
    A Dynamic Access Control Model Using Authorising Workflow and Task Role-based Access Control

    Access control is fundamental and a prerequisite to govern and safeguard information assets within an organisation. Organisations generally use Web-enabled remote access coupled with application access distributed across various networks. These networks face various challenges, including increased operational burden and monitoring issues due to the dynamic and complex nature of security policies for access control. The increasingly dynamic nature of collaborations means that in one context a user should have access to sensitive information, whilst not being allowed access in other contexts. The current access control models are static and lack Dynamic Segregation of Duties (SoD), task-instance-level segregation, and decision making in real time. This thesis addresses these limitations and describes tools to support access management in borderless network environments with dynamic SoD capability and real-time access control decision making and policy enforcement. This thesis makes three contributions: i) Defining an Authorising Workflow Task Role Based Access Control (AW-TRBAC) using existing task and workflow concepts. This new workflow integrates dynamic SoD, whilst considering task instance restriction to ensure overall access governance and accountability. It enhances existing access control models such as Role Based Access Control (RBAC) by dynamically granting users access rights and providing access governance. ii) Extension of the OASIS standard XACML policy language to support dynamic access control requirements and enforce access control rules for real-time decision making. This mitigates risks relating to access control, such as escalation of privilege in broken access control, and insufficient logging and monitoring. iii) The AW-TRBAC model is implemented by extending the open source XACML (Balana) policy engine to demonstrate its applicability to a real industrial use case from a financial institution. The results show that AW-TRBAC is scalable, can process relatively large numbers of complex requests, and meets the requirements of real-time access control decision making, governance and mitigating broken access control risk.

    Dynamic User-Oriented Role Based Access Control Model (DUO-RBAC)

    Most researchers use role mining to generate a role-based access control model from the existing user-permission assignments. The user-oriented role-based access control model is a type of role-based access control model which aims to use role mining from an end-user perspective to generate an RBAC model. This research is the first to generate a dynamic user-oriented role-based access control model for inserting new user-permission assignments into the existing model and re-generating roles, with the constraint that there are no changes in the number of role assignments for each user in the system after the insertion process, since the user will be confused if he has a different number of roles from time to time. Also, we have developed a new algorithm, based on user-oriented role mining, to find the way to insert the new UPA into the existing model. Our experiments were applied on benchmark "Access Control" real datasets to evaluate the results.

    Dynamic User-Oriented Role-Based Access Control Model (DUO-RBAC)

    Most researchers now tend to use role mining to generate a role-based access control model from the existing user-permission assignments. User-oriented role-based access control is a type of role-based access control model which aims to use role mining from the end-user perspective to generate a user-oriented RBAC model, since users mostly prefer simple and minimal role assignments. This research is the first to generate a dynamic user-oriented role-based access control model (DUO-RBAC) for inserting new user-permission assignments (new UPA) into the existing user-oriented RBAC model. As a quick clarification: if there is a system which has user-permission assignments, a user-oriented RBAC model can be generated which contains new roles, each one assigned to users and permissions. Then, if new users with new permissions should enter the system which has the model, we regenerate a new model with new role assignments to include these new users. Re-generating roles is done by our dynamic model under three constraints. First, there are no changes in the number of role assignments for each user in the system after the insertion process, since the user will be confused if he has a different number of roles from time to time. Second, the permissions that each user has before the insertion process must be the same after generating the new model. Last, it takes into account that each user is assigned to a number of roles no more than t (the maximum number of roles that each user can be assigned), where t is predefined in the existing user-oriented RBAC model. Also, we develop a new algorithm, based on user-oriented role mining, to find the optimal way of inserting the new user-permission assignments into the existing model. Our experiments were applied on benchmark "Access Control" real datasets to evaluate the results and show the effectiveness of our developed algorithm on several measures. Those measures are: the optimal number of roles to minimise the objective function, the optimal number of user-role assignments, and generating a new model from the end-user perspective (keeping the newly generated model suitable from the end-user perspective).

    Dynamic User Role Assignment in Remote Access Control

    The Role-Based Access Control (RBAC) model has been widely applied to a single domain in which users are known to the administrative unit of that domain beforehand. However, the application of the conventional RBAC model to remote access control scenarios is not straightforward. In such scenarios, the access requestor is outside of the provider domain and thus the user population is heterogeneous and dynamic. Here, the main challenge is to automatically assign users to appropriate roles of the provider domain. Trust management has been proposed as a supporting technique to solve the problem of remote access control. The key idea is to establish mutual trust between the requestor and provider based on the credentials they exchange. However, a credential doesn't convey any information about the behavior of its holder during the time it is being used. Furthermore, in terms of privileges granted to the requestor, existing trust management systems are either too restrictive or not restrictive enough. In this paper, we propose a new dynamic user-role assignment approach for remote access control, where a stranger requests access from a provider domain. Our approach has two advantages compared to the existing dynamic user-role assignment techniques. Firstly, it addresses the principle of least privilege without degrading the efficiency of the access control system. Secondly, it takes into account both credentials and the past behavior of the requestor in such a way that he cannot compensate for the lack of necessary credentials by having a good past behavior.

