This Article 
   
 Share 
   
 Bibliographic References 
   
 Add to: 
 
Digg
Furl
Spurl
Blink
Simpy
Google
Del.icio.us
Y!MyWeb
 
 Search 
   
A Generalized Temporal Role-Based Access Control Model
January 2005 (vol. 17 no. 1)
pp. 4-23
Role-based access control (RBAC) models have generated a great interest in the security community as a powerful and generalized approach to security management. In many practical scenarios, users may be restricted to assume roles only at predefined time periods. Furthermore, roles may only be invoked on prespecified intervals of time depending upon when certain actions are permitted. To capture such dynamic aspects of a role, a temporal RBAC (TRBAC) model has been recently proposed. However, the TRBAC model addresses the role enabling constraints only. In this paper, we propose a Generalized Temporal Role-Based Access Control (GTRBAC) model capable of expressing a wider range of temporal constraints. In particular, the model allows expressing periodic as well as duration constraints on roles, user-role assignments, and role-permission assignments. In an interval, activation of a role can further be restricted as a result of numerous activation constraints including cardinality constraints and maximum active duration constraints. The GTRBAC model extends the syntactic structure of the TRBAC model and its event and trigger expressions subsume those of TRBAC. Furthermore, GTRBAC allows expressing role hierarchies and separation of duty (SoD) constraints for specifying fine-grained temporal semantics.

[1] G. Ahn and R. Sandhu, “Role-Based Authorization Constraints Specification,” ACM Trans. Information and System Security, vol. 3, no. 4, Nov. 2000.
[2] J.F. Allen, “Maintaining Knowledge about Temporal Intervals,” Comm. ACM, vol. 26, no. 11, pp. 832-843, Nov. 1983.
[3] V. Atluri and A. Gal, “An Authorization Model for Temporal and Derived Data: Securing Information Portals,” ACM Trans. Information and System Security, vol. 5, no. 1, pp. 62-94, Feb. 2002.
[4] J. Bacon, K. Moody, and W. Yao, “A Model of OASIS Role-Based Access Control and Its Support for Active Security,” ACM Trans. Information and System Security, vol. 5, no. 4, Nov. 2002.
[5] E. Bertino, C. Bettini, E. Ferrari, and P. Samarati, “An Access Control Model Supporting Periodicity Constraints and Temporal Reasoning,” ACM Trans. Database Systems, vol. 23, no. 3, pp. 231-285, Sept. 1998.
[6] E. Bertino, E. Ferrari, and V. Atluri, “The Specification and Enforcement of Authorization Constraints in Workflow Management Systems,” ACM Trans. Information and System Security, vol. 2, no. 1, pp. 65-104, Feb. 1999.
[7] E. Bertino, P.A. Bonatti, and E. Ferrari, “TRBAC: A Temporal Role-Based Access Control Model,” ACM Trans. Information and System Security, vol. 4, no. 3, pp. 191-233, Aug. 2001.
[8] D. Ferrariolo, J.F. Barkley, and D.R. Kuhn, A Role-Based Access“ Control Model and Reference Implementation within a Corporate Intranet,” ACM Trans. Information and System Security, vol. 2, no. 1, pp. 34-64, 1999.
[9] D.F. Ferraiolo, R. Sandhu, S. Gavrila, D.R. Kuhn, and R. Chandramouli, “Proposed NIST Standard for Role-Based Access Control,” ACM Trans. Information and System Security, vol. 4, no. 3, pp. 224-274, Aug. 2001.
[10] J.B.D. Joshi, “A Generalized Temporal Role Based Access Control Model for Developing Secure Systems,” PhD thesis, CERIAS TR 2003-23, Purdue Univ., 2003.
[11] D.R. Kuhn, “Mutual Exclusion of Roles as a Means of Implementing Separation of Duties in a Role-Based Access Control System,” ACM Trans. Information and System Security, vol. 2, no. 2, pp. 177-228, 1999.
[12] M. Niezette and J. Stevenne, “An Efficient Symbolic Representation of Periodic Time,” Proc. First Int'l Conf. Information and Knowledge Management, 1992.
[13] M. Nyanchama and S. Osborn, “The Role Graph Model and Conflict of Interest,” ACM Trans. Information and System Security, vol. 2, no. 1, pp. 3-33, 1999.
[14] S.L. Osborn, R. Sandhu, and Q. Munawer, “Configuring Role-Based Access Control to Enforce Mandatory and Discretionary Access Control Policies,” ACM Trans. Information and System Security, vol. 3, no. 2, Feb. 2000.
[15] R. Sandhu, “Separation of Duties in Computerized Information Systems,” Database Security IV: Status and Prospects, pp. 179-189, North Holland, 1991.
[16] R. Sandhu, E. Coyne, H. Feinstein, and C. Youman, “Role-Based Access Control Models,” Computer, vol. 29, no. 2, Feb. 1996.
[17] R. Sandhu, “Role Activation Hierarchies,” Proc. Second ACM Workshop Role-Based Access Control, 1998.
[18] R. Simon and M.E. Zurko, “Separation of Duty in Role-Based Environments,” Proc. 10th IEEE Computer Security Foundations Workshop, June 1997.

Index Terms:
Access control, role-based, temporal constraints, role hierarchy, separation of duty.
Citation:
James B.D. Joshi, Elisa Bertino, Usman Latif, Arif Ghafoor, "A Generalized Temporal Role-Based Access Control Model," IEEE Transactions on Knowledge and Data Engineering, vol. 17, no. 1, pp. 4-23, Jan. 2005, doi:10.1109/TKDE.2005.1
Usage of this product signifies your acceptance of the Terms of Use.