Abstract
Delegation is a mechanism that allows a user A to act on another user B’s behalf by making B’s access rights available to A. It is well recognized as an important mechanism to provide resiliency and flexibility in access control systems, and has gained popularity in the research community. However, most existing literature focuses on modeling and managing delegations. Little work has been done on understanding the impact of delegation on the security of existing access control systems. In particular, no formal notion of security with respect to delegation has been proposed. Many existing access control systems are designed without having delegation in mind. Simply incorporating a delegation module into those systems may cause security breaches.
This paper focuses on the security aspect of delegation in access control systems. We first give examples on how colluding users may abuse the delegation support of access control systems to circumvent security policies, such as separation of duty. As a major contribution, we propose a formal notion of security with respect to delegation in access control systems. After that, we discuss potential mechanisms to enforce security. In particular, we design a novel source-based enforcement mechanism for workflow authorization systems so as to achieve both security and efficiency.
Chapter PDF
Similar content being viewed by others
References
Atluri, V., Warner, J.: Supporting conditional delegation in secure workflow management systems. In: SACMAT 2005: Proceedings of the tenth ACM symposium on Access control models and technologies, pp. 49–58. ACM Press, New York (2005)
Barka, E., Sandhu, R.: Framework for role-based delegation models. In: ACSAC 2000: Proceedings of the 16th Annual Computer Security Applications Conference, Washington, DC, USA, p. 168. IEEE Computer Society Press, Los Alamitos (2000)
Barka, E., Sandhu, R.: A role-based delegation model and some extensions (2000)
Bertino, E., Ferrari, E., Atluri, V.: The specification and enforcement of authorization constraints in workflow management systems. ACM Transactions on Information and System Security 2(1), 65–104 (1999)
Crampton, J.: A reference monitor for workflow systems with constrained task execution. In: Proceedings of the Tenth ACM Symposium on Access Control Models and Technologies (SACMAT 2005), Stockholm, Sweden, June 2005, pp. 38–47 (2005)
Crampton, J., Khambhammettu, H.: Delegation in role-based access control. In: Proceedings of 11th European Symposium on Research in Computer Security (2006)
Joshi, J.B.D., Bertino, E.: Fine-grained role-based delegation in presence of the hybrid role hierarchy. In: SACMAT 2006: Proceedings of the eleventh ACM symposium on Access control models and technologies, pp. 81–90. ACM Press, New York (2006)
Na, S., Cheon, S.: Role delegation in role-based access control. In: RBAC 2000: Proceedings of the fifth ACM workshop on Role-based access control, pp. 39–44. ACM Press, New York (2000)
Schaad, A.: A framework for organisational control principles. Ph.D Thesis, University of York (2003)
Tan, K., Crampton, J., Gunter, C.: The consistency of task-based authorization constraints in workflow systems. In: Proceedings of the 17th IEEE Computer Security Foundations Workshop (CSFW), pp. 155–169 (2004)
Wainer, J., Kumar, A.: A fine-grained, controllable, user-to-user delegation method in rbac. In: SACMAT 2005: Proceedings of the tenth ACM symposium on Access control models and technologies, pp. 59–66. ACM Press, New York (2005)
Wang, Q., Li, N.: Satisfiability and resiliency in workflow systems. In: Proc. European Symp. on Research in Computer Security (September 2007)
Wang, Q., Li, N.: On the security of delegation in access control systems. CERIAS Technical Report (July 2008), http://www.cs.purdue.edu/homes/wangq/papers/delegation.pdf
Warner, J., Atluri, V.: Inter-instance authorization constraints for secure workflow management. In: Proc. ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 190–199 (2006)
Zhang, L., Ahn, G.-J., Chu, B.-T.: A rule-based framework for role-based delegation and revocation. ACM Trans. Inf. Syst. Secur. 6(3), 404–441 (2003)
Zhang, X., Oh, S., Sandhu, R.: Pbdm: a flexible delegation model in rbac. In: SACMAT 2003: Proceedings of the eighth ACM symposium on Access control models and technologies, pp. 149–157. ACM Press, New York (2003)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Wang, Q., Li, N., Chen, H. (2008). On the Security of Delegation in Access Control Systems. In: Jajodia, S., Lopez, J. (eds) Computer Security - ESORICS 2008. ESORICS 2008. Lecture Notes in Computer Science, vol 5283. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-88313-5_21
Download citation
DOI: https://doi.org/10.1007/978-3-540-88313-5_21
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-88312-8
Online ISBN: 978-3-540-88313-5
eBook Packages: Computer ScienceComputer Science (R0)