    Securing Controls Middleware of the Large Hadron Collider

    The distributed control system of the Large Hadron Collider (LHC) presents many challenges due to its inherent heterogeneity and highly dynamic nature. One critical challenge is providing access control guarantees within the middleware. Role-based access control (RBAC) is a good candidate to provide access control. However, in an equipment control system, transactions are often dependent on user context and device context. Unfortunately, classic RBAC cannot be used to handle the above requirements. In this paper we present an extended role-based access control model called CMW-RBAC. This new model incorporates the advantages of role-based permission administration together with fine-grained control of dynamic context attributes. We also propose a new technique called dynamic authorization that allows phased introduction of access control in large distributed systems. This paper also describes the motivation of the project, its requirements, and an overview of its main components: authentication and authorization.

    A COLLABORATIVE MODEL FOR VIRTUAL ENTERPRISE

    Collaborative process characteristics have three dimensions: actors, activities and the logic of actions. The aim of this paper is to present a virtual portal model that helps manage consortiums. Our model is based on dynamic e-collaboration and has a modular structure with a multilayer approach. The functionality of the virtual enterprise's collaborative model is concerned with user login based on roles and access control, searching for and providing distributed resources, accessibility, metadata management and improved information management. Our proposed solution offers a functional architecture of a virtual enterprise using dynamic e-collaboration and shared space.
    Keywords: dynamic e-collaboration, multilayer solution, modular approach

    A Dynamic Access Control Model Using Authorising Workflow and Task-Role-Based Access Control

    Access control is fundamental and a prerequisite to govern and safeguard information assets within an organisation. Organisations generally use web-enabled remote access coupled with application access distributed across various networks, facing various challenges including increased operational burden and monitoring issues due to the dynamic and complex nature of security policies for access control. The increasingly dynamic nature of collaborations means that in one context a user should have access to sensitive information, but not in another context. The current access control models are static and lack Dynamic Segregation of Duties (SoD), task-instance-level segregation and decision making in real time. This paper addresses these limitations and supports access management in a borderless network environment with dynamic SoD capability at real-time access control decision making and policy enforcement. This research makes three contributions: i) Defining an Authorising Workflow Task Role Based Access Control using the existing task and workflow concepts. It integrates dynamic SoD considering the task instance restriction to ensure overall access governance and accountability. It enhances existing access control models such as RBAC by dynamically granting users access rights and providing access governance. ii) Extending the OASIS standard XACML policy language to support dynamic access control requirements and enforce the access control rules for real-time decision making, to mitigate risks relating to access control such as escalation of privilege in broken access control and insufficient logging and monitoring. iii) The model is implemented using the open source Balana policy engine to demonstrate its applicability to a real industrial use case from a financial institution. The results show that AW-TRBAC is scalable, can consume a relatively large number of complex requests, and is able to meet the requirements of dynamic access control characteristics.

    Security Provisioning in Cloud Environments using Dynamic Expiration Enabled Role based Access Control Model

    In the cloud environment, the role-based access control (RBAC) system model has come up with certain promising facilities for security communities. This system has established itself as a highly robust, powerful and generalized framework for providing access control for security management. There are numerous practical applications and circumstances where users might be prohibited from assuming their respective roles at certain defined time periods. Additionally, these roles can be invoked only after pre-defined time intervals which depend on the permission of a certain action or event. In order to capture these dynamic aspects of a role, numerous models such as temporal RBAC (TRBAC) were proposed, but this approach could not deliver anything beyond role-enabling constraints. In this paper, we propose a robust and optimal scheme called the Dynamic Expiration Enabled Role-Based Access Control (DEERBAC) model, which is efficient for expressing a broad range of temporal constraints. Specifically, in this approach we permit periodic expressions as well as certain defined time constraints on roles, user-role assignments and role-permission assignments. According to the DEERBAC model, in certain time durations the roles can be further restricted as a consequence of numerous activation constraints and maximum active duration constraints. The dominant contributions of the DEERBAC model are the extension and optimization of the existing TRBAC framework and its event and triggering expressions. The predominant uniqueness of this model is that the system inherits the expression of role hierarchies and Separation of Duty (SoD) constraints that specify fine-grained temporal semantics. The results obtained illustrate that the DEERBAC system provides an optimum solution for efficient user creation, role assignment and a security management framework in the cloud environment with higher user counts and the simultaneous role-permission,