Symbolic reachability analysis for parameterized administrative role based access control

Scott D. Stoller; Ping Yang; Mikhail Gofman; C. R. Ramakrishnan

doi:10.1145/1542207.1542233

Symbolic reachability analysis for parameterized administrative role based access control

Scott D. Stoller
, Ping Yang
, Mikhail Gofman
, C. R. Ramakrishnan

Computer Science

State University of New York Binghamton University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

9 Scopus citations

Abstract

Role based access control (RBAC) is a widely used access control paradigm. In large organizations, the RBAC policy is managed by multiple administrators. An administrative role based access control (ARBAC) policy specifies how each administrator may change the RBAC policy. It is often difficult to fully understand the effect of an ARBAC policy by simple inspection, because sequences of changes by different administrators may interact in unexpected ways. ARBAC policy analysis algorithms can help by answering questions, such as user-role reachability, which asks whether a given user can be assigned to given roles by given administrators. Allowing roles and permissions to have parameters significantly enhances the scalability, flexibility, and expressiveness of ARBAC policies. This paper defines PARBAC, which extends the classic ARBAC97 model to support parameters, and presents an analysis algorithm for PARBAC. To the best of our knowledge, this is the first analysis algorithm specifically for parameterized ARBAC policies. We evaluate its efficiency by analyzing its parameterized complexity and benchmarking it on case studies and synthetic policies.

Original language	English
Title of host publication	SACMAT'09 - Proceedings of the 14th ACM Symposium on Access Control Models and Technologies
Publisher	Association for Computing Machinery
Pages	165-174
Number of pages	10
ISBN (Print)	9781605585376
DOIs	https://doi.org/10.1145/1542207.1542233
State	Published - 2009
Event	14th ACM Symposium on Access Control Models and Technologies, SACMAT 2009 - Stresa, Italy Duration: Jun 3 2009 → Jun 5 2009

Publication series

Name	Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT

Conference

Conference	14th ACM Symposium on Access Control Models and Technologies, SACMAT 2009
Country/Territory	Italy
City	Stresa
Period	06/3/09 → 06/5/09

Keywords

Security
Verification

Access to Document

10.1145/1542207.1542233

Cite this

Stoller, S. D., Yang, P., Gofman, M., & Ramakrishnan, C. R. (2009). Symbolic reachability analysis for parameterized administrative role based access control. In SACMAT'09 - Proceedings of the 14th ACM Symposium on Access Control Models and Technologies (pp. 165-174). (Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT). Association for Computing Machinery. https://doi.org/10.1145/1542207.1542233

Stoller, Scott D. ; Yang, Ping ; Gofman, Mikhail et al. / Symbolic reachability analysis for parameterized administrative role based access control. SACMAT'09 - Proceedings of the 14th ACM Symposium on Access Control Models and Technologies. Association for Computing Machinery, 2009. pp. 165-174 (Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT).

@inproceedings{00ec4e8dfdca45c7a4ec3a5bfea4556e,

title = "Symbolic reachability analysis for parameterized administrative role based access control",

abstract = "Role based access control (RBAC) is a widely used access control paradigm. In large organizations, the RBAC policy is managed by multiple administrators. An administrative role based access control (ARBAC) policy specifies how each administrator may change the RBAC policy. It is often difficult to fully understand the effect of an ARBAC policy by simple inspection, because sequences of changes by different administrators may interact in unexpected ways. ARBAC policy analysis algorithms can help by answering questions, such as user-role reachability, which asks whether a given user can be assigned to given roles by given administrators. Allowing roles and permissions to have parameters significantly enhances the scalability, flexibility, and expressiveness of ARBAC policies. This paper defines PARBAC, which extends the classic ARBAC97 model to support parameters, and presents an analysis algorithm for PARBAC. To the best of our knowledge, this is the first analysis algorithm specifically for parameterized ARBAC policies. We evaluate its efficiency by analyzing its parameterized complexity and benchmarking it on case studies and synthetic policies.",

keywords = "Security, Verification",

author = "Stoller, \{Scott D.\} and Ping Yang and Mikhail Gofman and Ramakrishnan, \{C. R.\}",

year = "2009",

doi = "10.1145/1542207.1542233",

language = "English",

isbn = "9781605585376",

series = "Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT",

publisher = "Association for Computing Machinery",

pages = "165--174",

booktitle = "SACMAT'09 - Proceedings of the 14th ACM Symposium on Access Control Models and Technologies",

note = "14th ACM Symposium on Access Control Models and Technologies, SACMAT 2009 ; Conference date: 03-06-2009 Through 05-06-2009",

