article

X-GTRBAC: an XML-based policy specification framework and architecture for enterprise-wide access control

Authors:

Rafae Bhatti,

Arif Ghafoor,

Elisa Bertino,

James B. D. JoshiAuthors Info & Claims

ACM Transactions on Information and System Security (TISSEC), Volume 8, Issue 2

Pages 187 - 227

https://doi.org/10.1145/1065545.1065547

Published: 01 May 2005 Publication History

Get Access

Abstract

Modern day enterprises exhibit a growing trend toward adoption of enterprise computing services for efficient resource utilization, scalability, and flexibility. These environments are characterized by heterogeneous, distributed computing systems exchanging enormous volumes of time-critical data with varying levels of access control in a dynamic business environment. The enterprises are thus faced with significant challenges as they endeavor to achieve their primary goals, and simultaneously ensure enterprise-wide secure interoperation among the various collaborating entities. Key among these challenges are providing effective mechanism for enforcement of enterprise policy across distributed domains, ensuring secure content-based access to enterprise resources at all user levels, and allowing the specification of temporal and nontemporal context conditions to support fine-grained dynamic access control. In this paper, we investigate these challenges, and present X-GTRBAC, an XML-based GTRBAC policy specification language and its implementation for enforcing enterprise-wide access control. Our specification language is based on the GTRBAC model that incorporates the content- and context-aware dynamic access control requirements of an enterprise. An X-GTRBAC system has been implemented as a Java application. We discuss the salient features of the specification language, and present the software architecture of our system. A comprehensive example is included to discuss and motivate the applicability of the X-GTRBAC framework to a generic enterprise environment. An application level interface for implementing the policy in the X-GTRBAC system is also provided to consolidate the ideas presented in the paper.

References

[1]

Bacon, J., Moody, K., and Yao, W. 2002. A model of OASIS role-based access control and its support for active security. ACM Transactions on Information and System Security, 5, 4 (Nov.).

Crossref

Google Scholar

[2]

Bertino, E., Bettini, C., Ferrari, E., and Samarati, P. 1998. An access control model supporting periodicity constraints and temporal reasoning. ACM Transactions on Database Systems 23, 3 (Sept).

Crossref

Google Scholar

[3]

Bertino, E., Bonatti, P., and Ferrari, E. 2001. TRBAC: A temporal role-based access control model. ACM Transactions on Information and System Security 4, 3 (Aug.).

Crossref

Google Scholar

[4]

Bertino, E., Castano, S., and Ferrari, E. 2001. Securing XML documents with author X. IEEE Internet Computing 5, 3 (May-June).

Crossref

Google Scholar

[5]

Bertino, E., Castano, S., Ferrari, E., and Mesiti, M. 1999a. Controlled access and dissemination of XML documents. In Workshop on Web Information and Data Management, Kansas City, MI, Nov. 2--6.

Crossref

Google Scholar

[6]

Bertino, E., Ferrari, E., and Atluri, V. 1999b. The specification and enforcement of authorization constraints in workflow management systems. ACM Transactions on Information and System Security 2, 1 (Feb.).

Crossref

Google Scholar

[7]

Bhatti, R. 2003. X-GTRBAC: An XML-based policy specification framework and architecture for enterprise-wide access control. Masters Thesis, Purdue University. Available as CERIAS Technical Report 2003-27.

Google Scholar

[8]

Bhatti, R., Bertino, E., and Ghafoor, A. 2004a. Towards Improved Federated Identity and Privilege Management in Open Systems. CERIAS Technical Report 2004-32.

Google Scholar

[9]

Bhatti, R., Joshi, J. B. D., Bertino, E., and Ghafoor, A. 2004b. XML-based RBAC policy specification for secure Web-services. IEEE Computer 37, 4 (Apr.).

Crossref

Google Scholar

[10]

Bhatti, R., Joshi, J. B. D., Bertino, E., and Ghafoor, A. 2004c. X-GTRBAC admin: A decentralized adminstration model for enterprise wide access control. In Proceedings of the 9th ACM Symposium on Access Control Models and Technologies, Yorktown, Heights, NY, June 2--4.

Crossref

Google Scholar

[11]

Ferraiolo, D. F., Barkley, J. F., and Kuhn, D. R. 1999. A role based access control model and reference implementation within a corporate Intranet. ACM Transactions on Information and System Security 2, 1 (Feb.).

Crossref

Google Scholar

[12]

Ferraiolo, D. F., Gilbert, D. M., and Lynch, N. 1993. An examination of federal and commercial access control policy needs. In Proceedings of NISTNCSC National Computer Security Conference, Baltimore, MD, Sept. 20--23.

