Extended Privilege Inheritance in RBAC

M.A.C. Dekker, J.G. Cederquist, J. Crampton, Sandro Etalle

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

    4 Citations (Scopus)
    7 Downloads (Pure)

    Abstract

    In existing RBAC literature, administrative privileges are inherited just like ordinary user privileges. We argue that from a security viewpoint this is too restrictive, and we believe that a more flexible approach can be very useful in practice. We define an ordering on the set of administrative privileges, enabling us to extend the standard privilege inheritance relation in a natural way. This means that if a user has a particular administrative privilege, then she is also implicitly authorized for weaker administrative privileges. We prove the non-trivial result that it is possible to decide whether one administrative privilege is weaker than another and show how this result can be used to decide administrative requests in an RBAC security monitor.
    Original language: Undefined
    Title of host publication: Proceedings of the 2nd ACM symposium on Information, computer and communications security, ASIACCS 2007
    Editors: R. Deng, P. Samarati
    Place of Publication: New York
    Publisher: ACM Press
    Pages: 383-385
    Number of pages: 3
    ISBN (Print): 1-59593-574-6
    Publication status: Published - 2007
    Event: 2nd ACM Symposium on Information, Computer and Communications Security, ASIACCS 2007 - Singapore, Singapore
    Duration: 20 Mar 2007 - 22 Mar 2007
    Conference number: 2

    Publication series

    Name: Conference on Computer and Communications Security
    Publisher: ACM Press
    Number: LNCS4549

    Conference

    Conference: 2nd ACM Symposium on Information, Computer and Communications Security, ASIACCS 2007
    Abbreviated title: ASIACCS
    Country/Territory: Singapore
    City: Singapore
    Period: 20/03/07 - 22/03/07

    Keywords

    • EWI-10740
    • SCS-Cybersecurity
    • METIS-241765
    • RBAC
    • Access Control
    • administrative privileges
    • IR-61839
