Security Policy Management for Systems Employing Role Based Access Control Model

Huang, Chao; Sun, Jun; Wang, Xinyu; Si, Yuanjie

doi:10.3923/itj.2009.726.734

Cited by 12 publications

(9 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Most of related works treat the notion of validating access control policies only during the specification or after the implementation. Their main objectives are to check the exactitude of the specification before proceeding to the implementation [4], [10], [15], [26], [27], [29], [37] or to verify the correctness of the implementation regarding the defined constraints [6], [14]. The aspect of checking the correspondence between the security planning and its real imp lementation, especially in terms of access control, according to our knowledge is not treated enough and needs more attention.…”

Section: B Discussionmentioning

confidence: 99%

“…Authors adopt a finite model checking to verify that an RBAC implementation conforms to its security constraints. (2) Detection of redundancy and inconsistency anomalies in the expression of a security policy [6]. By adopting the graph of roles, authors identify redundancy by the coexistence of direct and indirect privilege assignments (by transitivity) of the same privilege.…”

Section: A Related Workmentioning

confidence: 99%

See 1 more Smart Citation

An Approach to Formally Validate and Verify the Compliance of Low Level Access Control Policies

Jaidi¹,

Ayachi²

2014

2014 IEEE 17th International Conference on Computational Science and Engineering

View full text Add to dashboard Cite

Our research works are in the context of the integrity verification and optimization of access control policies in relational database management systems (RDBMS s). Indeed, resources in charge of administrating access control policies, like DBMSs, can easily permit the following malfunctions. (1) The record of illegal updates leading to a non-compliance of the policy regarding its original specification. This can occur after an intrusion attempt or an illegal delegation of rights. (2) The implementation of more than a unique access control model such as RBAC, DAC, etc. This situation can lead to redundancy, inconsistency or contradiction in the expression of the policy. (3)The exposure of the database to inner threats relative to illegal updates or access paradoxically made by authorized users. These vulnerabilities joined with challenges in the management of the policy, related to the evolution of access control models to fine grained access control, can easily corrupt the compliance of the policy. Hence, an important aspect is to help security architects verifying the correspondence and establishing the equivalence between the security planning and its real implementation. In this paper, we introduce our approach to address this problem. We transform the high level and the low level policies in a logiclike formalism that offers a solid environment to verify and validate properties of access control policies.

show abstract

Section: B Discussionmentioning

confidence: 99%

Section: A Related Workmentioning

confidence: 99%

An Approach to Formally Validate and Verify the Compliance of Low Level Access Control Policies

Jaidi¹,

Ayachi²

2014

2014 IEEE 17th International Conference on Computational Science and Engineering

View full text Add to dashboard Cite

show abstract

“…Bottom-Up Approach that starts with already existing access right patterns in production IT-systems: this approach is not intuitive and relies among other techniques on mathematical and graph optimization algorithms [38]. Policy management includes redundancy and inconsistency checking between rules [20]. Access control redundancy means the existence of two or more rules specifying the same access control and inconsistency means there are access control rules conflicting with each other in the policy.…”

Section: Role Engineering For Role-based Access Controlmentioning

confidence: 99%

The problem of integrity in RBAC-based policies within relational databases

Jaidi¹,

Ayachi²

2015

Proceedings of the 9th International Conference on Ubiquitous Information Management and Communication

View full text Add to dashboard Cite

The large deployment of the NIST RBAC model has initiated popular research topics such as administration, risk awareness, inner threats detection, etc. Our research works are in the context of integrity verification and optimization of role based access control policies. In this paper, we introduce a synthesis of the problem of access control policy integrity within relational databases. We address three vulnerabilities that can corrupt an access control policy. (1) The evolution of extensions of RBAC model to a finer granularity makes the management of the policy more difficult. (2) The exposure of the policy at the RDBM S level to illegal updates or paradoxically access made by authorized users.(3) The decorrelation of the policy, once implemented in the DBM S from its initial specification that allows any updating of the policy without the ability to control its evolution. M ore, the paper defines a framework for organizing thinking about validating the compliance of low level access control policies.

show abstract

“…(1) Validation of the implemented policy regarding the security constraints defined around that policy [4] using a finite model checking. (2) Detection of redundancy and inconsistency anomalies in the expression of a security policy [5] by adopting the formalism of graph of roles. The main objective of those works is to verify the correctness of the implemented policy regarding the defined constraints.…”

Section: Related Workmentioning

confidence: 99%

A Formal Approach Based on Verification and Validation Techniques for Enhancing the Integrity of Concrete Role Based Access Control Policies

Jaidi¹,

Ayachi²

2015

Advances in Intelligent Systems and Computing

View full text Add to dashboard Cite

Our research works are in the context of verifying the integrity of access control policies in relational database management systems. This paper addresses the following question: In terms of security and particularly access control, does an information system actually do what was planned for it to do? Thus, an important aspect is to help security architects verifying the correspondence between the security planning and its real implementation. We present a synthesis of the problem of access control policy integrity within relational databases. Then, we introduce our proposal for addressing this issue. We especially focus on the verification and validation of the conformity of concrete role based access control policies in a formal environment. Finally, we illustrate the relevance of our contribution through a case of study.

show abstract

Security Policy Management for Systems Employing Role Based Access Control Model

Cited by 12 publications

References 2 publications

An Approach to Formally Validate and Verify the Compliance of Low Level Access Control Policies

An Approach to Formally Validate and Verify the Compliance of Low Level Access Control Policies

The problem of integrity in RBAC-based policies within relational databases

A Formal Approach Based on Verification and Validation Techniques for Enhancing the Integrity of Concrete Role Based Access Control Policies

Contact Info

Product

Resources

About