Google Scholar

[13]

Ferraiolo, D. F., Sandhu, R., Gavrila, S., Richard Kuhn, D., and Chandramouli R. 2001. Proposed NIST standard for role-based access control. ACM Transactions on Information and System Security 4, 3 (Aug.).

Crossref

Google Scholar

[14]

Ferraiolo, D., Sandhu, R., Gavrila, S., Kuhn, R., and Chandramouli, R. 2000. The NIST model for role-based access control: Towards a unified standard. In Proceedings of the 5th ACM Workshop on Role-Based Control, Berlin, Germany, July 26--28.

Crossref

Google Scholar

[15]

Gavrila, S. I. and Barkley, J. F. 1998. Formal specification for role based access control user/role and role/role relationship management. In Proceedings of the 3rd ACM Workshop on Role-Based Access Control, Fairfax, VA, Oct. 22--23.

Crossref

Google Scholar

[16]

IBM. Why XML schema beats DTDs hands-down for data. http://www-106.ibm.com/developerworks/xml/library/x-sbsch.html.

Google Scholar

[17]

IIES. Purdue reference model for computer integrated manufacturing. http://iies.www.ecn.purdue.edu/IIES/PLAIC/PERA/ReferenceModel/index.html.

Google Scholar

[18]

ISO. 1986. Standard Generalized Markup Language (SGML). ISO 8879. Information Processing---Text and Office Systems---Standard Generalized Markup Language (SGML).

Google Scholar

[19]

Java Commerce. XML tutorial. http://www.javacommerce.com/tutorial/xmlj/intro.htm.

Google Scholar

[20]

Jtenenbg. Overview of enterprise computing. http://faculty.washington.edu/jtenenbg/courses/455/s02/sessions/ec_overview.ppt.

Google Scholar

[21]

Joshi, J. B. D., Bertino, E., Latif, U., and Ghafoor, A. 2005. A generalized temporal role based access control model (GTRBAC). IEEE Transaction on Knowledge and Data Engineering 17, 1 (Jan.). Also available as CERIAS Technical Report 2001-47.

Crossref

Google Scholar

[22]

Joshi, J. B. D., Ghafoor, A., Aref, W., and Spafford, E. H. 2001. Digital government security infrastructure design challenges. IEEE Computer 34, 2 (Feb.).

Crossref

Google Scholar

[23]

Kern, A. 2002. Advanced features for enterprise-wide role-based access control. In Annual Computer Security Applications Conference, Las Vegas, NV, Dec. 9--13.

Crossref

Google Scholar

[24]

Niezette, M. and Stevenne, J. 1992. An efficient symbolic representation of periodic time. In Proceedings of 1st International Conference on Information and Knowledge Management, Baltimore, MD, Nov. 8--11.

Google Scholar

[25]

Osborn, S. L., Sandhu, R., and Munawer, Q. 2000. Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM Transactions on Information and System Security 3, 2 (Feb.).

Crossref

Google Scholar

[26]

Sandhu, R., Coyne, E. J., Feinstein, H. L., and Youman, C. E. 1996. Role based access control models. IEEE Computer 29, 2 (Feb.).

Crossref

Google Scholar

[27]

Vuong, N. N., Smith, G. S., and Deng, Y. 2001. Managing security policies in a distributed environment using eXtensible markup language (XML). In Symposium on Applied Computing, Las Vegas, NV, Mar. 11--14.

Crossref

Google Scholar

[28]

W3SOAP. Simple object access protocol (SOAP) 1.1. http://www.w3.org/TR/SOAP/.

Google Scholar

[29]

W3. W3C XML schema. www.w3.org/XML/Schema.

Google Scholar

[30]

Web Reference. Web services XML's role. http://www.webreference.com/js/tips/011028.html.

Google Scholar

[31]

XML. 2000. eXtensible Markup Language (XML) 1.0 (Second). W3C Recommendation 6 October 2000. http://www.w3.org/TR/REC-xml.

Google Scholar

[32]

XML Coverpages. 2003a. XACML 1.0 specification. http://xml.coverpages.org/ni2003-02-11-a.html.

Google Scholar

[33]

XML Coverpages. 2003b. SAML 1.0 specification. http://xml.coverpages.org/ni2003-05-27-b.html.

Google Scholar

[34]

XML Coverpages. 2004. OASIS RBAC announcement. http://xml.coverpages.org/ni2004-04-05-a.html.

