• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.13 no.4
• /
• pp.37-45
• /
• 2003

Role-based Access Control(RBAC) model has advantage of easy management of access control with constraints such as permission inheritance and separation of duty in role hierarchy. However, previous RBAC studies could not properly reflect the real-world organization structure with its role hierarchy. User who is a member of senior role can perform all permissions because senior role inherits all permissions of junior roles in the role hierarchy. Therefore there is a possibility for senior role members to abuse permissions due to violation of the least privilege principle. In this paper, we present a new model of role hierarchy, which restricts the unconditional permission inheritance. In the proposed model, a role is divided into sub roles(unconditional inheritance. restricted inheritance, private role), keeping organization structure in corporate environment. With restricted inheritance, the proposed model prevents permission abuse by specifying the degree of inheritance in role hierarchy.

• Proceedings of the Korea Society for Simulation Conference
• /
• 2005.11a
• /
• pp.51-55
• /
• 2005

Assuring integrity of permission assignment (PA) constraints is a difficult task in role-based access control (RBAC) because of the large number of constraints, users, roles and permissions in a large enterprise environment. We provide solutions for this problem using the conflict concept. This paper introduces the conflict model in order to understand the conflicts easily and to detect conflicts effectively. The conflict model is classified as a permission-permission model and a role-permission model. This paper defines two type conflicts using the conflict model. The first type is an inter-PA-constraints (IPAC) conflict that takes place between PA constraints. The other type is a PA-PAC conflict that takes place between a PA and a PA constraint (PAC) Also, the conditions of conflict occurrence are formally specified and proved. We can assure integrity on permission assignment by checking conflicts before PA and PA constraints are applied.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.12 no.4
• /
• pp.41-53
• /
• 2002

Role Based Access Control (RBAC), which is a method, using role as an access control, has been popular with users and it is recognized as an effective method to replace the Discretionary Access Control and the Mandatory Access Control However, the existing Role Based Access Control Models have only been limited to the bureaucracy organization in which a distinctive hierarchy system was used, incorporating a stable structure and a standardized work system. Only in some parts, some access control models have been used, which supports 'Team' concept, such as Team Based Access Control Model. However, it did not incorporate the characteristics of the adhocracy organization, which is similar to the company's task force team, whose characteristics are organic, temporary, no standardized operation procedures, and many frequent changes. In this study, we have discussed the characteristics of the adhocracy organization which is different from the existing bureaucracy organization, and we have also discussed the problems related to when the existing access control models are used as the access control model for the adhocracy organization due to its characteristics. In addition, based on the problems, we have suggested an improved role based access control model for the adhocracy organization, and have come up with the solutions when any problems occur in the access control system.

• The Transactions of the Korea Information Processing Society
• /
• v.5 no.7
• /
• pp.1801-1812
• /
• 1998

기존의 접근 제어 메커니즘인 강제적 접근 제어와 임의적 접근 제어는 무결성을 요구하는 상용 환경의 정보 보안에는 부족하여 이의 대안으로 직무 기반 접근 제어 (RBAC:Role Based Access Control)가 주목 받고 있으며, 직무를 수행하는 사용자의 의무 분리(Separation of Duty)에 대한 연구가 최근 이루어지고 있다. RBAC에서 사용자는 직무에 배정된 접근권한(Privilege) 만을 수행하여야 하는데 상호 배타적(Mutual exclusive)특성을 갖는 직무는 표현 및 접근 권한의 직무 배정과 수행에 있어서 어려움이 있다. 본 논문에서는 RBAC의 기본 특성을 분석하여 직무에 접근권한을 부여하고 사용자를 직무에 배정하는데 따른 안전한 접근 제어를 위하여 반순서 관계를 갖는 직무의 승계 속성에 따라 직무의 계층 형태를 분류하고, 직무에 배정되는 접근권한의 표현과 관리를 용이하게 하기 위하여 객체에 부여된 객체 접근권한을 분석하여 방향성 그래프를 이용하여 기본 접근권한으로 모델링한다. 접근권한 그래프(Privilege Graph)로 표현된 기본 접근권한에 직무를 배정하면 상호 배타적 직무의 접근권한과 의무 분리의 표현 및 관리를 용이하게 할 수 있다. 이를 기반으로 의무 분리를 포함한 RBAC의 안정성 특성과 접근권한 그래프를 이용한 직무의 의무 분리를 위한 직무 관리 알고리즘을 제시한다.

• The KIPS Transactions:PartC
• /
• v.14C no.1 s.111
• /
• pp.65-72
• /
• 2007

The existing RBAC models are not sufficient for managing delegations or separation of roles. Researches have been done on RBDM(Role Based Delegation Model) that deal with delegating role or permission to other users. In this paper, we divide the delegated roles into two groups: periodic and temporary delegation roles. When a role is delegated, a time period is assigned together, which is used to revoke the permission of delegated role automatically. In our model, the role of monotonic delegation by an original user can be revoked at any time in case of malicious use by the delegated user. The contribution of our model is that the malicious use of delegated role can be prohibited and security vulnerability in the role hierarchy due to role delegations can be alleviated. The proposed model, T RBDM(Time out Based RBDM) is analyzed and compared with the conventional models, such as RBDM0, RBDM1 and PBDM. Our model shows an advantage over other models in terms of security robustness.

