Efficient policy analysis for administrative role based access control

Abstract: Abstract

“…Such a technical problem seems to be the most useful security question for ARBAC systems. Indeed, almost all interesting security questions can be reduced to the above problem (see [10,22,4]). Unfortunately, it is very hard to verify security of ARBAC policies precisely.…”

“…If the number of users is very small, this can be achieved in practice using model-checking techniques that use symbolic representations of state-spaces (like BDDs), but any realistic scenario would involve thousands of users, making this completely intractable. For those reasons researchers have turned to consider either restricted scenarios or abstraction techniques [22,9,4].…”

“…One crucial assumption that has been used to tackle the above problem is that of separate administration [22]. This essentially assumes that administrative roles and regular roles are disjoint so that administrative operations only affect regular roles and assignment/revocation of administrative permissions are not considered.…”

“…Such a restriction greatly simplifies the analysis since is then sufficient to consider only the evolution of a single user (at a time) as opposed to tracking all users. On the other hand, the separate administration restriction severely limits the expressiveness of the model [22] and precludes the use of frameworks such as SARBAC [5], UARBAC [13] and Oracle which do not assume such a limitation. In particular, the separate administration restriction is increasingly inappropriate in a world where administration is getting more and more distributed.…”

“…Static pruning techniques have been previously proposed [10,22,4] in order to reduce the state space to explore. The basic idea behind those techniques is that of removing roles and administrative rules from the policies that are immaterial to the reachability of role goal.…”

Policy Analysis for Self-administrated Role-Based Access Control

“…Such a technical problem seems to be the most useful security question for ARBAC systems. Indeed, almost all interesting security questions can be reduced to the above problem (see [10,22,4]). Unfortunately, it is very hard to verify security of ARBAC policies precisely.…”

“…If the number of users is very small, this can be achieved in practice using model-checking techniques that use symbolic representations of state-spaces (like BDDs), but any realistic scenario would involve thousands of users, making this completely intractable. For those reasons researchers have turned to consider either restricted scenarios or abstraction techniques [22,9,4].…”

“…One crucial assumption that has been used to tackle the above problem is that of separate administration [22]. This essentially assumes that administrative roles and regular roles are disjoint so that administrative operations only affect regular roles and assignment/revocation of administrative permissions are not considered.…”

“…Such a restriction greatly simplifies the analysis since is then sufficient to consider only the evolution of a single user (at a time) as opposed to tracking all users. On the other hand, the separate administration restriction severely limits the expressiveness of the model [22] and precludes the use of frameworks such as SARBAC [5], UARBAC [13] and Oracle which do not assume such a limitation. In particular, the separate administration restriction is increasingly inappropriate in a world where administration is getting more and more distributed.…”

“…Static pruning techniques have been previously proposed [10,22,4] in order to reduce the state space to explore. The basic idea behind those techniques is that of removing roles and administrative rules from the policies that are immaterial to the reachability of role goal.…”

Policy Analysis for Self-administrated Role-Based Access Control

Removing Problems in Rule-Based Policies

Adventures in the Analysis of Access Control Policies