}

Stoller, SD, Yang, P, Gofman, M & Ramakrishnan, CR 2009, Symbolic reachability analysis for parameterized administrative role based access control. in SACMAT'09 - Proceedings of the 14th ACM Symposium on Access Control Models and Technologies. Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT, Association for Computing Machinery, pp. 165-174, 14th ACM Symposium on Access Control Models and Technologies, SACMAT 2009, Stresa, Italy, 06/3/09. https://doi.org/10.1145/1542207.1542233

Symbolic reachability analysis for parameterized administrative role based access control. / Stoller, Scott D.; Yang, Ping; Gofman, Mikhail et al.
SACMAT'09 - Proceedings of the 14th ACM Symposium on Access Control Models and Technologies. Association for Computing Machinery, 2009. p. 165-174 (Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Symbolic reachability analysis for parameterized administrative role based access control

AU - Stoller, Scott D.

AU - Yang, Ping

AU - Gofman, Mikhail

AU - Ramakrishnan, C. R.

PY - 2009

Y1 - 2009

N2 - Role based access control (RBAC) is a widely used access control paradigm. In large organizations, the RBAC policy is managed by multiple administrators. An administrative role based access control (ARBAC) policy specifies how each administrator may change the RBAC policy. It is often difficult to fully understand the effect of an ARBAC policy by simple inspection, because sequences of changes by different administrators may interact in unexpected ways. ARBAC policy analysis algorithms can help by answering questions, such as user-role reachability, which asks whether a given user can be assigned to given roles by given administrators. Allowing roles and permissions to have parameters significantly enhances the scalability, flexibility, and expressiveness of ARBAC policies. This paper defines PARBAC, which extends the classic ARBAC97 model to support parameters, and presents an analysis algorithm for PARBAC. To the best of our knowledge, this is the first analysis algorithm specifically for parameterized ARBAC policies. We evaluate its efficiency by analyzing its parameterized complexity and benchmarking it on case studies and synthetic policies.

AB - Role based access control (RBAC) is a widely used access control paradigm. In large organizations, the RBAC policy is managed by multiple administrators. An administrative role based access control (ARBAC) policy specifies how each administrator may change the RBAC policy. It is often difficult to fully understand the effect of an ARBAC policy by simple inspection, because sequences of changes by different administrators may interact in unexpected ways. ARBAC policy analysis algorithms can help by answering questions, such as user-role reachability, which asks whether a given user can be assigned to given roles by given administrators. Allowing roles and permissions to have parameters significantly enhances the scalability, flexibility, and expressiveness of ARBAC policies. This paper defines PARBAC, which extends the classic ARBAC97 model to support parameters, and presents an analysis algorithm for PARBAC. To the best of our knowledge, this is the first analysis algorithm specifically for parameterized ARBAC policies. We evaluate its efficiency by analyzing its parameterized complexity and benchmarking it on case studies and synthetic policies.

KW - Security

KW - Verification

UR - https://www.scopus.com/pages/publications/70450255116

U2 - 10.1145/1542207.1542233

DO - 10.1145/1542207.1542233

M3 - Conference contribution

AN - SCOPUS:70450255116

SN - 9781605585376

T3 - Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT

SP - 165

EP - 174

BT - SACMAT'09 - Proceedings of the 14th ACM Symposium on Access Control Models and Technologies

PB - Association for Computing Machinery

T2 - 14th ACM Symposium on Access Control Models and Technologies, SACMAT 2009

Y2 - 3 June 2009 through 5 June 2009

ER -

Stoller SD, Yang P, Gofman M, Ramakrishnan CR. Symbolic reachability analysis for parameterized administrative role based access control. In SACMAT'09 - Proceedings of the 14th ACM Symposium on Access Control Models and Technologies. Association for Computing Machinery. 2009. p. 165-174. (Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT). doi: 10.1145/1542207.1542233

Symbolic reachability analysis for parameterized administrative role based access control

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this