15 research outputs found

    Security policy integration based on role-based access control model in healthcare collaborative environments

    Recent research has focused on security policy integration and conflict reconciliation among healthcare organizations. However, challenging security and privacy risks still arise when sensitive patient data is shared across large distributed organizations. In this paper, we propose an approach for integrating security policies based on the Role-Based Access Control (RBAC) policy model that supports dynamic constraint rules and metadata information, reduces policy redundancy, and resolves conflicts according to the type of redundancy or conflict. We believe this work can support dynamic updates and control of policies in collaborative environments.

    Policy inconsistency detection based on RBAC model in cross-organizational collaboration

    Policy integration and conflict resolution among organizations remain a major challenge. Moreover, policy inconsistency detection using logical reasoning techniques that consider the integration requirements of the collaborating parties has not been well studied. In this paper, we propose a model to detect inconsistencies based on role-based access control (RBAC) that considers role hierarchy (RH) together with temporal and spatial constraints. A model to prune and collect only the required policies, based on the access control requirements of the different organizations, is designed. Policy inconsistency detection should be enhanced with logic-based analysis in order to support security policy integration. We believe this work provides a way to filter out a large number of unrelated policies and return only the potential collaboration policies for conflict resolution.

    An Effective Modality Conflict Model for Identifying Applicable Policies During Policy Evaluation

    Policy evaluation is the process of determining whether a request submitted by a user satisfies the access control policies defined by an organization. Modality conflict is one of the main issues in policy evaluation. Existing modality conflict detection approaches do not consider complex condition attributes such as spatial and temporal constraints. An effective authorization propagation rule is needed to detect the modality conflicts that occur among the applicable policies. This work proposes a modality conflict detection model that identifies the applicable policies during policy evaluation, supported by an authorization propagation rule that investigates the class-subclass relationships of the subject, resource, action, and location of a request and a policy. A comparison with previous work shows that considering the condition attributes (i.e. spatial and temporal constraints) affects the decision as to whether a policy should be retrieved as applicable, which in turn affects the accuracy of the modality conflict detection process, since the applicable policies retrieved for a request determine which modality conflicts can be detected among them. In conclusion, our proposed solution is more effective in identifying the applicable policies and detecting modality conflict than the previous work.

    Heterogeneity policy evaluation with modality conflict analysis

    Policy evaluation is the process of determining whether a request satisfies the access control policies. There are two main phases in policy evaluation, namely: (i) matching the attribute values of a request and a policy, and (ii) detecting modality conflict. Existing policy evaluation engines use a simple string-equality matching function and do not address naming heterogeneity. Authorizations could be propagated according to the inheritance relationships between concepts along not only the subject, resource, and action hierarchies but also the location hierarchy. This thesis proposes matching functions that go beyond string-equality matching in order to resolve naming heterogeneity, namely: synonym equal, hyponym, syntactical-synonym equal, syntactical-hyponym, syntactical equal, hyponym common word, and abbreviation equal. An authorization propagation rule is proposed to identify the applicable policies; it relies on inheritance relationships between concepts, on the basis of the partially ordered structures obtained by classifying the subject, resource, action, and condition attributes. Our solution assists policy administrators in filtering out irrelevant policies, which helps them resolve the modality conflicts among the applicable policies before the actual policy evaluation takes place. We evaluated the effectiveness of the proposed solution on real XACML policies for the university, conference management, and health-care domains. Our solution yielded a lower percentage of R but a higher percentage of P and F for all sets of policies when more attributes are considered in retrieving the applicable policies and in detecting modality conflict, compared with when these constraints are not considered. Our solution achieved a higher percentage of P, R, and F in matching the attribute values of a request and a policy, in retrieving the applicable policies, and in detecting modality conflict, as compared to the previous work. The accuracy of the proposed solution indicates that it is better than Sun's XACML implementation in policy evaluation.

    Modality conflict detection model with authorization propagation in policy evaluation

    Modality conflict is one of the main issues in policy evaluation. Existing modality conflict detection approaches do not consider complex condition attributes such as spatial and temporal constraints. In this paper, a modality conflict detection model is proposed to identify the applicable policies during policy evaluation, supported by an authorization propagation rule that investigates the class-subclass relationships of the subject, resource, action, and location of a request and a policy. We evaluated the effectiveness of the proposed modality conflict detection model on real XACML policies for the university, conference management, and health-care domains. Overall, our solution achieved a higher percentage of P, R, and F in retrieving the applicable policies and in detecting modality conflict as compared to the previous work.

    Modality conflict analysis in XACML policy evaluation

    Modality conflict is one of the main issues in policy evaluation. A modality conflict arises when two or more policies refer to the same subject, action, and resource but have modalities of opposite sign. Authorizations could be propagated according to the inheritance relationships between concepts, based not only on subject, resource, and action, but also on condition. Identifying the applicable policies and detecting modality conflict when temporal and spatial constraints are specified in the policies has not received enough attention. Hence, in this paper an authorization propagation rule is proposed to identify the applicable policies during policy evaluation; it relies on inheritance relationships between concepts, on the basis of the partially ordered structures obtained by classifying subject, resource, action, and condition attributes. An effective authorization propagation rule can detect most of the modality conflicts that occur among the applicable policies.

    Security extensible access control markup language policy integration based on role-based access control model in healthcare collaborative environments

    Recent research has focused on security policy integration and conflict reconciliation among healthcare organizations. Problem statement: Challenging security and privacy risks still arise when sensitive patient data is shared across large distributed organizations. Though the eXtensible Access Control Markup Language (XACML) has powerful expressive capacity, it does not support all the elements of RBAC. Thus, it has not been built to manage security in large distributed systems in the healthcare domain, where each organization may join or leave at runtime. Policy redundancy and conflict resolution are needed to remove redundancy and inconsistencies before security policies can be integrated for healthcare collaboration. Existing approaches did not address the policy redundancy and conflict resolution process based on the types of redundancy and conflict for a dynamic set of collaborating organizations. Besides that, a policy integration mechanism that generates the actual integrated security policy has not been well studied. Approach: In this study, we propose an approach for integrating XACML security policies based on the RBAC policy model, considering both constraints and metadata information. Besides that, an approach to filter and collect only the required policies from different organizations, based on the user's integration requirements, is investigated. It is important to resolve policy redundancy and conflicts based on the types of policy redundancy and conflict. Results: From observation and literature analysis, it can be concluded that our work provides the maximum confidence for pre-compiling a large number of policies and returning only the most similar policies for policy integration. Besides that, our approach proved that the more restrictive policy will be generated during policy integration. Conclusion: Our work can guarantee the completeness as well as the consistency of the access control policy. It is recommended that dynamic constraints such as dynamic Separation of Duty (SOD) be considered, because we believe this can support dynamic updates and control of policies in collaborative environments.