We consider an extension of the Role-Based Access Control model in which rules assign users to roles based on attributes. We consider an open (allow-by-default) policy approach in which rules can assign users negated roles thus preventing access to the permissions associated to the role. The problems of detecting redundancies and inconsistencies are formally stated. By expressing the conditions on the attributes in the rules with formulae of theories that can be efficiently decided by Satisfiability Modulo Theories (SMT) solvers, we characterize the decidability and complexity of the problems of detecting redundancies and inconsistencies. The proof of the result is constructive and based on an algorithm that repeatedly solves SMT problems. An experimental evaluation with synthetic benchmark problems shows the practical viability of our technique.

Automated and Efficient Analysis of Role-Based Access Control with Attributes / Armando, A; Ranise, S. - 7371:(2012), pp. 25-40. (Intervento presentato al convegno 26th Conference on Data and Applications Security and Privacy (DBSec) tenutosi a Paris nel 19-21/07/2012).

Automated and Efficient Analysis of Role-Based Access Control with Attributes

Ranise, S
2012-01-01

Abstract

We consider an extension of the Role-Based Access Control model in which rules assign users to roles based on attributes. We consider an open (allow-by-default) policy approach in which rules can assign users negated roles thus preventing access to the permissions associated to the role. The problems of detecting redundancies and inconsistencies are formally stated. By expressing the conditions on the attributes in the rules with formulae of theories that can be efficiently decided by Satisfiability Modulo Theories (SMT) solvers, we characterize the decidability and complexity of the problems of detecting redundancies and inconsistencies. The proof of the result is constructive and based on an algorithm that repeatedly solves SMT problems. An experimental evaluation with synthetic benchmark problems shows the practical viability of our technique.
2012
26th Conference on Data and Applications Security and Privacy (DBSec)
HEIDELBERGER PLATZ 3, D-14197 BERLIN, GERMANY
SPRINGER-VERLAG BERLIN
Armando, A; Ranise, S
Automated and Efficient Analysis of Role-Based Access Control with Attributes / Armando, A; Ranise, S. - 7371:(2012), pp. 25-40. (Intervento presentato al convegno 26th Conference on Data and Applications Security and Privacy (DBSec) tenutosi a Paris nel 19-21/07/2012).
File in questo prodotto:
Non ci sono file associati a questo prodotto.

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11572/333048
 Attenzione

Attenzione! I dati visualizzati non sono stati sottoposti a validazione da parte dell'ateneo

Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus ND
  • ???jsp.display-item.citation.isi??? 12
social impact