Abstract
In the last few years there has been an increasing interest for a novel category of access control models known as location-based or spatially-aware role-based access control (RBAC) models. Those models advance classical RBAC models in that they regulate the access to sensitive resources based on the position of mobile users. An issue that has not yet been investigated is how to administer spatially-aware access control policies. In this paper we introduce GEO-RBAC Admin, the administration model for the location-based GEO-RBAC model. We discuss the concepts underlying such administrative model and present a language for the specification of GEO-RBAC policies.
Similar content being viewed by others
References
Damiani, M.L., Bertino, E., Catania, B., Perlasca, P.: GEO-RBAC: a spatially Aware RBAC. ACM Trans. Inform. Syst. Secur. (TISSEC). 10(1), 2 (2007)
Kern, A., Schaad, A., Moffet, J.: An adminstration concept for the enterprise role-based access control model. In: Proceedings of the 8th ACM Symposium on Access Control Models and Technologies (2003)
Bertino, E., Andrea Bonatti, P., Ferrari, E.: TRBAC: a temporal role-based access control model. ACM Trans. Inform. Syst. Secur. 4(3), 191–233 (2001)
Covington, M.J., Long, W., Srinivasan, S., Dev, A.K., Ahamad, M., Abowd, G.D.: Securing context-aware applications using environment roles. In: Proceedings of the 6th ACM symposium on Access Control Models and Technologies (SACMAT’01), pp. 10–20. ACM Press, Chantilly, Virginia, USA (2001)
Hansen, F., Oleshchuk, V.: SRBAC: a spatial role-based access control model for mobile systems. In: Proceedings of the 7th Nordic Workshop on Secure IT Systems (NORDSEC’03), pp. 129–141. Gjøvik, Norway (2003)
Fu, S., Xu, C.Z.; A coordinated spatio-temporal access control model for mobile computing in coalition environments. In: Proceedings of the 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS’05)-Workshop17 (2005)
Chandran, S.M., Joshi, J.B.D.: LoT RBAC: a location and time-based rbac model. In: Proceedings of the 6th International Conference on Web Information Systems Engineering (WISE’05), pp. 361–375. Springer-Verlag, New York, USA (2005)
Kumar, M., Newman, R.: STRBAC – an approach towards spatio-temporal role-based access control. In: Communication, Network, and Information Security, pp. 150–155 (2006)
Aich, S., Sural, S., Majumdar, A.K.: STARBAC: spatio temporal role based access control. In: OTM Conferences (2) 2007, pp. 1567–1582 (2007)
Sandhu, R., Bhamidipati, V., Munawer, Q.: The ARBAC97 model for role-based administration of roles. ACM Trans. Inform. Syst. Secur. 2(1), 105–135 (1999)
Crampton, J., Loizou, G.: Administrative scope: a foundation for role-based administrative models. ACM Trans. Inform. Syst. Secur. 6(2), 201–231 (2003)
Oh, S., Sandhu, R., Zhang, X.: An effective role administration model using organization structure. ACM Trans. Inform. Syst. Secur. 9(2), 113–137 (2006)
Li, N., Mao, Z.: Administration in role-based access control. In: ASIACCS ’07: Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, pp. 127–138. ACM Press, New York, NY, USA (2007)
Bhatti, R., Joshi, J.B.D., Bertino, E., Ghafoor, A.: X-GTRBAC Admin: a decentralized administration model for enterprise-wide access control. ACM Trans. Inform. Syst. Secur. 4, 388–423 (2005).
Bertino, E., Jajodia, S., Samarati, P.: A flexible authorization mechanism for relational data management systems. ACM Trans. Inform. Syst. 17(2), 101–140 (1999)
Griffiths, P.P., Wade, B.W.: An authorization mechanism for a relational database system. ACM Trans. Database Syst. 1(3), 242–255 (1976)
Acknowledgements
This work has been partially funded by the European Commission in the context of the project Geographic Privacy-aware Knowledge Discovery and Delivery (GeoPKDD); IST-6FP-014915; web site: http://www.geopkdd.eu.
Author information
Authors and Affiliations
Corresponding author
Appendix: The Operations in GEO-RBAC Admin
Appendix: The Operations in GEO-RBAC Admin
In this section we report the set of administrative commands along with their semantics. Administrative commands are presented in three distinct tables: Table 10 contains the administrative functions for the management of regular roles and regular role-permission assignment; Table 11 contains the administrative functions for the management of administrative roles and administrative role-permission assignment; Table 12 contains both the administrative commands for the management of users and user-role assignment, and the Review Functions.
1.1 Conventions and Tables of Administrative Commands
Preliminarily we recall and extend the notation presented in Sect. 4.4
-
C d is the current domain in which the operation is invoked: the current domain is known because we assume it is specified by the user at login time. C r is the admin role of the initiator of the administrative operation. We assume that whenever an admin operation is invoked the system first checks whether the initiator has an admin role in the current domain.
-
SubD(r,d) returns the set of sub-domains of d created by admin role r where sub-domains are specified by their name;
-
d_Prms(r,d) returns the set of application and system permissions assigned to admin role r in domain d: this set is comprehensive of the permissions assigned to both the schema of r and directly to r; function Sk(r) returns the schema of role r.
-
TypeOf returns the type of a spatial feature; Contains(a,b) is a spatial predicate that is True if the extent of feature b is contained in the extent of feature a.
-
The following functions are defined over the Admin Hierarchy AH: ChildrenT(r,d) and DescendantT(r,d) return, respectively, the set of children and the descendants of [r,d] in AH; AddChildT(d,r,d′,r′) creates a new node [d′,r′] as child of node [d,r]; UpdateChildT(d,r,d′,r′) updates the role field of the child of node [r,d ] having domain d′ with value r′; DeleteChildrenT(d,r,d′) deletes the nodes [d′−], which are children of [d,r] in AH.
Rights and permissions
About this article
Cite this article
Damiani, M.L., Bertino, E. & Silvestri, C. Spatial Domains for the Administration of Location-based Access Control Policies. J Netw Syst Manage 16, 277–302 (2008). https://doi.org/10.1007/s10922-008-9106-0
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10922-008-9106-0