Management of Exceptions on Access Control Policies

Alfaro, Joaquin Garcia; Cuppens, Frédéric; Cuppens-Boulahia, Nora

doi:10.1007/978-0-387-72367-9_9

Cited by 8 publications

(6 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Since one of the target scenarios of our system is healthcare, we believe it is interesting to see how our proposal differs from the many existing access control models proposed for this domain (e.g., [5], [4], [2]). The main difference is that these models do not support emergency descriptions and the use of CEP for emergency detection.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

A System for Timely and Controlled Information Sharing in Emergency Situations

Carminati

Ferrari

Guglielmi

2013

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

During natural disasters or emergency situations, an essential requirement for an effective emergency management is the information sharing. In this paper, we present an access control model to enforce controlled information sharing in emergency situations. An in-depth analysis of the model is discussed throughout the paper, and administration policies are introduced to enhance the model flexibility during emergencies. Moreover, a prototype implementation and experiments results are provided showing the efficiency and scalability of the system

show abstract

Section: Related Workmentioning

confidence: 99%

“…In this case, the arrival of a tuple t such that t:temp ¼ 38 results in the simultaneous creation and deletion of the corresponding emergency and tacp instances. 2 We formally define this problem by showing also the correctness and enforcement in the following sections.…”

Section: Emergency Policy Correctnessmentioning

confidence: 99%

A System for Timely and Controlled Information Sharing in Emergency Situations

Carminati

Ferrari

Guglielmi

2013

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

show abstract

“…We distinguish the set of subjects S (the who), the set of permissions P (the what), and the access relation SP ⊆ S × P (who gets to do what). In Figure 1a this situation is depicted using an entity relationship diagram 1 This very limited conceptual framework suffices in practice only as long as S and P are relatively small sets. If the cardinalities of S and P are too large there are too many pairs in S × P to consider.…”

Section: Access Controlmentioning

confidence: 99%

“…For practitioners this typically means, that, when an exception arises, instead of exercising in transformations of logical expressions and consequent rewriting of existing AC rules, security officers can generalise the exception, and cleanly and compositionally adapt the previous AC specification touching far fewer rules (for very practical examples see [1]). For that matter we shall give an extensive example on how and why negative objects of indirection could work in practice.…”

Section: Introductionmentioning

confidence: 99%

Sorting out role based access control

Kuijper

Ermolaev

2014

Proceedings of the 19th ACM Symposium on Access Control Models and Technologies

View full text Add to dashboard Cite

Role-based access control (RBAC) is a popular framework for modelling access control rules. In this paper we identify a fragment of RBAC called bi-sorted role based access control (RBÄC). We start from the observation that "classic" RBAC blends together subject management aspects and permission management aspects into a single object of indirection: a role. We posit there is merit in distinguishing these administrative perspectives and consequently introducing two distinct objects of indirection: the proper role (which applies solely to subjects) and the demarcation (which applies solely to permissions). We then identify a third administrative perspective called access management where the two are linked up. In this way we enhance organisational scalability by decoupling the tasks of maintaining abstractions over the set of subjects (assignment of subjects into proper roles), maintaining abstractions over the set of permissions (assignment of permissions into demarcations), and maintaining abstract access control policy (granting proper roles access to demarcations). Moreover, the latter conceptual refinement naturally leads us to the introduction of negative roles (and, dually, negative demarcations). The relevance of the four-sorted extension called polarized, bi-sorted role based access control (R ± BÄC), in a semantic sense, is further supported by the existence of Galois connections between sets of subjects and permissions and between positive and negative roles.

show abstract

“…For example, MS-Windows firewalls exclusively specify exceptions, since the basic default effect is deny. Optimizing the specification of exceptions has been addressed in [11]. However, in a language with the capability to express complex conditions with multiple ranges in a single rule, the full extensions to language expressiveness that they propose would not be necessary.…”

Section: Expressiveness Of Languagesmentioning

confidence: 99%

Strategies for Reducing Risks of Inconsistencies in Access Control Policies

Stepien

Matwin

Felty

2010

2010 International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

Abstract-Managing access control policies is a complex task. We argue that much of the complexity is unnecessary and mostly due to historical reasons. There are number of legacy policy specification languages that all have limitations of some kind. These limitations have forced policy implementers to use certain styles of writing policies, often resulting in inconsistencies. The detection and resolution of these inconsistencies has been widely researched and many solutions have been found. This paper highlights new possibilities for avoiding inconsistencies, drawing on the expressive power allowed in the condition field of rules in modern languages such as XACML. In particular, we show that making use of this expressive power has many advantages-it allows organizations to considerably reduce the number of policies and rules required to protect company assets; it provides improved views and summaries of related policies; and it allows increased scalability of analysis tools, such as tools that detect inconsistencies and tools that perform audits to verify compliance to regulations.Such tools are increasingly important in the current environment where the number of regulations governing company security continues to grow. In addition, we show how our user-friendly representation for the XACML language facilitates the use of complex conditions by increasing their readability. This increased readability has the additional benefit of allowing non-technical users to better understand the implementation of their policies. These factors all contribute to a lower risk of inconsistencies in policies.

show abstract

Management of Exceptions on Access Control Policies

Cited by 8 publications

References 10 publications

A System for Timely and Controlled Information Sharing in Emergency Situations

A System for Timely and Controlled Information Sharing in Emergency Situations

Sorting out role based access control

Strategies for Reducing Risks of Inconsistencies in Access Control Policies

Contact Info

Product

Resources

About