Google Scholar

[35]

XPath. 2002. XML Path Language (XPath) 2.0. Working Draft 16 August 2002. http://www.w3.org/TR/xpath20/.

Google Scholar

Cited By

View all

Campi A(2024)Roles in SQLEncyclopedia of Cryptography, Security and Privacy10.1007/978-3-642-27739-9_685-2(1-4)Online publication date: 1-Sep-2024
https://doi.org/10.1007/978-3-642-27739-9_685-2
Schlegel M(2023)Trusted Implementation and Enforcement of Application Security PoliciesE-Business and Telecommunications10.1007/978-3-031-36840-0_16(362-388)Online publication date: 22-Jul-2023
https://doi.org/10.1007/978-3-031-36840-0_16
Abid ACheikhrouhou SKallel STari ZJmaiel M(2022)A Smart Contract-Based Access Control Framework For Smart Healthcare SystemsThe Computer Journal10.1093/comjnl/bxac183Online publication date: 30-Dec-2022
https://doi.org/10.1093/comjnl/bxac183
Show More Cited By

Index Terms

X-GTRBAC: an XML-based policy specification framework and architecture for enterprise-wide access control

Recommendations

X-gtrbac admin: A decentralized administration model for enterprise-wide access control

The modern enterprise spans several functional units or administrative domains with diverse authorization requirements. Access control policies in an enterprise environment typically express these requirements as authorization constraints. While ...
Flexible access control policy specification with constraint logic programming

We show how a range of role-based access control (RBAC) models may be usefully represented as constraint logic programs, executable logical specifications. The RBAC models that we define extend the "standard" RBAC models that are described by Sandhu et ...
X-GTRBAC admin: a decentralized administration model for enterprise wide access control
SACMAT '04: Proceedings of the ninth ACM symposium on Access control models and technologies

Access control in enterprises is a key research area in the realm of Computer Security because of the unique needs of the target enterprise. As the enterprise typically has large user and resource pools, administering the access control based on any ...

Reviews

Reviewer: George Dimitoglou

The title of this paper alone is enough to raise questions about whether this is an old solution to an old problem with an Extensible Markup Language (XML) twist, particularly after a simple search in The Collection of Computer Science Bibliographies for the terms "access control" and "framework" yields 94,693 results. Cynicism aside, the work by the authors is excellent. The focus of this paper is on presenting a secure content-based access framework for enterprise resources supporting fine-grained dynamic access control. It is obvious that the authors have done a lot of good work on the topic, and this shows in every aspect of the paper: its structure, the complete examples, and the clarity with which they express their ideas. The introduction provides enough information to set the stage for the rest of the material relating to access control. It stays at a high level, and gently ushers the reader into the operational environment by describing the basic premises and interactions between policies, resources, and methods of their control. The title of the second section ("Preliminaries") is as true to advertising as it can be. An introduction to XML, with examples, along with a similar examination of the role-based access control (RBAC) model, provides enough information for even the uninitiated to follow. For other readers, the XML introduction can be skipped. The "Motivation and Goals" section explains the reasons behind using XML, and the adaptation of the generalized temporal role-based access control (GTRBAC) model. The description of the capabilities that GTRBAC affords, content-based context-aware access and heterogeneity of subjects and objects, is sufficient to justify the selection of the particular model. The outline of the formal specification of the GTRBAC model, immediately after this section, covers all necessary aspects of the model that could be useful when deploying such a RBAC infrastructure. The fifth section is the central part of the paper, where the X-GTRBAC specification language is described in detail. The specification seems to be extensive, and flexible enough to accommodate any enterprise resource access control environment. Clearly, one way to test the specification is to build a system and run examples, which is precisely what the authors do in the following sections. The implementation part of the system is prefaced by the system architecture, with a number of diagrams and explanations of the different system interrelations. Multiple examples, with snippets of XML documents, illustrating the definitions of triggers, users, and constraints are provided, making the flow of the paper very smooth, and the content easy to follow. The "Related Work" section provides a thorough investigation of prior relevant work, and shows that the material is based on solid scholarly foundations. The "Conclusions" sections summarizes the work, and provides some ideas for future directions. Overall, this is a very thorough and extensive piece of work, and the existence of much similar work in the area does not discount its contribution in any way. Some of the sections of the paper could have been shortened or omitted altogether, simply because many of the technologies (for example, XML) are an inseparable part of the current computing landscape, and do not need such detailed coverage. Beyond this superficial observation, the material is well supported, and the examples are succinct and appropriate, and enable the reader to follow the material with great ease. Hopefully, the authors will continue their work, and be able to address the challenges and opportunities they outlined for distributed inter-enterprise environments and the efficient administration and management of global-level policies. Online Computing Reviews Service

Access critical reviews of Computing literature here

Become a reviewer for Computing Reviews.

