
    Roles in information security - A survey and classification of the research area

    Motivation. The growing diffusion of information technologies within all areas of human society has increased their importance as a critical success factor in the modern world. However, information processing systems are vulnerable to many different kinds of threats that can lead to various types of damage resulting in significant economic losses. Consequently, the importance of Information Security has grown and evolved in a similar manner. In its most basic definition, Information Security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. The aim of Information Security is to minimize risks related to the three main security goals, confidentiality, integrity, and availability, usually referred to as "CIA"
    Computers & Security 30 (2011) 748-769. ISSN 0167-4048.

    Rancang Bangun Aplikasi User Dependency Tool Untuk Database Ms Sql Server Berbasis Graph Neo4j (Design and Development of a User Dependency Tool Application for Microsoft SQL Server Databases Based on the Neo4j Graph Database)

    Large companies and organizations have many different database users. These users include applications, marketing department employees, information technology department employees, database administrators, middleware, and others. This diversity of users is caused by the variety of information technology solutions deployed to meet business needs. It is also caused by the management of databases at each layer of the organization, from the database administrator down to the database users in each division or department. This diversity increases the complexity of the database access configuration, making it difficult for database administrators to monitor all user access. One solution for monitoring all user access is the SQL Server user management mechanism. Its main drawback is that the GUI (Graphical User Interface) shows users with their roles separately from objects with their permissions. As a result, the database administrator has to build a view, produced by one or more query executions, that combines the two separate displays. This method forces the administrator to open SSMS (SQL Server Management Studio) several times whenever user data together with roles and permissions is needed, and it impedes communication between the administrator and management for audit purposes. The ideal method for presenting standardized data quickly is one that a database administrator can understand easily without special support or documentation. In this study, the researcher aims to display database users together with their roles and their permissions on database objects as a simple visualization, namely a graph (nodes and relationships). The visualization is displayed using the Neo4j database as graph storage, in the form of a website. The developed visualization is also connected to the SQL Server database as the data source for the extraction process. The end result of this final project is the User Dependency Tool application, which displays database users together with their roles, permissions, database objects, and the relations among them in the form of a graph.

    An Access Definition and Query Language: Towards a Unified Access Control Model

    In this work we suggest a meta access control model that emulates established access control models by configuration and offers enhanced features such as the delegation of rights, ego-centered roles, and decentralized administration. The suggested meta access control model is named "Access Definition and Query Language" (ADQL). ADQL is represented by a formal, context-free grammar that allows the targeted access control model, policies, facts, and access queries to be expressed as a formal language.

    Semantic role-based access control

    In this thesis we propose two semantic ontological role-based access control (RBAC) reasoning processes. These processes infer user authorisations according to a set of role permission and denial assignments, together with user role assignments. The first process, SO-RBAC (Semantic Ontological Role-Based Access Control), uses OWL-DL to store the ontology and SWRL to perform reasoning. It is based mainly on RBAC models previously described using Prolog. This demonstrates the feasibility of writing an RBAC model in OWL and performing reasoning inside it, but it is still tied closely to descriptive logic concepts and does not effectively exploit OWL features such as the class hierarchy. To fully exploit the capabilities of OWL, it was necessary to enhance the SO-RBAC model by programming it in OWL-Full. The resulting OWL-Full model, ESO-RBAC (Enhanced Semantic Ontological Role-Based Access Control), uses Jena to perform reasoning and allows an object-oriented definition of roles and of data items. Defining roles as classes, and users as members of the classes representing roles, allows user-role assignments to be expressed in a way that is natural to OWL. All information relevant to determining authorisations is stored in the ontology. The resulting RBAC model is more flexible than models based on predicate logic and relational database systems. There are three motivations for this research. First, we found that relational database systems do not implement all of the features of RBAC that we modelled in Prolog. Furthermore, implementations of RBAC in database management systems are always vendor-specific, so the user depends on a particular vendor's procedures when granting permissions and denials. Second, Prolog and relational database systems cannot naturally represent hierarchical data, which is the backbone of any semantic representation of RBAC models. An RBAC model should be able to infer user authorisations from a hierarchy of both roles and data types, that is, determine permission or denial not just from the type of role (which may include sub-roles) but also from the type of data (which may include sub-types). Third, OWL reasoner-enabled ontologies allow us to describe and manipulate the semantics of RBAC differently, and consequently to address the previous two problems efficiently. The contribution of this thesis is twofold. First, we propose semantic ontological reasoning processes that are domain and implementation independent and can be run from any distributed computing environment; they can be developed through integrated development environments such as NetBeans and using OWL APIs. Second, we have pioneered a way of exploiting OWL and its reasoners for the purpose of defining and manipulating the semantics of RBAC. Therefore, we automatically infer OWL concepts according to a specific stage that we define in our proposed reasoning processes. OWL ontologies are not static vocabularies of terms and constraints that define the semantics of RBAC. They are repositories of concepts that allow ad-hoc inference, with the ultimate goal in RBAC of granting permissions and denials.