Dynamic User Role Assignment in Remote Access Control

M. Saffarian, Qiang Tang, Willem Jonker, Pieter H. Hartel

Research output: Book/Report > Report > Professional


Abstract

The Role-Based Access Control (RBAC) model has been widely applied to a single domain in which users are known to the administrative unit of that domain beforehand. However, the application of the conventional RBAC model for remote access control scenarios is not straightforward. In such scenarios, the access requestor is outside of the provider domain and thus, the user population is heterogeneous and dynamic. Here, the main challenge is to automatically assign users to appropriate roles of the provider domain. Trust management has been proposed as a supporting technique to solve the problem of remote access control. The key idea is to establish a mutual trust between the requestor and provider based on credentials they exchange. However, a credential doesn't convey any information about the behavior of its holder during the time it is being used. Furthermore, in terms of privileges granted to the requestor, existing trust management systems are either too restrictive or not restrictive enough. In this paper, we propose a new dynamic user-role assignment approach for remote access control, where a stranger requests access from a provider domain. Our approach has two advantages compared to the existing dynamic user-role assignment techniques. Firstly, it addresses the principle of least privilege without degrading the efficiency of the access control system. Secondly, it takes into account both credentials and the past behavior of the requestor in such a way that he cannot compensate for the lack of necessary credentials by having a good past behavior.
Original language: Undefined
Place of Publication: Enschede
Publisher: Distributed and Embedded Security (DIES)
Number of pages: 15
Publication status: Published - 14 Apr 2009

Publication series

Name: CTIT Technical Report Series
Publisher: University of Twente, Centre for Telematica and Information Technology (CTIT)
No.: TR-CTIT-09-14
ISSN (Print): 1381-3625

Keywords

  • SCS-Cybersecurity
  • IR-65474
  • METIS-263828
  • Remote Access Control
  • EWI-15311
  • Secure Data Management
  • DB-SDM: SECURE DATA MANAGEMENT

Cite this

Saffarian, M., Tang, Q., Jonker, W., & Hartel, P. H. (2009). Dynamic User Role Assignment in Remote Access Control. (CTIT Technical Report Series; No. TR-CTIT-09-14). Enschede: Distributed and Embedded Security (DIES).
@book{5c82e8b5836b405e9f17fe91dbb8874c,
title = "Dynamic User Role Assignment in Remote Access Control",
keywords = "SCS-Cybersecurity, IR-65474, METIS-263828, Remote Access Control, EWI-15311, Secure Data Management, DB-SDM: SECURE DATA MANAGEMENT",
author = "M. Saffarian and Qiang Tang and Willem Jonker and Hartel, {Pieter H.}",
note = "eemcs-eprint-15311",
year = "2009",
month = "4",
day = "14",
language = "Undefined",
series = "CTIT Technical Report Series",
publisher = "Distributed and Embedded Security (DIES)",
number = "TR-CTIT-09-14",

}
