work on distributed access enforcement for RBAC systems, and we design and conduct new experiments to evaluate HWDS-based access enforcement. Experimental data show the HWDS cuts session initiation time by about a third compared to existing solutions, while achieving similar performance to authorize access requests. These results suggest that distributed systems using RBAC could use HWDS-based access enforcement to increase session throughput or to decrease the number of access enforcement servers without losing performance.

show abstract

“…For example, in a spatiotemporal authorization mechanism, the system should assume that the user is mobile, and may leave the authorized region. That is, CDAC designs must address the problem of continuity of usage [46,34,12,45,44]. The dynamic nature of contextual data requires that access decisions must be repeatedly evaluated even after the initial request is granted.…”

Section: Enforcement Modelsmentioning

confidence: 99%

Context-Dependent Authentication and Access Control

Kirkpatrick

Bertino

2009

iNetSec 2009 – Open Research Problems in Network Security

View full text Add to dashboard Cite

Abstract. As mobile computing continues to rise, users are increasingly able to connect to remote services from a wide range of settings. To provide this flexibility, security policies must be adaptive to the user's environment when the request is made. In our work, we define context to include the spatiotemporal aspects of the user request, in addition to quantifiable environmental factors determined by the server hosting the resource. We identify a number of key open problems in this field and propose potential solutions to some of the problems.

show abstract

Authorization recycling in RBAC systems

Cited by 20 publications

References 21 publications

Efficient access enforcement in distributed role-based access control (RBAC) deployments

Efficient access enforcement in distributed role-based access control (RBAC) deployments

Hardware-enhanced distributed access enforcement for role-based access control

Context-Dependent Authentication and Access Control

Contact Info

Product

Resources

About