Role mining with ORCA.

ABSTRACT With continuously growing numbers of applications, enterprises face the problem of efficiently managing the assignment of access permissions to their users. On the one hand, security demands a tight regime on permissions; on the other hand, users need permissions to perform their tasks. Rolebased access control (RBAC) has proven to be a solution to this problem but relies on a well-defined set of role definitions, a role concept for the enterprise in question. The definition of a role concept (role engineering) is a difficult task traditionally performed via interviews and workshops. However, often users already have the permissions that they need to do their jobs, and roles can be derived from these permission assignments using data mining technology, thus giving the process of role concept definition a head-start. In this paper, we present the ORCA role mining tool and its algorithm. The algorithm performs a cluster analysis on permission assignments to build a hierarchy of permission clusters and presents the results to the user in graphical form. It allows the user to interactively add expert knowledge to guide the clustering algorithm. The tool provides valuable insights into the permission structures of an enterprise and delivers an initial role hierarchy for the definition of an enterprise role concept using a bottom-up approach

An application of Hierarchical Temporal Memory (HTM)

Includes abstract.Includes bibliograpical references (leaves 76-82).While a number of neuromorphic studies have been based on understanding and building the brain in software and hardware, a recent theory has been presented from a high level, top down approach, with the view of understanding how the human brain performs higher reasoning, and then designing software infrastructure based on that theory - namely Hierarchical Temporal Memory (HTM). Current opinion raises question marks as to whether this theory is sound, feasible, coherent, logical and correct. This thesis aims to, if not answer some of those questions, at least get closer to understanding the brain and therefore implementing HTM theory in software for further use in an embedded environment. This paper begins by reviewing the discovery of the sensory input and chemical makeup of the signals in the brain, and then introduces mathematical abstraction to form a software program node

Context-aware access control in ubiquitous computing (CRAAC)

Ubiquitous computing (UbiComp) envisions a new computing environment, where computing devices and related technology are widespread (i.e. everywhere) and services are provided at anytime. The technology is embedded discreetly in the environment to raise users' awareness. UbiComp environments support the proliferation of heterogeneous devices such as embedded computing devices, personal digital assistants (PDAs), wearable computers, mobile phones, laptops, office desktops (PCs), and hardware sensors. These devices may be interconnected by common networks (e.g. wired, wireless), and may have different levels of capabilities (i.e. computational power, storage, power consumption, etc). They are seamlessly integrated and interoperated to provide smart services (i.e. adaptive services). A UbiComp environment provides smart services to users based on the users' and/or system's current contexts. It provides the services to users unobtrusively and in turn the user's interactions with the environment should be as non-intrusive and as transparent as possible. Access to such smart services and devices must be controlled by an effective access control system that adapts its decisions based on the changes in the surrounding contextual information. This thesis aims at designing an adaptive fine-grained access control solution that seamlessly fits into UbiComp environments. The solution should be flexible in supporting the use of different contextual information and efficient, in terms of access delays, in controlling access to resources with divergent levels of sensitivity. The main contribution of this thesis is the proposal of the Context-Risk-Aware Access Control (CRAAC) model. CRAAC achieves fine-grained access control based upon the risk level in the underlying access environment and/or the sensitivity level of the requested resource object. CRAAC makes new contributions to the access control field, those include 1) introducing the concept of level of assurance based access control, 2) providing a method to convert the contextual attributes values into the corresponding level of assurance, 3) Proposing two methods to aggregate the set of level of assurance into one requester level of assurance, 4) supporting four modes of working each suits a different application context and/or access control requirements, 5) a comprehensive access control architecture that supports the CRAAC four modes of working, and 6) an evaluation of the CRAAC performance at runtime.EThOS - Electronic Theses Online Serviceral Centre and Educational BureauCairo UniversityGBUnited Kingdo

