DOI: 10.1145/1943513.1943530

An empirical assessment of approaches to distributed enforcement in role-based access control (RBAC)

Published: 21 February 2011

Abstract

We consider the distributed access enforcement problem for Role-Based Access Control (RBAC) systems. Such enforcement has become important with RBAC's increasing adoption, and the proliferation of data that needs to be protected. We assess six approaches, each of which has either been proposed in the literature, or is a natural candidate for access enforcement. The approaches are: directed graph, access matrix, authorization recycling, cpol, Bloom filter and cascade Bloom filter. We consider encodings of RBAC sessions in each, and propose and justify a benchmark for the assessment. We present our results from an empirical assessment of time, space and administrative efficiency based on the benchmark. We conclude with inferences we can make regarding the best approach to access enforcement for particular RBAC deployments based on our assessment.


Published In

CODASPY '11: Proceedings of the first ACM conference on Data and application security and privacy
February 2011
294 pages
ISBN:9781450304665
DOI:10.1145/1943513
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. access enforcement
  2. efficiency
  3. empirical assessment
  4. role-based access control

Qualifiers

  • Research-article

Conference

CODASPY '11

Acceptance Rates

Overall Acceptance Rate 149 of 789 submissions, 19%

Cited By

  • (2024) A Security Evaluation of Chaos Attribute-Based Access Control (ABAC) for Cloud Computing. Advanced Information Networking and Applications, pp. 415-425, doi:10.1007/978-3-031-57870-0_37. Online publication date: 10-Apr-2024
  • (2022) Poster: Toward Zero-Trust Path-Aware Access Control. Proceedings of the 27th ACM on Symposium on Access Control Models and Technologies, pp. 267-269, doi:10.1145/3532105.3535036. Online publication date: 7-Jun-2022
  • (2022) Image Processing based RTO Number Plate Recognizer. 2022 International Conference on Electronics and Renewable Systems (ICEARS), pp. 1037-1041, doi:10.1109/ICEARS53579.2022.9752124. Online publication date: 16-Mar-2022
  • (2022) A Survey of Real-time Health Care Tracking System for Post Covid Patients. 2022 Second International Conference on Artificial Intelligence and Smart Energy (ICAIS), pp. 1105-1112, doi:10.1109/ICAIS53314.2022.9743105. Online publication date: 23-Feb-2022
  • (2020) An Efficient Attribute-Based Access Control (ABAC) Policy Retrieval Method Based on Attribute and Value Levels in Multimedia Networks. Sensors 20:6 (1741), doi:10.3390/s20061741. Online publication date: 20-Mar-2020
  • (2015) ENKI. Proceedings of the 2015 ACM SIGMOD International Conference on Management of Data, pp. 183-196, doi:10.1145/2723372.2749439. Online publication date: 27-May-2015
  • (2014) Hardware-enhanced distributed access enforcement for role-based access control. Proceedings of the 19th ACM symposium on Access control models and technologies, pp. 5-16, doi:10.1145/2613087.2613096. Online publication date: 25-Jun-2014
  • (2014) Role-Based Access control mechanisms. 2014 IEEE Symposium on Computers and Communications (ISCC), pp. 1-7, doi:10.1109/ISCC.2014.6912546. Online publication date: Jun-2014
  • (2012) Efficient run-time solving of RBAC user authorization queries. Proceedings of the second ACM conference on Data and Application Security and Privacy, pp. 241-248, doi:10.1145/2133601.2133631. Online publication date: 7-Feb-2012
