Scalable authorization in role-based access control using negative permissions and remote authorization

Show full item record

Title: Scalable authorization in role-based access control using negative permissions and remote authorization
Author: Shah, Arpan Pramod
Advisors: Dr. Peng Ning, Committee Member
Dr. Douglas S. Reeves, Committee Member
Dr. Gregory T. Byrd, Committee Chair
Abstract: Administration of access control is a major issue in large-scale computer systems. Many such computer systems proposed over recent years aim at reducing the effort required to govern access. Role-based access control (RBAC) systems are a huge benefit to this point. They reduce the tasks of an administrator or authorities when users take on different roles in an organization and need to be assigned different access rights or privileges based on these roles. RBAC is a very expressive and flexible access control mechanism that makes it possible to have security policies based on the principle of least privilege, static and dynamic separation of duties, conflicts between roles and permissions, and many more. This research proposes the use of negative permissions and remote authorization for improving the scalability of an RBAC implementation. We discuss how negative permissions would fit in the proposed RBAC model. The thesis describes a mechanism to implement such an RBAC system utilizing negative authorizations. Our implementation is an extension of the Java 2 security architecture to support negative authorizations. We provide support for hierarchy of roles and de-confliction of positive and negative authorizations using the most specific takes precedence model. Future extensions to the model and optimizations to the implemented algorithm are proposed. Another aspect of this thesis is the application of above RBAC model in a distributed environment utilizing a remote authorization management system. A remote authorization mechanism is appropriate in many client-server systems where there is control over the resources at an intermediate communication stack or a middleware component enforces the access rules. In our client-server architecture, an authorization server uses an RBAC system to control access to resources under its domain, and the enforcement of access rules is provided by a security overlay on privileged resources. We address how our negative permissions and remote authorization schemes augment RBAC scalability. We provide the requisite abstraction through UML and architecture diagrams for implementation in other languages and systems. A comparison of this work to other related research done in the RBAC domain is carried out, and future work in this area is discussed.
Date: 2003-06-02
Degree: MS
Discipline: Computer Networking

Files in this item

Files Size Format View
etd.pdf 486.9Kb PDF View/Open

This item appears in the following Collection(s)

Show full item record