A Role-Based Access Control System API Supporting External Authority Interface

  • Ma, Jin (Dept. of Super Computing, KISTI)
  • Kim, Hyunah (Dept. of Computer Science, Kyonggi University)
  • Park, Minjae (Dept. of Computer Software, Daelim University)
  • Received : 2017.08.29
  • Accepted : 2018.02.21
  • Published : 2018.04.30

Abstract

Organizations that operate multiple enterprise systems integrate new systems over time. When a new system is integrated, one of the main considerations is single sign-on, so that authentication can be integrated and operated across systems. Implementing such an authority system with role-based access control requires a way to extend the access control model. In this paper, we therefore design an extended role-based access control model that interworks with a legacy authority system and provide its APIs. The extended model adds external authority information, which carries the authority information held by the external system, to the role-based authority information. We then describe the operations of the REST Web APIs that are based on this model. The method is described in terms of the back-end APIs and can be implemented as the operations of an extended role-based access control system.
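The abstract describes an RBAC core extended with authority information obtained from an external (legacy) authority system. The following is an added illustration of that idea, not code from the paper or its APIs: a small RBAC engine in which a user's effective roles are the union of locally assigned roles and roles reported by registered external authorities, translated through an explicit mapping table. The class and method names (`ExtendedRBAC`, `ExternalAuthority`, `LegacyDirectory`, `register_authority`), the mapping table and the sample users and groups are all constructed for this example.

```python
# Added example (not the paper's code): an RBAC core that consults an
# external authority system through a small adapter interface. Names such
# as ExternalAuthority, LegacyDirectory and the role-mapping table are
# constructed for illustration, not identifiers from the paper.
from dataclasses import dataclass
from typing import Dict, Protocol, Set, Tuple


@dataclass(frozen=True)
class Permission:
    action: str     # e.g. "read", "write"
    resource: str   # e.g. "report"


class ExternalAuthority(Protocol):
    """Interface a legacy authority system is wrapped behind (assumed)."""
    name: str

    def roles_for(self, user: str) -> Set[str]: ...


class LegacyDirectory:
    """Constructed in-memory stand-in for an external authority system."""
    name = "legacy-dir"

    def __init__(self, groups: Dict[str, Set[str]], fail: bool = False):
        self._groups = groups
        self._fail = fail  # simulate the external system being unreachable

    def roles_for(self, user: str) -> Set[str]:
        if self._fail:
            raise ConnectionError("external authority unreachable")
        return set(self._groups.get(user, ()))


class ExtendedRBAC:
    """Core RBAC (users -> roles -> permissions) extended with external authorities."""

    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[Permission]] = {}
        self.user_roles: Dict[str, Set[str]] = {}
        self.authorities: Dict[str, ExternalAuthority] = {}
        # (authority name, external role) -> local role; unmapped external roles are ignored
        self.role_map: Dict[Tuple[str, str], str] = {}

    def grant(self, role: str, action: str, resource: str) -> None:
        self.role_perms.setdefault(role, set()).add(Permission(action, resource))

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def register_authority(self, authority: ExternalAuthority, mapping: Dict[str, str]) -> None:
        """Attach an external authority and the explicit external->local role mapping."""
        self.authorities[authority.name] = authority
        for ext_role, local_role in mapping.items():
            self.role_map[(authority.name, ext_role)] = local_role

    def effective_roles(self, user: str) -> Set[str]:
        roles = set(self.user_roles.get(user, ()))
        for name, authority in self.authorities.items():
            try:
                ext_roles = authority.roles_for(user)
            except Exception:
                # Fail closed: an unreachable authority contributes no roles.
                continue
            for ext_role in ext_roles:
                local = self.role_map.get((name, ext_role))
                if local is not None:
                    roles.add(local)
        return roles

    def check(self, user: str, action: str, resource: str) -> bool:
        """Deny by default: allow only if some effective role holds the permission."""
        wanted = Permission(action, resource)
        return any(wanted in self.role_perms.get(r, ()) for r in self.effective_roles(user))


def build_demo(external_down: bool = False) -> ExtendedRBAC:
    """Constructed scenario: local roles plus a legacy directory mapped into them."""
    rbac = ExtendedRBAC()
    rbac.grant("viewer", "read", "report")
    rbac.grant("editor", "read", "report")
    rbac.grant("editor", "write", "report")
    rbac.assign("alice", "viewer")
    legacy = LegacyDirectory(
        {"alice": {"REPORT_EDITORS"}, "bob": {"SOME_OTHER_GROUP"}}, fail=external_down)
    rbac.register_authority(legacy, {"REPORT_EDITORS": "editor"})
    return rbac


if __name__ == "__main__":
    rbac = build_demo()
    print("alice write report:", rbac.check("alice", "write", "report"))   # True via legacy mapping
    print("bob read report:", rbac.check("bob", "read", "report"))         # False: unmapped group
    print("alice write (external down):",
          build_demo(external_down=True).check("alice", "write", "report"))  # False: fail closed
```

Two design choices matter for an interworking model of this kind. External role names never grant anything directly; they only become effective through the mapping table, so a group that exists in the legacy system but has no local counterpart confers no permission. And when the external authority cannot be reached, the decision falls back to locally assigned roles only, which keeps the system fail-closed rather than stalling or granting access on stale assumptions.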

  17. R. Sandhu, D. Ferraiolo, R. Kuhn, "The NIST Model for Role Based Access Control: Towards a Unified Standard," Proceedings, 5th ACM Workshop on Role Based Access Control, July 26-27, 2000, Berlin, pp.47-63 http://doi.org/10.1145/344287.344301