Access Control Administration with Adjustable Decentralization

Access control is a key function of enterprises that preserve and propagate massive data. Access control enforcement and administration are two major components of the system. On one hand, enterprises are responsible for data security; thus, consistent and reliable access control enforcement is necessary although the data may be distributed. On the other hand, data often belongs to several organizational units with various access control policies and many users; therefore, decentralized administration is needed to accommodate diverse access control needs and to avoid the central bottleneck. Yet, the required degree of decentralization varies within different organizations: some organizations may require a powerful administrator in the system; whereas, some others may prefer a self-governing setting in which no central administrator exists, but users fully manage their own data. Hence, a single system with adjustable decentralization will be useful for supporting various (de)centralized models within the spectrum of access control administration. Giving individual users the ability to delegate or grant privileges is a means of decentralizing access control administration. Revocation of arbitrary privileges is a means of retaining control over data. To provide flexible administration, the ability to delegate a specific privilege and the ability to revoke it should be held independently of each other and independently of the privilege itself. Moreover, supporting arbitrary user and data hierarchies, fine-grained access control, and protection of both data (end objects) and metadata (access control data) with a single uniform model will provide the most widely deployable access control system. Conflict resolution is a major aspect of access control administration in systems. Resolving access conflicts when deriving effective privileges from explicit ones is a challenging problem in the presence of both positive and negative privileges, sophisticated data hierarchies, and diversity of conflict resolution strategies. This thesis presents a uniform access control administration model with adjustable decentralization, to protect both data and metadata. There are several contributions in this work. First, we present a novel mechanism to constrain access control administration for each object type at object creation time, as a means of adjusting the degree of decentralization for the object when the system is configured. Second, by controlling the access control metadata with the same mechanism that controls the users’ data, privileges can be granted and revoked to the extent that these actions conform to the corporation’s access control policy. Thus, this model supports a whole spectrum of access control administration, in which each model is characterized as a network of access control states, similar to a finite state automaton. The model depends on a hierarchy of access banks of authorizations which is supported by a formal semantics. Within this framework, we also introduce the self-governance property in the context of access control, and show how the model facilitates it. In particular, using this model, we introduce a conflict-free and decentralized access control administration model in which all users are able to retain complete control over their own data while they are also able to delegate any subset of their privileges to other users or user groups. We also introduce two measures to compare any two access control models in terms of the degrees of decentralization and interpretation. Finally, as the conflict resolution component of access control models, we incorporate a unified algorithm to resolve access conflicts by simultaneously supporting several combined strategies

Context Sensitive Access Control Model TI for Business Processes

Kontrola pristupa odnosno autorizacija, u širem smislu, razmatra na koji način korisnici mogu pristupiti resursima računarskog sistema i na koji način ih koristiti. Ova disertacija se bavi problemima kontrole pristupa u poslovnim sistemima. Tema disertacije je formalna specifkacija modela kontekstno zavisne kontrole pristupa u poslovnim sistemima koji je baziran na RBAC modelu kontrole pristupa. Uvođenjem kontekstno zavisne kontrole pristupa omogućeno je defnisanje složenijih prava pristupa koje u postojećim modelima kontrole pristupa za poslovne sisteme nije bilo moguće realizovati ili bi njihova realizacija bila komplikovana. Dati model primenljiv je u različitim poslovnim sistemima, a podržava defnisanje prava pristupa kako za jednostavne tako i za slo·zene poslovne tokove. Sistem je verifkovan na dva realna poslovna procesa pomoću razvijenog prototipa. Prikazana prototipska implementacija koja ispunjava ciljeve u pogledu funkcionalnosti postavljene pred sistem predstavlja potvrdu praktične vrednosti predloženog modela.Access control is concerned with the way in which users can access to resources in the computer system. This dissertation focuses on problems of access control for business processes. The subject of the dissertation is a formal specification of the RBAC-based context sensitive access control model for business processes. By using a context-sensitive access control it is possible to define more complex access control policies whose implementation in existing access control models for business processes is not possible or is very complicated. The given model is applicable in diferent business systems, and supports the definition of access control policies for both simple and complex business processes. The model's prototype is verified by two case studies on real business processes. The presented prototype implementation represents a proof of the proposed model's practical value