Symmetric RBAC Model that Takes the Separation of Duties and Role Hierarchies into Consideration

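  • 문창주 (Department of Computer Science, Korea University);
  • 박대하 (Information Security Technology Research Institute, Security Technology);
  • 박성진 (Department of Information Systems Engineering, Hanshin University);
  • 백두권 (Department of Computer Science, Korea University)
  • Published: 2003.12.01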

Abstract

RBAC is accepted as a more advanced access control method than the existing DAC and MAC. Studies on the permission-role part of the RBAC model are relatively insufficient compared with those on the user-role part, and research on symmetric RBAC models to overcome this is also at an early stage. Consequently, it is difficult to assign permissions suitable for roles. This paper proposes a symmetric RBAC model that supplements the constraints on permission assignment set forth by previous studies. By presenting constraints on permission assignment that take the separation of duties and role hierarchies into consideration, the proposed symmetric RBAC model reflects conflicts of interest between roles and the sharing and integration of permissions in permission assignment. In addition, by expressing constraints that prescribe prerequisite relations between dynamic permissions through AND/OR graphs, it can effectively restrict complicated prerequisite relations among permissions. The constraints on permission assignment in the proposed symmetric RBAC model reduce errors in permission assignment by properly specifying the rules to be observed at the time of permission assignment.
