Issue No. 06 - November/December (2011 vol. 8)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TDSC.2010.55
Yuqing Sun , Shandong University, Jinan
Qihua Wang , IBM Almaden Research Center, USA
Ninghui Li , Purdue University, West Lafayette
Elisa Bertino , Purdue University, West Lafayette
Mikhail (Mike) J. Atallah , Purdue University, West Lafayette
In practice, assigning access permissions to users must satisfy a variety of constraints motivated by business and security requirements. Here, we focus on Role-Based Access Control (RBAC) systems, in which access permissions are assigned to roles and roles are then assigned to users. User-role assignment is subject to role-based constraints, such as mutual exclusion constraints, prerequisite constraints, and role-cardinality constraints. Also, whether a user is qualified for a role depends on whether his/her qualification satisfies the role's requirements. In other words, a role can only be assigned to a certain set of qualified users. In this paper, we study fundamental problems related to access control constraints and user-role assignment, such as determining whether there are conflicts in a set of constraints, verifying whether a user-role assignment satisfies all constraints, and how to generate a valid user-role assignment for a system configuration. Computational complexity results and/or algorithms are given for the problems we consider.
Access control, RBAC, formal methods, computational complexity.
E. Bertino, M. (. Atallah, N. Li, Q. Wang and Y. Sun, "On the Complexity of Authorization in RBAC under Qualification and Security Constraints," in IEEE Transactions on Dependable and Secure Computing, vol. 8, no. , pp. 883-897, 2010.