Towards session-aware RBAC administration and enforcement with XACML

Authors:
Min Xu;Duminda Wijesekera;Xinwen Zhang;Deshan Cooray
Affiliations:
Department of Computer Science, George Mason University, Fairfax, VA;Department of Computer Science, George Mason University, Fairfax, VA;Computer Science Lab, Samsung Information Systems America, San Jose, CA;Department of Computer Science, George Mason University, Fairfax, VA
Venue:
POLICY'09 Proceedings of the 10th IEEE international conference on Policies for distributed systems and networks
Year:
2009

Citing 12
Cited 0

Role-Based Access Control Models

Computer
The ARBAC97 model for role-based administration of roles

ACM Transactions on Information and System Security (TISSEC) - Special issue on role-based access control
Proposed NIST standard for role-based access control

ACM Transactions on Information and System Security (TISSEC)
Database System Concepts

Database System Concepts
Administrative scope: A foundation for role-based administrative models

ACM Transactions on Information and System Security (TISSEC)
The UCONABC usage control model

ACM Transactions on Information and System Security (TISSEC)
Understanding and developing role-based administrative models

Proceedings of the 12th ACM conference on Computer and communications security
An effective role administration model using organization structure

ACM Transactions on Information and System Security (TISSEC)
Contest of XML lock protocols

VLDB '06 Proceedings of the 32nd international conference on Very large data bases
Administration in role-based access control

ASIACCS '07 Proceedings of the 2nd ACM symposium on Information, computer and communications security
Policy Administration Control and Delegation Using XACML and Delegent

GRID '05 Proceedings of the 6th IEEE/ACM International Workshop on Grid Computing
Concurrent Enforcement of Usage Control Policies

POLICY '08 Proceedings of the 2008 IEEE Workshop on Policies for Distributed Systems and Networks

Quantified Score

Hi-index	0.01

Visualization

Abstract

An administrative role-based access control (AR-BAC) moddel specifies administrative policies over a role-based access control (RBAC) system, where an administrative permission may change an RBAC policy by updating permissions assigned to roles, or assigning/revoking users to/from roles. Consequently, enforcing ARBAC policies over an active access cootroller while some users are using protected resources would result in conflicts: a policy may be in effect in the RBAC system while being updated by an ARBAC operation. Towards solving this concurrency problem, we propose a session-aware administrative model for RBAC. We show how the concurrency problem can be resolved by enhancing the eXtensible Access Control Markup Language (XACML) reference implementation. In order to do so, we de velop an XACML-ARBAC profile to specify ARBAC policies, and enforce these polices by building an ARBAC enforcement module and a session administrative module. The former synchronizes with the evaluation of access control requests. The latter revokes conflicting ongoing user sessions immediately prior to enforcing administrative operations. Experimental studies show reasonable performance characteristics of our initial enhancement to Sun's reference implementation.