Learn More
We propose the role-and-relation-based access control (R<sup>2</sup>BAC) model for workflow authorization systems. In R<sup>2</sup>BAC, in addition to a user&#8217;s role memberships, the user&#8217;s relationships with other users help determine whether the user is allowed to perform a certain step in a workflow. For example, a constraint may require that(More)
Databases are increasingly being used to store information covered by heterogeneous policies, which require support for access control with great flexibility. This has led to increasing interest in using fine-grained access control, where different cells in a relation may be governed by different access control rules. Although several proposals have been(More)
With the growing adoption of Role-Based Access Control (RBAC) in commercial security and identity management products, how to facilitate the process of migrating a non-RBAC system to an RBAC system has become a problem with significant business impact. Researchers have proposed to use data mining techniques to discover roles to complement the costly(More)
Many access control policy languages, e.g., XACML, allow a policy to contain multiple sub-policies, and the result of the policy on a request is determined by combining the results of the sub-policies according to some policy combining algorithms (PCAs). Existing access control policy languages, however, do not provide a formal language for specifying PCAs.(More)
— Specifying and managing access control policies is a challenging problem. We propose to develop formal verification techniques for access control policies to improve the current state of the art of policy specification and management. In this paper, we formalize classes of security analysis problems in the context of Role-Based Access Control. We show(More)
We introduce the notion of resiliency policies in the context of access control systems. Such policies require an access control system to be resilient to the absence of users. An example resiliency policy requires that upon removal of any <i>s</i> users, there should still exist <i>d</i> disjoint sets of users such that the users in each set together(More)
Delegation is a mechanism that allows a user A to act on another user B's behalf by making B's access rights available to A. It is well recognized as an important mechanism to provide resiliency and flexibility in access control systems, and has gained popularity in the research community. However, most existing literature focuses on modeling and managing(More)