Information Technology Reference
In-Depth Information
detail in the literature, we only describe the aspects that are required to model context-
dependent access control. For more information, we refer to [13,14].
Definition 1 (Partially Ordered Set
P ;
[13]). Let
P
be a set. A partial order
on
P
is a binary relation
on
P
such that for all
x, y, z ∈ P
there holds (i)
x ≤ x
(reflexivity), (ii)
x ≤ y
and
y ≤ x
imply
x = y
(antisymmetry), and (iii)
x ≤ y
and
y ≤
z
imply
x ≤ z
(transitivity).
Without introducing contexts, we can specify role hierarchies for role-based access
control with the definition above.We suggest now tomodel the context itself as a partially
ordered set and then compose a new hierarchy, i.e., the context-dependent role hierarchy,
by applying a specific arithmetic over partially ordered sets. With the help of the direct
product (which is sometimes also called Cartesian product), we create the context-
dependent role hierarchy from the role hierarchy and the context hierarchy as specified
in Sect. 4.
Definition 2 (Cartesian Product
P 1 × ··· × P n of Partially Ordered Sets [13]).
Let
P 1 × ··· ×P n can be made
into an ordered set by imposing the coordinate-wise order defined by
P 1 ,...,P n be ordered sets. The Cartesian product
( x 1 , ..., x n ) ( y 1 , ..., y n )
⇐⇒
( ∀i ) x i ≤ y i
in
P i .
Informally, a product
P × Q
is drawn by replacing each point of a diagram of
P
by a
copy of a diagram of
Q
, and connecting corresponding points. Figure 4 depicts a direct
product
P × Q
of two partially ordered sets
P
and
Q
.
6 Role Hierarchy for Context-Dependent Access Control
In this section, we combine the arguments given in Sects. 2 to 5, and thereby, we establish
a connected motivation for what follows. In Sect. 2, it was motivated that access control
decisions should also take the identification mechanism into account as a relevant con-
text parameter. This idea combines an adequate protection level with reasonable user
requirements and convenience aspects. Since a collaboration environment may support
a large number of users, where the assignment from users to projects may change dy-
namically, such collaboration environments pose demanding requirements to security
administration systems. Furthermore, providers of collaboration environments have an
interest, that changes in the security policy can be dealt with easily and efficiently, e.g.,
by the introduction of new permissions, or new team roles. This means that they require
adequate support for administration.
RBAC, as presented in Sect. 3, dramatically simplifies access control management,
which is extremely valuable for large number of users or permissions. It also supports
the requirement for flexibility in presence of frequently changing access control poli-
cies. Consequently, there arises the question how RBAC can be used to provide efficient
solutions for controlling context-dependent access to web-based collaboration environ-
ments exploiting the advantages of RBAC. Thus, our goal is to provide answers on how
to approach and model collaboration environment requirements for context dependency
with RBAC.
Search WWH ::




Custom Search