Results 1 - 10 of 28
Access Rights Administration in Role-Based Security Systems
- Database Security VIII: Status and Prospects, 1994
Cited by 60 (12 self)
This paper examines the concept of role-based protection and, in particular, role organization. From basic role relationships, a model for role organization is developed. The role graph model, its operator semantics based on graph theory and algorithms for role administration are proposed. The role graph model, in our view, presents a very generalized form of role organization for access rights administration. It is shown how the model simulates other organizational structures such as hierarchies [TDH92] and privilege graphs [Bal90].
The Specification and Modeling of Computer Security
- IEEE Computer, 1990
Cited by 47 (5 self)
This paper provides an introduction to computer security modeling in general, the Bell and LaPadula model in particular, and the limitations of the model. Many of the issues raised are of interest not simply to the security community, but for the software specification community as a whole. We then construct a framework for security models that address these limitations. The result is a model that not only better addresses government security policies, but nongovernment security policies as well.
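Added example, not from the paper above: the two Bell and LaPadula rules the abstract refers to, coded over the usual lattice of classification levels and compartments. The level names, compartments and the `trusted` flag are assumptions made for the illustration; the last of these is how BLP models sanctioned downgrading, and the blind write-up the code permits is one of the limitations of the model that the paper discusses (BLP says nothing about integrity).

```python
from dataclasses import dataclass

# Assumed total order of classification levels (illustration only).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a classification level plus a set of compartments."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: higher-or-equal level AND a superset of compartments.
        Two labels may be incomparable, in which case neither dominates."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def label(level: str, *categories: str) -> Label:
    """Convenience constructor: label("SECRET", "NUC", "CRYPTO")."""
    return Label(level, frozenset(categories))


def decide(subject: Label, obj: Label, mode: str, trusted: bool = False) -> bool:
    """BLP access decision for a single request.

    read      : simple security property (no read up): subject must dominate object.
    write     : *-property (no write down): object must dominate subject.
    readwrite : both rules, so only labels equal to the subject's qualify.

    A trusted subject is exempt from the *-property only; this is the hook BLP
    uses for sanctioned downgrading, and the point at which the model's
    confidentiality guarantee depends on something outside the model.
    """
    if mode == "read":
        return subject.dominates(obj)
    if mode == "write":
        return trusted or obj.dominates(subject)
    if mode == "readwrite":
        return decide(subject, obj, "read", trusted) and decide(subject, obj, "write", trusted)
    raise ValueError(f"unknown access mode {mode!r}")


if __name__ == "__main__":
    s = label("SECRET", "NUC")
    print("read CONFIDENTIAL/NUC :", decide(s, label("CONFIDENTIAL", "NUC"), "read"))
    print("write CONFIDENTIAL/NUC:", decide(s, label("CONFIDENTIAL", "NUC"), "write"))
    # Blind write-up: permitted by the *-property even though the subject cannot read back.
    print("write TOP_SECRET/NUC+CRYPTO:", decide(s, label("TOP_SECRET", "NUC", "CRYPTO"), "write"))
```

Note that the compartment check is what makes this a lattice rather than a ladder: a SECRET/NUC subject is denied both read and write on a CONFIDENTIAL/CRYPTO object because the labels are incomparable, not because either is "higher".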
Optimistic Security: A New Access Control Paradigm
- In Proceedings of 1999 New Security Paradigms Workshop, 1999
Cited by 41 (1 self)
Despite the best efforts of security researchers, sometimes the static nature of authorisation can cause unexpected risks for users working in a dynamically changing environment. Disasters, medical emergencies or time-critical events can all lead to situations where the ability to relax normal access rules can become critically important. This paper presents an optimistic access control scheme where enforcement of rules is retrospective. The system administrator is relied on to ensure that the system is not misused, and compensating transactions are used to ensure that the system integrity can be recovered in the case of a breach. It is argued that providing an optimistic scheme alongside a traditional access control mechanism can provide a useful means for users to exceed their normal privileges on the rare occasion that the situation warrants it.
Conceptual Foundations for a Model of Task-based Authorizations
- 1994
Cited by 36 (1 self)
In this paper we describe conceptual foundations to address integrity issues in computerized information systems from the enterprise perspective. Our motivation for this effort stems from the recognition that existing models are formulated at too low a level of abstraction, to be useful for modeling organizational requirements, policy aspects, and internal controls, pertaining to maintenance of integrity in information systems. In particular, these models are primarily concerned with the integrity of internal data components within computer systems, and thus lack the constructs necessary to model enterprise level integrity principles. The starting point in our investigation is the notion of authorization functions and tasks associated with business activities carried out in the enterprise. These functions identify the authorization requirements while the authorization tasks embody the concepts required to carry out such authorizations. We believe a model of task-based autho...
Modeling Mandatory Access Control in Role-Based Security Systems
- In Database Security VIII: Status and Prospects. Chapman-Hall, 1995
Cited by 34 (4 self)
This paper discusses the realization of mandatory access control in role-based protection systems. Starting from the basic definitions of roles, their application in security and the basics of the concept of mandatory access control, we develop a scheme of role-based protection that realizes mandatory access control. The basis of this formulation develops from the recognition that roles can be seen as facilitating access to some given information context. By handling each of the role contexts as independent security levels of information, we simulate mandatory access by imposing the requirements of mandatory access control. Among the key considerations, we propose a means of taming Trojan horses by imposing acyclic information flow among contexts in role-based protection systems. The acyclic information flows and suitable access rules incorporate secrecy which is an essential component of mandatory access control.
Keywords: Security level, information flow, mandatory access control, r...
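Added example, not from the paper: the acyclicity check the abstract describes, on a constructed role policy. A context is treated as a node, and information is taken to flow from context A to context B whenever a single role may read A and write B (a Trojan horse running with that role can copy A into B). If the resulting graph has a cycle, two contexts are mutually reachable and cannot be kept apart as distinct security levels; if it is acyclic, a topological order of the contexts gives a consistent assignment of levels. Role, context and mode names are assumptions.

```python
from collections import defaultdict, deque

# Constructed policy (hypothetical names): role -> {context: set of access modes}.
# The "auditor" write to "hr" closes a cycle hr -> payroll -> reports -> hr.
ROLES = {
    "hr_clerk":        {"hr": {"read"}, "payroll": {"write"}},
    "payroll_officer": {"payroll": {"read", "write"}, "reports": {"write"}},
    "auditor":         {"reports": {"read"}, "hr": {"write"}},
}


def flow_graph(roles):
    """Build context -> set(contexts) where src -> dst means some single role can
    read src and write dst. Reading and writing the same context is not a flow."""
    g = defaultdict(set)
    for perms in roles.values():
        readable = {c for c, modes in perms.items() if "read" in modes}
        writable = {c for c, modes in perms.items() if "write" in modes}
        for src in readable:
            for dst in writable:
                if src != dst:
                    g[src].add(dst)
        for c in perms:                 # keep isolated contexts as nodes too
            g.setdefault(c, set())
    return dict(g)


def find_cycle(g):
    """Depth-first search with three colours. Returns one cycle as a list of
    contexts (first == last) or None when the flow graph is acyclic."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {c: WHITE for c in g}
    path = []

    def visit(u):
        colour[u] = GREY
        path.append(u)
        for v in sorted(g[u]):
            if colour[v] == GREY:                      # back edge: cycle closed
                return path[path.index(v):] + [v]
            if colour[v] == WHITE:
                cyc = visit(v)
                if cyc:
                    return cyc
        path.pop()
        colour[u] = BLACK
        return None

    for c in sorted(g):
        if colour[c] == WHITE:
            cyc = visit(c)
            if cyc:
                return cyc
    return None


def flow_order(g):
    """Kahn's topological sort. The returned order is one consistent assignment
    of security levels (information only flows forward in the list).
    Raises ValueError if the graph has a cycle."""
    indeg = {c: 0 for c in g}
    for u in g:
        for v in g[u]:
            indeg[v] += 1
    queue = deque(sorted(c for c in g if indeg[c] == 0))
    order = []
    while queue:
        u = queue.popleft()
        order.append(u)
        for v in sorted(g[u]):
            indeg[v] -= 1
            if indeg[v] == 0:
                queue.append(v)
    if len(order) != len(g):
        raise ValueError("information-flow graph contains a cycle")
    return order


if __name__ == "__main__":
    g = flow_graph(ROLES)
    print("cycle:", find_cycle(g))
    fixed = dict(ROLES)
    fixed["auditor"] = {"reports": {"read"}}   # drop the write that closed the cycle
    print("levels:", flow_order(flow_graph(fixed)))
```

The check is per-role, not per-user: if one user can activate several roles at once, the readable and writable sets should be unioned across the roles that user may hold simultaneously before building the graph, otherwise a cycle that only exists across two of a user's roles is missed.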
A Lightweight Approach to Specification and Analysis of Role-based Access Control Extensions
- In Proc. of 7th SACMAT, 2002
Cited by 24 (0 self)
Role-based access control is a powerful and policy-neutral concept for enforcing access control. Many extensions have been proposed, the most significant of which are the decentralised administration of role-based systems and the enforcement of constraints. However, the simultaneous integration of these extensions can cause conflicts in a later system implementation. We demonstrate how we use the Alloy language for the specification of a conflict-free role-based system. This specification provides us at the same time with a suitable basis for further analysis by the Alloy constraint analyser.
Policy analysis for administrative role based access control
- In Proc. 19th IEEE Computer Security Foundations Workshop (CSFW), 2006
Cited by 18 (3 self)
Role-Based Access Control (RBAC) is a widely used model for expressing access control policies. In large organizations, the RBAC policy may be collectively managed by many administrators. Administrative RBAC (ARBAC) is a model for expressing the authority of administrators, thereby specifying how an organization’s RBAC policy may change. Changes by one administrator may interact in unintended ways with changes by other administrators. Consequently, the effect of an ARBAC policy is hard to understand by simple inspection. In this paper, we consider the problem of analyzing ARBAC policies, in particular to determine reachability properties (e.g., whether a user can eventually be assigned to a role by a group of administrators) and availability properties (e.g., whether a user cannot be removed from a role by a group of administrators) implied by a policy. We first establish the connection between security policy analysis and planning in Artificial Intelligence. Based partly on this connection, we show that reachability analysis for ARBAC is PSPACE-complete. We also give algorithms and complexity results for reachability and related analysis problems for several categories of ARBAC policies, defined by simple restrictions on the policy language.
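Added example, not from the paper: the two query types the abstract names, reachability and availability, answered by exhaustive search on a small constructed ARBAC policy. The policy uses URA97-style `can_assign` (administrative role, precondition on the user's current roles, target role) and `can_revoke` (administrative role, target role) rules; all role names are hypothetical. The example assumes the simplification that the administrators' own roles are fixed and that queries concern one user, so the state is just that user's role set; the paper's formalization and its complexity results are more general than this toy.

```python
from collections import deque

# Constructed ARBAC policy (hypothetical role names).
# can_assign rule: (administrative role, precondition, target role); a precondition
# is a set of literals "+r" (user must hold r) and "-r" (user must not hold r).
CAN_ASSIGN = [
    ("HRAdmin",      {"+Employee"},             "Engineer"),
    ("HRAdmin",      {"+Engineer"},             "Manager"),
    # Separation of duty: an engineer must not approve payments.
    ("FinanceAdmin", {"+Manager", "-Engineer"}, "PaymentApprover"),
]
# can_revoke rule: (administrative role, target role)
CAN_REVOKE = [
    ("HRAdmin",      "Engineer"),
    ("FinanceAdmin", "PaymentApprover"),
]


def precondition_holds(precond, roles):
    """Evaluate a conjunction of +r / -r literals against a role set."""
    for lit in precond:
        sign, role = lit[0], lit[1:]
        if sign == "+" and role not in roles:
            return False
        if sign == "-" and role in roles:
            return False
    return True


def successors(state, admins, can_assign, can_revoke):
    """Role sets reachable from `state` by one action of an administrator holding
    one of `admins`, each paired with a description of that action (rule order)."""
    out = []
    for admin, precond, target in can_assign:
        if admin in admins and target not in state and precondition_holds(precond, state):
            out.append((state | {target}, f"assign {target} ({admin})"))
    for admin, target in can_revoke:
        if admin in admins and target in state:
            out.append((state - {target}, f"revoke {target} ({admin})"))
    return out


def explore(initial, admins, can_assign=CAN_ASSIGN, can_revoke=CAN_REVOKE):
    """Breadth-first search over the user's possible role sets (worst case
    exponential in the number of roles). Returns {state: (previous_state, action)}
    with the initial state mapped to None, so witnesses can be reconstructed."""
    start = frozenset(initial)
    parent = {start: None}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        for nxt, action in successors(state, admins, can_assign, can_revoke):
            if nxt not in parent:
                parent[nxt] = (state, action)
                queue.append(nxt)
    return parent


def witness(parent, state):
    """Reconstruct the administrative action sequence that produced `state`."""
    steps = []
    while parent[state] is not None:
        state, action = parent[state]
        steps.append(action)
    return steps[::-1]


def can_reach_role(initial, target, admins, **policy):
    """Reachability: a shortest sequence of actions by administrators holding
    `admins` after which the user holds `target`, or None if there is none."""
    parent = explore(initial, admins, **policy)
    for state in parent:            # dict keeps BFS order, so the first hit is shortest
        if target in state:
            return witness(parent, state)
    return None


def always_retains(initial, role, admins, **policy):
    """Availability: True iff no sequence of actions by `admins` can leave the
    user without `role`."""
    return all(role in state for state in explore(initial, admins, **policy))


if __name__ == "__main__":
    both = {"HRAdmin", "FinanceAdmin"}
    print(can_reach_role({"Employee"}, "PaymentApprover", both))
    print(can_reach_role({"Employee"}, "PaymentApprover", {"HRAdmin"}))
    print(always_retains({"Employee", "Manager"}, "Manager", both))
```

The first query is the point of the paper's "hard to understand by simple inspection": no single rule hands PaymentApprover to an Employee, and the separation-of-duty literal `-Engineer` looks like it blocks the obvious path, yet the search finds assign Engineer, assign Manager, revoke Engineer, assign PaymentApprover. Restricting the administrators to HRAdmin alone makes the role unreachable, and Manager is always retained only because no `can_revoke` rule for it exists.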
Policy analysis for security-enhanced Linux
- In Proceedings of the 2004 Workshop on Issues in the Theory of Security (WITS), 2004
Cited by 14 (0 self)
Security-Enhanced Linux (SELinux) extends Linux with a flexible mandatory access control mechanism that enforces security policies expressed in SELinux’s policy language. Determining whether a given policy meets a site’s high-level security goals can be difficult, due to the low-level nature of the policy language and the size and complexity of SELinux policies. We propose a logic-programming-based approach to analysis of SELinux policies. The approach is implemented in a tool that helps users determine whether a policy meets its goals.
Bootstrapping trust in commodity computers
- In Proceedings of the IEEE Symposium on Security and Privacy, 2010
Cited by 14 (3 self)
Trusting a computer for a security-sensitive task (such as checking email or banking online) requires the user to know something about the computer’s state. We examine research on securely capturing a computer’s state, and consider the utility of this information both for improving security on the local computer (e.g., to convince the user that her computer is not infected with malware) and for communicating a remote computer’s state (e.g., to enable the user to check that a web server will adequately protect her data). Although the recent “Trusted Computing” initiative has drawn both positive and negative attention to this area, we consider the older and broader topic of bootstrapping trust in a computer. We cover issues ranging from the wide collection of secure hardware that can serve as a foundation for trust, to the usability issues that arise when trying to convey computer state information to humans. This approach unifies disparate research efforts and highlights opportunities for additional work that can guide real-world improvements in computer security.
Secure Role-Based Workflow Models
- Metal Detection”, Volume II, Technical Proposal, FETC Contract DE-AR2195MC32089, 2002
Cited by 13 (0 self)
In this paper we introduce a series of reference models for Secure Role-Based Workflow systems. We build our models over the well-known RBAC96 framework. The RBAC96 model supports the notion of abstract permissions. The nature of permissions is highly dependent upon the implementation details of the system, so we interpret the permissions for a Workflow system in terms of its components such as tasks, instances of the tasks and operations on them like execute, commit, abort etc. With this interpretation, we show that most of the components of RBAC96 still remain intact. The only components that change are the nature of permissions and their assignment to roles. The models are developed using the recently introduced four-layer OM-AM framework (comprising objective, model, architecture and mechanism layers). In this paper, we focus on the top two layers of OM-AM. We systematically describe our security objectives and construct our models to address these objectives. We also formally describe the models in terms of their components and their interactions. The main purpose for proposing these models is to articulate requirements for building Secure Role-Based Workflow Systems.