Context-Dependent Access Control for Web-Based Collaboration Environments with Role-Based Approach
Ruben Wolf and Markus Schneider
Fraunhofer Gesellschaft (FhG), Institute for Secure Telecooperation (SIT)
Darmstadt, Germany
{ruben.wolf,markus.schneider}@sit.fraunhofer.de
Abstract. Controlling access to resources is one of the most important protection goals for web-based collaboration environments in practice. In general, access control requires identification of subjects that intend to use resources. Today, there are several identification mechanisms for subjects, providing different security levels. However, some of them are only suitable for use in specific environments. In this paper we consider access control to web-based collaboration environments where access control also depends on the identification mechanism actually used as a context-dependent parameter. Furthermore, we show how to model this kind of context-dependent access control for web-based collaboration environments by using role-based concepts. Additionally, we present how complex role hierarchies in the context-dependent case can be generated from basic role hierarchies. This is achieved by applying direct products as a special arithmetic operation over role hierarchies and context hierarchies.
1 Introduction
The World Wide Web provides powerful means for today's collaboration environments. Collaboration environments include a range of tools and resources to support teamwork. Whereas earlier collaboration environments were mostly applications with specific clients, the trend is towards providing collaboration environments with web-based user interfaces, so that the offered services can be accessed with a simple web browser. For an overview of existing collaboration environments we refer to [1,2].
However, when dealing with collaboration services provided over open networks, security questions such as controlling access to offered services are of central interest in collaboration environments. Access control is usually strongly related to identification of the requesting user. There are several technical solutions which are used in practice, e.g., challenge & response protocols based on digital signatures and public key certificates (e.g., as in [3,4]), passwords (e.g., as in [5]), and even cookies [6]. The decision which of these identification mechanisms has to be applied depends on the protection goals in the corresponding application and the desired security level. High-level protection goals usually require stronger mechanisms. Thus, the usage of specific functions within the collaboration environment may only be allowed to be requested after identification with well-chosen mechanisms. In today's web practice, access to web-based collaboration environments always requires one specific mechanism. On the other hand, there
 