A Formal Structure of Separation of Duty and Trust in Modelling Delegation Policy

There are considerable number of approaches to policy specification both for security management and policy driven network management purposes as reported in [20]. This specification sort security policies into two basic types: authorization and obligation policies. Most of the researches in security policies specification over the years focus on authorization policy modelling. In this paper, we report our approach in the design and Modelling of obligation Policy as delegation in information security by considering separation of duty and trust as pre-requisite conditions for delegation. The formal structures of the Delegation models developed was adapted from the Mathematical structures of Separation of duty (both Static and Dynamic SoD) in RBAC environment as described in [8] and [16]. Three factors of Properties, Experiences and Recommendation as described in [22] were used for the Trust Modelling. Future works proposed include the development of a formal model for revocation after delegation and integration of appropriate authorization policy with the model.Facultad de Informátic

Developing an ABAC-Based Grant Proposal Workflow Management System

In the advent of the digital transformation, online business processes need to be automated and modeled as workflows. A workflow typically involves a sequence of coordinated tasks and shared data that need to be secured and protected from unauthorized access. In other words, a workflow can be described simply as the movement of documents and activities through a business process among different users. Such connected flow of information among various users with different permission level offers many benefits along with new challenges. Cyber threats are becoming more sophisticated as skilled and motivated attackers both insiders and outsiders are equipped with advanced and diverse penetration tools and techniques. So apart from standard functional requirements, security is a critical requirement for such systems. We need to have a new approach to more secure design, configuration, implementation and management of workflow systems. In this paper, we propose a new software design model when developing a workflow system that inherently decouples the system level functional requirements from the security specifications. This externalization of authorization from the code makes it more flexible to support dynamic business agility. Moreover, the proposed model is combined with contextual information to accommodate dynamic access control enforcement. The given architecture provides outstanding levels of control, security, privacy and compliance with regulatory standards by using more fine-grained static as well as dynamic Attribute Based Access Control (ABAC) policies. We also develop a viable implementation called Grant Proposal Workflow Management System (GPWFMS) that supports not only functional and security specifications of workflow but also extended complex features like Obligations and Delegation of Authority which is lacking in the much existing literature

An Attribute-Based Delegation Model and Its Extension

In existing delegation models, delegation security entirely depends on delegators and security administrators, for delegation constraint in these models is only a prerequisite condition. This paper proposes an Attribute-Based Delegation Model (ABDM) with an extended delegation constraint consisting of both delegation attribute expression (DAE) and delegation prerequisite condition (CR). In ABDM, a delegatee must satisfy delegation constraint (especially DAE) when assigned to a delegation role. With delegation constraint, a delegator can restrict the delegatee candidates more strictly. ABDM relieves delegators and security administrators of security management work in delegation. In ABDM, a delegator is not allowed to temporarily delegate permissions to a person who does not satisfy the delegation constraint. To guarantee its flexibility and security, an extension of ABDM named ABDM X is proposed. In ABDM X, a delegator can delegate some high level permissions to low level delegatee candidates temporarily, but not permanently