QUANTITATIVE ANALYSIS AND ENFORCEMENT OF THE PRINCIPLE OF LEAST PRIVILEGE IN ROLE-BASED ACCESS CONTROL

Chunren Lai, Chang N. Zhang

2006

Abstract

Role-based access control (RBAC) models ease security administration and reduce overheads by introducing roles between users and privileges. RBAC provides the possibility to enforce the principle of least privileges that a user should be assigned just enough privileges to complete his/her job in order to prevent the possible information leaking and other wrong doing. This paper defines several concepts to quantitatively measure how well a user-role assignment meets the principle of least privilege and presents algorithms to find the perfect user-role assignment (i.e., without bringing any extra privilege) and the optimal user-role assignment (i.e., limiting any extra privilege to the minimum). The proposed approach for the enforcement of the principle of least privilege is particularly useful for automatic generation of user-role assignment in large-scale RBAC systems.

References

  1. Ahn, G., and Sandhu, R., 2000. Role-based authorization constraints specification. ACM Transactions on Information and System Security, Vol. 3 No. 4, November 2000, pp 207-226.
  2. Bertino, E., Bonatti, P. A., and Ferrari,E., 2001. TRBAC: A temporal role-based access control model. ACM Transactions on Information & System Security, Vol. 4, No. 3, Aug.2001, pp 191-233.
  3. Bertino, E., Ferrari, E., and Atluri, V., 1999. The specification and enforcement of authorization constraints in workflow management systems. ACM Transactions on Information and System Security, Vol. 2, No. 1, 1999, pp 65-104.
  4. Ferraiolo, D. F., Gilbert, D. M., and Lynch, N., 1993. An examination of federal and commercial access control policy needs. In Proceedings of NISTNCSC National Computer Security Conference, Baltimore, MD, September 1993, pp 107-116.
  5. Ferraiolo, D. F., Sandhu, R., Gavrila, S., Kuhn, D. R., Chandramouli, R., 2001. Proposed NIST standard for role-based access Control. ACM Transactions on Information and System Security, Vol. 4, No. 3, August 2001, pp 224-274.
  6. Giuri, L., 1997. Role-based access control: A natural approach. In Proceedings of the 1st ACM Workshop on Role-Based Access Control, ACM, 1997, Pages II, pp 33-37.
  7. Howard, M., and LeBlanc, D., 2003. Writing secure code. Microsoft Press, 2003.
  8. Osborn, S., Sandhu, R., and Munawer, Q., 2000. Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM Transactions on Information and System Security, Vol. 3, No. 2, May 2000, pp 85-106.
  9. Sandhu, R., Coyne, E. J., Feinstein, H. L., Youman, C. E., 1996. Role-based access control models. IEEE Computer, Vol. 29, No. 2, IEEE Press, February 1996, pp 38-47.
  10. Saltzer, J. H., and Schroeder, M.D., 1975. The protection of information in computer systems. Proceedings of the IEEE, Vol. 63, No. 9, September 1975, pp 1278- 1308.
  11. Zhang, C. N. and Yang, C., 2003. Integrating objectoriented role-based access control model with mandatory access control principles. The Journal of Computer Information Systems, Vol. 43, No. 3, 2003, pp 40-49.
Download


Paper Citation


in Harvard Style

Lai C. and N. Zhang C. (2006). QUANTITATIVE ANALYSIS AND ENFORCEMENT OF THE PRINCIPLE OF LEAST PRIVILEGE IN ROLE-BASED ACCESS CONTROL . In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2006) ISBN 978-972-8865-63-4, pages 69-74. DOI: 10.5220/0002100500690074


in Bibtex Style

@conference{secrypt06,
author={Chunren Lai and Chang N. Zhang},
title={QUANTITATIVE ANALYSIS AND ENFORCEMENT OF THE PRINCIPLE OF LEAST PRIVILEGE IN ROLE-BASED ACCESS CONTROL},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2006)},
year={2006},
pages={69-74},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002100500690074},
isbn={978-972-8865-63-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2006)
TI - QUANTITATIVE ANALYSIS AND ENFORCEMENT OF THE PRINCIPLE OF LEAST PRIVILEGE IN ROLE-BASED ACCESS CONTROL
SN - 978-972-8865-63-4
AU - Lai C.
AU - N. Zhang C.
PY - 2006
SP - 69
EP - 74
DO - 10.5220/0002100500690074