The Community for Technology Leaders
RSS Icon
Issue No.06 - November/December (2011 vol.8)
pp: 883-897
Yuqing Sun , Shandong University, Jinan
Qihua Wang , IBM Almaden Research Center, USA
Ninghui Li , Purdue University, West Lafayette
Elisa Bertino , Purdue University, West Lafayette
Mikhail (Mike) J. Atallah , Purdue University, West Lafayette
In practice, assigning access permissions to users must satisfy a variety of constraints motivated by business and security requirements. Here, we focus on Role-Based Access Control (RBAC) systems, in which access permissions are assigned to roles and roles are then assigned to users. User-role assignment is subject to role-based constraints, such as mutual exclusion constraints, prerequisite constraints, and role-cardinality constraints. Also, whether a user is qualified for a role depends on whether his/her qualification satisfies the role's requirements. In other words, a role can only be assigned to a certain set of qualified users. In this paper, we study fundamental problems related to access control constraints and user-role assignment, such as determining whether there are conflicts in a set of constraints, verifying whether a user-role assignment satisfies all constraints, and how to generate a valid user-role assignment for a system configuration. Computational complexity results and/or algorithms are given for the problems we consider.
Access control, RBAC, formal methods, computational complexity.
Yuqing Sun, Qihua Wang, Ninghui Li, Elisa Bertino, Mikhail (Mike) J. Atallah, "On the Complexity of Authorization in RBAC under Qualification and Security Constraints", IEEE Transactions on Dependable and Secure Computing, vol.8, no. 6, pp. 883-897, November/December 2011, doi:10.1109/TDSC.2010.55
[1] G.-J. Ahn and R.S. Sandhu, “The RSL99 Language for Role-Based Separation of Duty Constraints,” Proc. Fourth Workshop Role-Based Access Control, pp. 43-54, 1999.
[2] G.-J. Ahn and R.S. Sandhu, “Role-Based Authorization Constraints Specification,” ACM Trans. Information and System Security, vol. 3, no. 4, pp. 207-226, Nov. 2000.
[3] ANSI, American National Standard for Information Technology—Role Based Access Control, p. 359, ANSI Int'l Committee for Information Technology Standards, Feb. 2004.
[4] E. Bertino, E. Ferrari, and V. Atluri, “The Specification and Enforcement of Authorization Constraints in Workflow Management Systems,” ACM Trans. Information and System Security, vol. 2, no. 1, pp. 65-104, Feb. 1999.
[5] H. Chen and N. Li, “Constraint Generation for Separation of Duty,” Proc. Ninth ACM Symp. Access Control Models and Technologies (SACMAT), pp. 130-138, June 2006.
[6] T.H. Cormen, C.E. Leiserson, R.L. Rivest, and C. Stein, Introduction to Algorithms. MIT Press, 2002.
[7] J. Crampton, “Specifying and Enforcing Constraints in Role-Based Access Control,” Proc. ACM Symp. Access Control Models and Technologies (SACMAT), pp. 43-50, June 2003.
[8] J. Crampton, “A Reference Monitor for Workflow Systems with Constrained Task Execution,” Proc. ACM Symp. Access Control Models and Technologies (SACMAT), pp. 38-47, June 2005.
[9] V.D. Gligor, S.I. Gavrila, and D.F. Ferraiolo, “On the Formal Definition of Separation-of-Duty Policies and Their Composition,” Proc. IEEE Symp. Research in Security and Privacy, pp. 172-183, May 1998.
[10] IBM Tivoli Identity Manager 5.1. tivihelp/v2r1/index.jsp?topic=/ cptcpt_ic_release_oview_whatsnew.html , 2009.
[11] T. Jaeger, “On the Increasing Importance of Constraints,” Proc. ACM Workshop Role-Based Access Control (RBAC), pp. 33-42, 1999.
[12] T. Jaeger and J.E. Tidswell, “Practical Safety in Flexible Access Control Models,” ACM Trans. Information and System Security, vol. 4, no. 2, pp. 158-190, May 2001.
[13] N. Li, M.V. Tripunitara, and Z. Bizri, “On Mutually Exclusive Roles and Separation of Duty,” ACM Trans. Information and System Security, vol. 10, no. 2, May 2007.
[14] N. Li, M.V. Tripunitara, and Q. Wang, “Resiliency Policies in Access Control,” Proc. ACM Conf. Computer and Comm. Security (CCS), Nov. 2006.
[15] D.L.B. (Project Leader) “Sat4j: A Satisfiability Library for Java,” URL http:/, Jan. 2006.
[16] R.S. Sandhu, V. Bhamidipati, and Q. Munawer, “The ARBAC97 Model for Role-Based Aministration of Roles,” ACM Trans. Information and Systems Security, vol. 2, no. 1, pp. 105-135, Feb. 1999.
[17] R.S. Sandhu, E.J. Coyne, H.L. Feinstein, and C.E. Youman, “Role-Based Access Control Models,” Computer, vol. 29, no. 2, pp. 38-47, Feb. 1996.
[18] T.T. Simon and M.E. Zurko, “Separation of Duty in Role-Based Environments,” Proc. 10th Computer Security Foundations Workshop, pp. 183-194, June 1997.
[19] J. Tidswell and T. Jaeger, “An Access Control Model for Simplifying Constraint Expression,” Proc. ACM Conf. Computer and Comm. Security, pp. 154-163, 2000.
[20] Q. Wang and N. Li, “Satisfiability and Resiliency in Workflow Systems,” Proc. European Symp. Research in Computer Security (ESORICS), Sept. 2007.
19 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool