An Analysis of Expressiveness and Design Issues for the Generalized Temporal Role-Based Access Control Model
April-June 2005 (vol. 2 no. 2)
pp. 157-175
The Generalized Temporal Role-Based Access Control (GTRBAC) model provides a comprehensive set of temporal constraint expressions that facilitate the specification of fine-grained, time-based access control policies. However, the expressiveness and usability of this model have not previously been investigated. In this paper, we present an analysis of the expressiveness of the constructs provided by the model and show that its constraint set is not minimal: there is a subset of GTRBAC constraints that is sufficient to express every access constraint expressible with the full set. We also show that a nonminimal GTRBAC constraint set can provide greater flexibility and lower complexity of constraint representation. Based on this analysis, we present a set of design guidelines for the development of GTRBAC-based security administration.
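To make the kind of time-based policy the abstract refers to concrete, the following is an added example (not code from the paper or its authors) of a small temporal-RBAC evaluator in the spirit of GTRBAC. It is a constructed simplification: periodic-time expressions are reduced to a weekday set plus a daily window, and only three constraint kinds are modelled (a periodicity constraint on role enabling, a periodicity constraint on user-role assignment, and a per-role activation cardinality limit). The `Nurse` role, the users, the permission name, and the `dead_assignments` administration check are all assumptions introduced for illustration; the check goes slightly beyond the text by flagging an assignment whose validity window can never overlap its role's enabling window, the sort of unreachable constraint an administration tool built along the paper's design guidelines would want to report.

```python
"""Added example: temporal-RBAC evaluator in the spirit of GTRBAC (constructed
simplification, not the paper's formal semantics or code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Periodic:
    """Periodic-time expression: a set of weekdays (0 = Monday) and a daily
    window [start_hour, start_hour + duration_hours). Assumed not to cross midnight."""
    weekdays: frozenset
    start_hour: int
    duration_hours: int

    def contains(self, t: datetime) -> bool:
        if t.weekday() not in self.weekdays:
            return False
        start = t.replace(hour=self.start_hour, minute=0, second=0, microsecond=0)
        return start <= t < start + timedelta(hours=self.duration_hours)

    def overlaps(self, other: "Periodic") -> bool:
        """True if some instant lies inside both expressions."""
        if not (self.weekdays & other.weekdays):
            return False
        return (self.start_hour < other.start_hour + other.duration_hours
                and other.start_hour < self.start_hour + self.duration_hours)


def holds(expr, t: datetime) -> bool:
    """None stands for 'no temporal restriction'."""
    return expr is None or expr.contains(t)


class TemporalRBAC:
    def __init__(self):
        self.role_enabling = {}   # role -> Periodic: the role is enabled only inside it
        self.user_role = {}       # (user, role) -> Periodic | None: assignment validity
        self.role_perms = {}      # role -> set of permissions
        self.max_active = {}      # role -> per-role activation cardinality limit
        self.active = {}          # role -> set of users holding a live activation

    def add_role(self, role, enabled: Periodic, perms, max_active: int):
        self.role_enabling[role] = enabled
        self.role_perms[role] = set(perms)
        self.max_active[role] = max_active
        self.active[role] = set()

    def assign(self, user, role, valid: Periodic = None):
        self.user_role[(user, role)] = valid

    def can_activate(self, user, role, t: datetime):
        """Activation needs an enabled role, a valid assignment, and free capacity."""
        if not holds(self.role_enabling[role], t):
            return False, "role not enabled"
        if (user, role) not in self.user_role or not holds(self.user_role[(user, role)], t):
            return False, "assignment not valid"
        if user not in self.active[role] and len(self.active[role]) >= self.max_active[role]:
            return False, "activation limit reached"
        return True, "ok"

    def activate(self, user, role, t: datetime) -> bool:
        ok, _ = self.can_activate(user, role, t)
        if ok:
            self.active[role].add(user)
        return ok

    def refresh(self, t: datetime):
        """A role that becomes disabled (or an assignment that lapses) loses its
        activations: drop every activation whose preconditions fail at t."""
        for role in self.active:
            self.active[role] = {u for u in self.active[role]
                                 if holds(self.role_enabling[role], t)
                                 and holds(self.user_role[(u, role)], t)}

    def authorized(self, user, perm, t: datetime) -> bool:
        self.refresh(t)
        return any(user in users and perm in self.role_perms[role]
                   for role, users in self.active.items())

    def dead_assignments(self):
        """Administration check: an assignment whose validity window never meets
        the role's enabling window can never be activated."""
        return sorted((u, r) for (u, r), v in self.user_role.items()
                      if v is not None and not v.overlaps(self.role_enabling[r]))


WEEKDAYS, WEEKEND = frozenset(range(5)), frozenset({5, 6})
MON_10 = datetime(2005, 4, 4, 10)   # a Monday, 10:00 (constructed sample instant)
SAT_10 = datetime(2005, 4, 9, 10)   # the following Saturday, 10:00


def build_demo_policy() -> TemporalRBAC:
    """Constructed sample policy: 'Nurse' enabled on weekdays 08:00-20:00, two seats."""
    p = TemporalRBAC()
    p.add_role("Nurse", Periodic(WEEKDAYS, 8, 12), {"read_chart"}, max_active=2)
    p.assign("alice", "Nurse")                            # no extra restriction
    p.assign("bob", "Nurse", Periodic(WEEKEND, 8, 12))    # never overlaps the enabling window
    p.assign("carol", "Nurse")
    p.assign("dave", "Nurse")
    return p


if __name__ == "__main__":
    p = build_demo_policy()
    print(p.dead_assignments())                               # [('bob', 'Nurse')]
    print(p.activate("alice", "Nurse", MON_10), p.activate("carol", "Nurse", MON_10))
    print(p.can_activate("dave", "Nurse", MON_10))            # (False, 'activation limit reached')
    print(p.authorized("alice", "read_chart", MON_10))        # True
    print(p.authorized("alice", "read_chart", MON_10.replace(hour=21)))  # False: role disabled
```

The point to take from the run is the interaction between constraint kinds: bob's assignment is syntactically valid but, intersected with the role-enabling constraint, admits no instant at all, which is exactly the sort of redundancy or dead weight a minimality analysis of the constraint set makes visible, and which a richer (nonminimal) constraint vocabulary makes easier to state but also easier to get wrong.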

[1] G. Ahn and R. Sandhu, “Role-Based Authorization Constraints Specification,” ACM Trans. Information and System Security, vol. 3, no. 4, Nov. 2000.
[2] V. Atluri and A. Gal, “An Authorization Model for Temporal and Derived Data: Securing Information Portals,” ACM Trans. Information and System Security, vol. 5, no. 1, pp. 62-94, Feb. 2002.
[3] J. Barkley, A. Cincotta, D. Ferraiolo, S. Gavrila, and D.R. Kuhn, “Role Based Access Control for the World Wide Web,” Proc. 20th Nat'l Information Systems Security Conf. (NIST/NSA), 1997.
[4] E. Bertino, C. Bettini, E. Ferrari, and P. Samarati, “An Access Control Model Supporting Periodicity Constraints and Temporal Reasoning,” ACM Trans. Database Systems, vol. 23, no. 3, pp. 231-285, Sept. 1998.
[5] E. Bertino, P.A. Bonatti, and E. Ferrari, “TRBAC: A Temporal Role-Based Access Control Model,” ACM Trans. Information and System Security, vol. 4, no. 4, 2001.
[6] E. Bertino, E. Ferrari, and V. Atluri, “The Specification and Enforcement of Authorization Constraints in Workflow Management Systems,” ACM Trans. Information and System Security, vol. 2, no. 1, pp. 65-104, 1999.
[7] R. Bhatti, J.B.D. Joshi, E. Bertino, and A. Ghafoor, “XML-Based Specification for Web-Services Document Security,” Computer, vol. 37, no. 4, Apr. 2004.
[8] R. Bhatti, B. Shafiq, J.B.D. Joshi, E. Bertino, and A. Ghafoor, “X-GTRBAC Admin: A Decentralized Administration Model for Enterprise Wide Access Control,” ACM Trans. Information and System Security, to appear.
[9] M.J. Covington, W. Long, S. Srinivasan, A.K. Dey, M. Ahamad, and G.D. Abowd, “Securing Context-Aware Applications Using Environment Roles,” Proc. ACM Symp. Access Control Models and Technologies, May 2001.
[10] D.F. Ferraiolo, D.M. Gilbert, and N. Lynch, “An Examination of Federal and Commercial Access Control Policy Needs,” Proc. NIST/NCSC Nat'l Computer Security Conf., pp. 107-116, Sept. 1993.
[11] E. Ferrari and B. Thuraisingham, “Security and Privacy for Web Databases and Services,” Proc. Int'l Conf. Extending Database Technology, pp. 17-28, 2004.
[12] L. Giuri, “Role-Based Access Control: A Natural Approach,” Proc. First ACM Workshop Role-Based Access Control, 1997.
[13] J.B.D. Joshi, W.G. Aref, A. Ghafoor, and E.H. Spafford, “Security Models for Web-Based Applications,” Comm. ACM, vol. 44, no. 2, pp. 38-72, Feb. 2001.
[14] J.B.D. Joshi, R. Bhatti, E. Bertino, and A. Ghafoor, “An Access Control Language for Multidomain Environments,” IEEE Internet Computing, pp. 40-50, Nov.-Dec. 2004.
[15] J.B.D. Joshi, A. Ghafoor, W. Aref, and E.H. Spafford, “Digital Government Security Infrastructure Design Challenges,” Computer, vol. 34, no. 2, pp. 66-72, Feb. 2001.
[16] J.B.D. Joshi, E. Bertino, and A. Ghafoor, “Temporal Hierarchy and Inheritance Semantics for GTRBAC,” Proc. Seventh ACM Symp. Access Control Models and Technologies, June 2002.
[17] J. Joshi, E. Bertino, U. Latif, and A. Ghafoor, “Generalized Temporal Role Based Access Control Model,” IEEE Trans. Knowledge and Data Eng., vol. 17, no. 1, pp. 4-23, Jan. 2005.
[18] A. Kumar, N. Karnik, and G. Chafle, “Context Sensitivity in Role-Based Access Control,” ACM SIGOPS Operating Systems Rev., vol. 36, no. 3, pp. 53-66, July 2002.
[19] G. Neumann and M. Strembeck, “An Approach to Engineer and Enforce Context Constraints in an RBAC Environment,” Proc. Eighth ACM Symp. Access Control Models and Technologies, pp. 65-79, 2003.
[20] M. Niezette and J. Stevenne, “An Efficient Symbolic Representation of Periodic Time,” Proc. First Int'l Conf. Information and Knowledge Management, 1992.
[21] M. Nyanchama and S. Osborn, “The Role Graph Model and Conflict of Interest,” ACM Trans. Information and System Security, vol. 2, no. 1, pp. 3-33, 1999.
[22] S. Osborn, R. Sandhu, and Q. Munawer, “Configuring Role-Based Access Control to Enforce Mandatory and Discretionary Access Control Policies,” ACM Trans. Information and System Security, vol. 3, no. 2, pp. 85-106, May 2000.
[23] J.S. Park, R. Sandhu, and G.J. Ahn, “Role-Based Access Control on the Web,” ACM Trans. Information and System Security, vol. 4, no. 1, pp. 37-71, Feb. 2001.
[24] R. Sandhu, “Role Activation Hierarchies,” Proc. Second ACM Workshop Role-Based Access Control, Oct. 1998.
[25] R. Sandhu, “Separation of Duties in Computerized Information Systems,” Database Security IV: Status and Prospects, pp. 179-189, 1991.
[26] R. Sandhu, E.J. Coyne, H.L. Feinstein, and C.E. Youman, “Role-Based Access Control Models,” Computer, vol. 29, no. 2, pp. 38-47, Feb. 1996.
[27] R. Simon and M.E. Zurko, “Separation of Duty in Role-Based Environments,” Proc. 10th IEEE Computer Security Foundations Workshop, June 1997.
[28] B.M. Thuraisingham, C. Clifton, A. Gupta, E. Bertino, and E. Ferrari, “Directions for Web and E-Commerce Applications Security,” Proc. Int'l Workshops Enabling Technologies: Infrastructures for Collaborative Enterprises, pp. 200-204, 2001.

Index Terms: Role-based access control, temporal constraint, expressiveness analysis, minimality.
Citation:
James B.D. Joshi, Elisa Bertino, Arif Ghafoor, "An Analysis of Expressiveness and Design Issues for the Generalized Temporal Role-Based Access Control Model," IEEE Transactions on Dependable and Secure Computing, vol. 2, no. 2, pp. 157-175, April-June 2005, doi:10.1109/TDSC.2005.18