• Convergence Security Journal
• /
• v.16 no.7
• /
• pp.77-84
• /
• 2016

In general RBAC(Role-Based-Access Control) model, senior role has junior role's permissions by virtue of role hierarchy. But although the opposite case is needed partially in medical institutions, such case cannot be performed in medical information systems. This is because inheritances of permissions in role hierarchies are static. In order to tackle this problem, this paper defined a dynamic role assignment, thereby proposed the way for the junior temporarily to be able to perform the permissions of the senior, and showed the applications of medical information systems.

• Proceedings of the Korea Institutes of Information Security and Cryptology Conference
• /
• 2001.11a
• /
• pp.33-38
• /
• 2001

역할기반 접근제어(RBAC : Role Based Access Control)는 임의적 접근제어와 강제적 접근제어에 비해 견고함과 유연성을 제공한다. 따라서 RBAC은 최근 금융시스템 및 병원시스템 등에서 많은 관심의 대상이 되고 있다. 본 논문에서는 안전성이 인증된 다중등급보안(MLS : Multi-Level Security) 리눅스를 이용하여 인터넷상에서 가상은행의 금융업무를 안전하게 처리할 수 있는 다중등급기반의 RBAC 시스템을 구현함을 보인다.

• Proceedings of the Korean Information Science Society Conference
• /
• 2001.04a
• /
• pp.790-792
• /
• 2001

오늘날 웹서버를 활용한 업무처리 시스템에서는 웹서버의 기능이 중앙집중화된 정보시스템보다는 웹서버가 처리해야 할 기능별로 별도의 웹서버를 두어 부하를 분산시켜 처리하는 시스템 구성이 일반적이다. 이러한 환경에서 자연히 웹서버도 많아지고 사용하려는 사용자도 많아지게 되는데 이때 이러한 사용자가 웹서버에 제공하는 자원에 대한 접근을 제어할 필요가 있게 된다. 이를 위한 효율적인 방안으로 RBAC(Role Based Access Control)을 사용하는 방법을 생각할 수 있다. 그러나 복수개의 서로 다른 서비스를 담당하는 각각의 서버에는 서로 다른 RBAC 구조가 존재할 수 있게 된다. 이러한 시스템환경에서 일반적으로 한사람의 사용자는 각각의 서버마다 서로 다른 역할을 담당하게 되고 자신의 업무를 처리하는데 있어 각각의 서버별로 별도의 역할을 부여받게 된다. 이에 본 논문에서는 동일 도메인내에서의 분산 웹서버들이 존재할 때 현재 접근제어의 가장 적합한 개념인 역할기반 접근제어기법을 응용하여 사용자가 복수개의 이들 웹서버를 사용하여 업무를 처리함에 있어 매번 각 서버에서 인증을 받아야하는 불편을 없애 이 문제를 효율적으로 해결해 보고자하며 이를 위해 기존의 RBAC에 Role의 상위 개념인 Work개념을 도입해 사용자가 자신의 업무를 수행시 Role이 아닌 좀더 추상적이고 포괄적 개념인 Work를 선택할 수 있게 함으로 해서 각 서버에서 선택된 Work에 따라 자신에게 부여되는 권한을 이용해 원활하게 업무를 수행할 수 있도록 하는 방법을 제안한다.

• The KIPS Transactions:PartC
• /
• v.14C no.6
• /
• pp.537-544
• /
• 2007

A home network is a residential local area network in which digital home appliances are connected with each other. Applying the mobile agent technology to the home network is expected to provide a new computing model. In particular, mobility and asynchronous ability of mobile agent can be used to reduce network traffic generated for managing home appliances. However, in order to apply the mobile agent concept to the home network, access control for mobile agents is necessary. In the existing home network system, there is one special server, sometimes called home server This server generally has mapping tables to be updated periodically, which describes access control lists between users' authorities and corresponding devices. In this paper, we propose a role-based access control framework with mobile agents in home networks. This framework, called Secure KAgent framework, is designed and implemented based on KAgent system. It has two main characteristics: to control access permissions based on Role-Based Access Control(RBAC) scheme and to safety assign roles to mobile agents by role tickets.

• KIISE Transactions on Computing Practices
• /
• v.22 no.9
• /
• pp.441-448
• /
• 2016

RBAC(Role-Based Access Control), which is widely used in Medical Information Systems, is vulnerable to illegal access through abuse/misuse of permissions. In order to solve this problem, treatment based risk assessment of access requests is necessary. In this paper, we propose a risk evaluation method based on treatment information. We use network analysis to determine the correlation between treatment information and access objects. Risk evaluation can detect access that is unrelated to the treatment. It also provides indicators for information disclosure threats of insiders. We verify the validity using large amounts of data in real medical information systems.