The present work considers structural modification of the role hierarchy in a formal model of the role-based access control. The marked directed graph (the role graph), graphically representing an ordered set of roles, was analyzed to define the ordering relation in the role set and to distribute permissions according to the generated hierarchy. We constructed algorithms of the role graph’s transformations using different criteria of optimality and proved correctness of these algorithms. In the process, such characteristics as principles of permission distribution in the system, presence of role duplicates, the role graph’s peculiarities, e.g. how tree-like the graph is, were considered. The main result of the work is proof of possibility of constructing several role graphs corresponding to the same RBAC model. Thus, on the basis of relevant criteria, one can transform the role graph to make analysis and modification of a given RBAC model more effective.
E.Bertino, E.Terzi, A.Kamra and A.Vakali, Intrusion detection in RBAC-administered databases, in: Proceedings of the 21st Annual Computer Security Applications Conference, 2005, pp. 170–182.
2.
R.Chandramouli and R.Sandhu, Role based access control features in commercial database management systems, in: Proceedings of the 21st National Information Systems Security Conference, Crystal City, Virginia, 1998.
3.
A.Colantonio, R.D.Pietro, A.Ocello and N.V.Verde, Taming role mining complexity in RBAC, Computers & Security29(5) (2010), 548–564.
4.
J.Crampton and G.Loizou, Administrative scope and role hierarchy operations, in: Proceedings of Seventh ACM Symposium on Access Control Models and Technologies (SACMAT 2002), 2002, pp. 145–154.
5.
J.Crampton and G.Loizou, Administrative scope: A foundation for role-based administrative models, ACM Transactions on Information and System Security6(2) (2003), 201–231.
6.
D.Ferraiolo, J.Cugini and R.Kuhn, Role-based access control: Features and motivations, in: Proceedings of 11th Annual Computer Security Applications Conference, IEEE Computer Society Press, 1995, pp. 249–255.
7.
D.Ferraiolo and R.Kuhn, Role-based access control, in: Proceedings of 15th NIST-NCSC National Computer Security Conference, Baltimore, Maryland, 1992, pp. 554–563.
8.
D.Ferraiolo, R.Sandhu, S.Gavrila, D.R.Kuhn and R.Chandramouli, Proposed NIST standard for role based access control, ACM Transactions on Information and System Security4(3) (2001), 224–274.
9.
M.Grobe-Rhode, F.P.Presicce and M.Simeoni, Formal software specification with refinements and modules of typed graph transformation systems, Journal of Computer and System Sciences64(2) (2002), 171–218.
10.
T.Jaeger and J.Tidswell, Rebuttal to the NIST RBAC model proposal, in: Proceedings of 5th ACM Workshop on Role-Based Access Control, Berlin, Germany, 2000, pp. 65–66.
11.
M.Koch, L.V.Mancini and F.Parisi-Presicce, A formal model for role-based access control using graph transformation, in: Proc. of 5th ESORICS, LNCS, Vol. 1895, 2000, pp. 122–139.
12.
M.Koch, L.V.Mancini and F.Parisi-Presicce, Decidability of safety in graph-based models for access control, in: Proc. of 7th ESORICS, LNCS, Vol. 2502, 2002, pp. 229–243.
13.
M.Koch, L.V.Mancini and F.Parisi-Presicce, A graph-based formalism for RBAC, ACM Transactions on Information and System Security5(3) (2002), 332–365.
14.
M.Koch, L.V.Mancini and F.Parisi-Presicce, Graph-based specification of access control policies, Journal of Computer and System Sciences71(1) (2005), 1–33.
15.
M.Koch and F.Parisi-Presicce, Describing policies with graph constraints and rules, in: Proceeding ICGT’02 Proceedings of the First International Conference on Graph Transformation, 2002, pp. 223–238.
16.
M.Leitner, Delta analysis of role-based access control models, in: Lecture Notes in Computer Science, Vol. 8111, 2013, pp. 507–514.
17.
N.Li and Z.Mao, Administration in role-based access control, in: ASIACCS’07 Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, 2007, pp. 127–138.
