Role-Based Access Control Administration of Security Policies and Policy Conflict Resolution in Distributed Systems

摘要

Security models using access control policies have over the years improved from Role-based access control (RBAC) to newer models which have added some features like support for distributed systems and solving problems in older security policy models such as identifying policy conflicts. Access control policies based on hierarchical roles provide more flexibility in controlling system resources for users. The policies allow for granularity when extended to have both allow and deny permissions as well as weighted priority attribute for the rules in the policies. Such flexibility allows administrators to succinctly specify access for their system resources but also prone to conflict.This study found that conflicts in access control policies were still a problem even in recent literature. There have been successful attempts at using algorithms to identify the conflicts. However, the conflicts were only identified but not resolved or averted and system administrators still had to resolve the policy conflicts manually. This study proposed a weighted attribute administration model (WAAM) containing values that feed the calculation of a weighted priority attribute. The values are tied to the user, hierarchical role, and secured objects in a security model to ease their administration and are included in the expression of the access control policy. This study also suggested a weighted attribute algorithm (WAA) using these values to resolve any conflicts in the access control policies. The proposed solution was demonstrated in a simulation that combined the WAAM and WAA. The simulationu27s database used WAAM and had data records for access control policies, some of which had conflicts. The simulation then showed that WAA could both identify and resolve access control policy (ACP) conflicts while providing results in sub-second time. The WAA is extensible so implementing systems can extend WAA to meet specialized needs. This study shows that ACP conflicts can be identified and resolved during authorization of a user into a system.