Role-Based Authorization Constraints Specification

Gail-Joon Ahn, Ravi Sandhu

Research output: Contribution to journalArticle

312 Citations (Scopus)

Abstract

Constraints are an important aspect of role-based access control (RBAC) and are often regarded as one of the principal motivations behind RBAC. Although the importance of constraints in RBAC has been recognized for a long time, they have not received much attention. In this article, we introduce an intuitive formal language for specifying role-based authorization constraints named RCL 2000 including its basic elements, syntax, and semantics. We give soundness and completeness proofs for RCL 2000 relative to a restricted form of first-order predicate logic. Also, we show how previously identified role-based authorization constraints such as separation of duty (SOD) can be expressed in our language. Moreover, we show there are other significant SOD properties that have not been previously identified in the literature. Our work shows that there are many alternate formulations of even the simplest SOD properties, with varying degree of flexibility and assurance. Our language provides us a rigorous foundation for systematic study of role-based authorization constraints.

Original languageEnglish (US)
Pages (from-to)207-226
Number of pages20
JournalACM Transactions on Information and System Security
Volume3
Issue number4
DOIs
StatePublished - Nov 1 2000
Externally publishedYes

Fingerprint

Access control
Specifications
Formal languages
Semantics

Keywords

  • Access control models
  • authorization constraints
  • constraints specification
  • Languages
  • role-based access control
  • Security

ASJC Scopus subject areas

  • Computer Science(all)
  • Safety, Risk, Reliability and Quality

Cite this

Role-Based Authorization Constraints Specification. / Ahn, Gail-Joon; Sandhu, Ravi.

In: ACM Transactions on Information and System Security, Vol. 3, No. 4, 01.11.2000, p. 207-226.

Research output: Contribution to journalArticle

@article{dfe5ea4cd05645439ca085aa1cacbe98,
title = "Role-Based Authorization Constraints Specification",
abstract = "Constraints are an important aspect of role-based access control (RBAC) and are often regarded as one of the principal motivations behind RBAC. Although the importance of constraints in RBAC has been recognized for a long time, they have not received much attention. In this article, we introduce an intuitive formal language for specifying role-based authorization constraints named RCL 2000 including its basic elements, syntax, and semantics. We give soundness and completeness proofs for RCL 2000 relative to a restricted form of first-order predicate logic. Also, we show how previously identified role-based authorization constraints such as separation of duty (SOD) can be expressed in our language. Moreover, we show there are other significant SOD properties that have not been previously identified in the literature. Our work shows that there are many alternate formulations of even the simplest SOD properties, with varying degree of flexibility and assurance. Our language provides us a rigorous foundation for systematic study of role-based authorization constraints.",
keywords = "Access control models, authorization constraints, constraints specification, Languages, role-based access control, Security",
author = "Gail-Joon Ahn and Ravi Sandhu",
year = "2000",
month = "11",
day = "1",
doi = "10.1145/382912.382913",
language = "English (US)",
volume = "3",
pages = "207--226",
journal = "ACM Transactions on Information and System Security",
issn = "1094-9224",
publisher = "Association for Computing Machinery (ACM)",
number = "4",

}

TY - JOUR

T1 - Role-Based Authorization Constraints Specification

AU - Ahn, Gail-Joon

AU - Sandhu, Ravi

PY - 2000/11/1

Y1 - 2000/11/1

N2 - Constraints are an important aspect of role-based access control (RBAC) and are often regarded as one of the principal motivations behind RBAC. Although the importance of constraints in RBAC has been recognized for a long time, they have not received much attention. In this article, we introduce an intuitive formal language for specifying role-based authorization constraints named RCL 2000 including its basic elements, syntax, and semantics. We give soundness and completeness proofs for RCL 2000 relative to a restricted form of first-order predicate logic. Also, we show how previously identified role-based authorization constraints such as separation of duty (SOD) can be expressed in our language. Moreover, we show there are other significant SOD properties that have not been previously identified in the literature. Our work shows that there are many alternate formulations of even the simplest SOD properties, with varying degree of flexibility and assurance. Our language provides us a rigorous foundation for systematic study of role-based authorization constraints.

AB - Constraints are an important aspect of role-based access control (RBAC) and are often regarded as one of the principal motivations behind RBAC. Although the importance of constraints in RBAC has been recognized for a long time, they have not received much attention. In this article, we introduce an intuitive formal language for specifying role-based authorization constraints named RCL 2000 including its basic elements, syntax, and semantics. We give soundness and completeness proofs for RCL 2000 relative to a restricted form of first-order predicate logic. Also, we show how previously identified role-based authorization constraints such as separation of duty (SOD) can be expressed in our language. Moreover, we show there are other significant SOD properties that have not been previously identified in the literature. Our work shows that there are many alternate formulations of even the simplest SOD properties, with varying degree of flexibility and assurance. Our language provides us a rigorous foundation for systematic study of role-based authorization constraints.

KW - Access control models

KW - authorization constraints

KW - constraints specification

KW - Languages

KW - role-based access control

KW - Security

UR - http://www.scopus.com/inward/record.url?scp=84956993736&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84956993736&partnerID=8YFLogxK

U2 - 10.1145/382912.382913

DO - 10.1145/382912.382913

M3 - Article

AN - SCOPUS:84956993736

VL - 3

SP - 207

EP - 226

JO - ACM Transactions on Information and System Security

JF - ACM Transactions on Information and System Security

SN - 1094-9224

IS - 4

ER -