18.
Y.Nakamura, SELinux policy editor RBAC guide, 2006, pp. 1–8, available at: http://seedit.sourceforge.net/doc/2.0/rbac_guide.pdf.
19.
M.Nyanchama and S.L.Osborn, Access rights administration in role-based security systems, in: Proceedings of the IFIP WG11.3 Working Conference on Database Security VII, North-Holland, 1994, pp. 37–56.
20.
M.Nyanchama and S.L.Osborn, The role graph model and conflict of interest, ACM Transactions on Information and System Security2(1) (1999), 3–33.
21.
Oracle, Oracle Solaris administration: Security services, 2012, pp. 131–210, available at: http://docs.oracle.com/cd/E23824_01/pdf/821-1456.pdf.
22.
S.L.Osborn, Integrating role graphs: A tool for security integration, Data & Knowledge Engineering43(3) (2002), 317–333.
23.
S.L.Osborn, Role-based access control: Past, present and future, in: PST’06 Proceedings of the 2006 International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services, ACM International Conference Proceeding Series, 2006, p. 4.
24.
S.L.Osborn, Y.Han and J.Liu, A methodology for managing roles in legacy systems, in: SACMAT’03 Proceedings of the Eighth ACM Symposium on Access Control Models and Technologies, 2003, pp. 33–40.
25.
R.S.Sandhu and V.Bhamidipati, Role-based administration of user-role assignment: The URA97 model and its Oracle implementation, Journal of Computer Security7 (1999), 317–342.
26.
R.S.Sandhu, V.Bhamidipati, E.Coyne, S.Ganta and C.Youman, The ARBAC97 model for role-based administration of roles: Preliminary description and outline, in: Proceedings of the Second ACM Workshop on Role-Based Access Control (RBAC 1997), 1997, pp. 41–50.
27.
R.S.Sandhu, V.Bhamidipati and Q.Munawer, The ARBAC97 model for role-based administration of roles, ACM Transactions on Information and Systems Security2(1) (1999), 105–135.
28.
R.S.Sandhu, E.J.Coyne, H.L.Feinstein and C.E.Youman, Role based access control: A multidimensional view, in: Proceedings of 10th Annual Computer Security Applications Conference, Orlando, 1994, pp. 54–62.
29.
R.S.Sandhu, E.J.Coyne, H.L.Feinstein and C.E.Youman, Role-based access control models, IEEE Computer29(2) (1996), 38–47.
30.
R.S.Sandhu, D.Ferraiolo and R.Kuhn, The NIST model for role-based access control: Towards a unified standard, in: Proceedings of 5th ACM Workshop on Role-Based Access Control, Berlin, Germany, 2000, pp. 47–63.
31.
Sun Microsystems, RBAC in the Solaris operating environment, available at: http://www.oracle.com/technetwork/server-storage/solaris/overview/wp-rbac-149876.pdf.
32.
M.N.Tahir, Hierarchies in contextual role-based access control model (C-RBAC), International Journal of Computer Science and Security (IJCSS)2(4) (2008), 28–42.
33.
M.Theriault and F.Newman, Oracle 9: Oracle Security Handbook, McGraw-Hill/Osborne, 2001.
34.
R.Thion and S.Coulondre, Representation and reasoning on role-based access control policies with conceptual graphs, in: Proceeding of Conceptual Structures: Inspiration and Application, 14th International Conference on Conceptual Structures, ICCS 2006, Aalborg University, Denmark, 2006, pp. 427–440.
35.
M.Toahchoodee, I.Ray and R.M.McConnell, Using graph theory to represent a spatio-temporal role-based access control model, International Jornal of Next-Generation Computing1(2) (2010), 231–250.
36.
H.Wang and S.L.Osborn, Static and dynamic delegation in the role graph model, IEEE Trans. Knowl. Data Eng.23(10) (2011), 1569–1582.
37.
D.Zhang, K.Ramamohanarao, S.Versteeg and R.Zhang, Graph based strategies to role engineering, in: CSIIRW’10 Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research, 2010, Article N. 25.