Comments

Information & Contributors

Information

Published In

ACM Transactions on Information and System Security Volume 8, Issue 2

May 2005

106 pages

ISSN:1094-9224

EISSN:1557-7406

DOI:10.1145/1065545

Issue’s Table of Contents

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 May 2005

Published in TISSEC Volume 8, Issue 2

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

96
Total Citations
View Citations
2,483
Total Downloads

Downloads (Last 12 months)18
Downloads (Last 6 weeks)0

Reflects downloads up to 30 Aug 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Campi A(2024)Roles in SQLEncyclopedia of Cryptography, Security and Privacy10.1007/978-3-642-27739-9_685-2(1-4)Online publication date: 1-Sep-2024
https://doi.org/10.1007/978-3-642-27739-9_685-2
Schlegel M(2023)Trusted Implementation and Enforcement of Application Security PoliciesE-Business and Telecommunications10.1007/978-3-031-36840-0_16(362-388)Online publication date: 22-Jul-2023
https://doi.org/10.1007/978-3-031-36840-0_16
Abid ACheikhrouhou SKallel STari ZJmaiel M(2022)A Smart Contract-Based Access Control Framework For Smart Healthcare SystemsThe Computer Journal10.1093/comjnl/bxac183Online publication date: 30-Dec-2022
https://doi.org/10.1093/comjnl/bxac183
Kayes AKalaria RSarker IIslam MWatters PNg AHammoudeh MBadsha SKumara I(2020)A Survey of Context-Aware Access Control Mechanisms for Cloud and Fog Networks: Taxonomy and Open Research IssuesSensors10.3390/s2009246420:9(2464)Online publication date: 27-Apr-2020
https://doi.org/10.3390/s20092464
Jiang HBouabdallah A(2019)A JSON-Based Fast and Expressive Access Control Policy FrameworkEmerging Technologies and Applications in Data Processing and Management10.4018/978-1-5225-8446-9.ch004(70-91)Online publication date: 2019
https://doi.org/10.4018/978-1-5225-8446-9.ch004
Cotrini CCorinzia LWeghorn TBasin DCavallaro LKinder JWang XKatz J(2019)The Next 700 Policy MinersProceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security10.1145/3319535.3354196(95-112)Online publication date: 6-Nov-2019
https://dl.acm.org/doi/10.1145/3319535.3354196
Kayes ARahayu WDillon T(2019)Critical situation management utilizing IoT-based data resources through dynamic contextual role modeling and activationComputing10.1007/s00607-018-0654-1101:7(743-772)Online publication date: 1-Jul-2019
https://dl.acm.org/doi/10.1007/s00607-018-0654-1
Ben Fadhel ABianculli DBriand LHuchard MKästner CFraser G(2018)Model-driven run-time enforcement of complex role-based access control policiesProceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering10.1145/3238147.3238167(248-258)Online publication date: 3-Sep-2018
https://dl.acm.org/doi/10.1145/3238147.3238167
Kayes ARahayu WDillon T(2018)An Ontology-Based Approach to Dynamic Contextual Role for Pervasive Access Control2018 IEEE 32nd International Conference on Advanced Information Networking and Applications (AINA)10.1109/AINA.2018.00093(601-608)Online publication date: May-2018
https://doi.org/10.1109/AINA.2018.00093
Kayes AHan JRahayu WDillon TIslam MColman A(2018)A Policy Model and Framework for Context-Aware Access Control to Information Resources†The Computer Journal10.1093/comjnl/bxy065Online publication date: 18-Jul-2018
https://doi.org/10.1093/comjnl/bxy065
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

X-gtrbac admin: A decentralized administration model for enterprise-wide access control

Flexible access control policy specification with constraint logic programming

X-GTRBAC admin: a decentralized administration model for enterprise wide access control

Reviews

Access critical reviews of Computing literature here

Comments

Published In

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Other Metrics

Article Metrics

Other Metrics

Cited By

Login options

Full Access

PDF

eReader

Abstract

References

Cited By

Index Terms

Recommendations

X-gtrbac admin: A decentralized administration model for enterprise-wide access control

Flexible access control policy specification with constraint logic programming

X-GTRBAC admin: a decentralized administration model for enterprise wide access control

Reviews

Access critical reviews of Computing literature here

Comments

Information

Published In

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Get Access

Login options

Full Access

View options

PDF

eReader

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations