UTD CS 7301 - Scalable and Efficient Reasoning for Enforcing Role-Based Access Control
Scalable and Efficient Reasoning for Enforcing Role-Based Access Control
Tyrone Cadenhead, Murat Kantarcioglu, and Bhavani Thuraisingham

Overview
• Motivation
• Contributions
• Approach
• Theoretical Background: RBAC, TRBAC, Description Logics, SWRL
• Detailed Overview of Approach and Optimizations
• Example
• Experimental Results

Motivation
• Organizations tend to generate large amounts of data (or resources)
• Users need only partial access to resources
• Pairs: (user, role), (role, permission), (action, resource)
• nu users and nr roles → at most nu × nr mappings
• Scalable access control model
• Exchange expertise among experts, between systems
• Heterogeneity in systems
• Make decisions with data
• Formal semantics of data

Motivation (cont’d)
• RBAC simplifies security management
 – But roles are statically defined
• TRBAC extends RBAC
 – Roles are dynamically defined and have a temporal dimension
 – Does not address the heterogeneity inherent in organizational information systems
• An ontology has a common vocabulary
 – Conforms to a Description Logic (DL) formalism
• Description Logic (DL) reasoning service
 – Can be distributed over a set of Knowledge Bases

Why Flexible RBAC
• Physician Sam is allowed access to Bob’s record
 – When Bob is under his care
• Emergency: Sam is off duty, Kelly is in the emergency room:
 – Bob needs immediate treatment
 – Kelly is not pre-assigned to view/update Bob’s record
→ Temporal RBAC

Why Flexible TRBAC
• Kelly needs to collaborate with specialists from different areas of expertise
• Sharing of data across wards, departments
• Seamless and unambiguous exchange of information
• Ontologies
 – Common vocabulary
 – Enable reconciliation and translation between different standards

Automation
• Kelly and team make decisions using Bob’s medical history
• Access is needed temporarily
• Accuracy and efficiency are critical
• Automated tool:
 – Access granted in an emergency session
 – Apply policy rules over relevant data in Bob’s record
 – Verify the decisions based on formal logic
 – Make access decisions efficiently

Main Contributions
• TRBAC implementation using existing semantic technologies
• Reasoning service for access control over large numbers of data instances in DL Knowledge Bases (KBs)
• Efficiently and accurately reason about access rights

Approach
• Transform temporal access control policies to rules: Semantic Web Rule Language (SWRL)
• Partitioning the Knowledge Base (KB)
 – Terminological Box (TBox)
 – Assertional Box (ABox)
• A Knowledge Base consists of a TBox and an ABox

Approach (cont’d)
Achieves:
1. Scalability – support many users, roles, sessions, permissions, and their combinations w.r.t. access control policies
2. Efficiency – determines the response time to make a decision, in milliseconds
3. Correct reasoning – ensure all data assertions are available when applying the security policies

Theoretical Background
• RBAC
• TRBAC
• Description Logic Language (ALCQ)
• SWRL

RBAC
(figure)

(Mappings)
• Connect individuals from two domain modules:
• RBAC assignments:
 – Think of mappings as relations of the form P(i, j) with valid pairs (i, j): user-role, role-user, role-permission, permission-role, session-user, role-role and session-role
 – A binary relationship of the form P(x, y) is a restriction on the values assigned to (x, y) pairs
• Hospital extensions:
 – The mappings patient-user, user-patient and patient-session
• Patient-Record constraint:
 – The one-to-one mappings patient-record and record-patient

TRBAC
• Extension of RBAC
 – Supports temporal access
 – Expressed by means of role triggers
 – Constrains the set of roles that a particular user can activate at a given time instant
• Triggers
 – Firing a trigger causes a role to be enabled/disabled
• Conflict resolution
 – Simultaneous enabling and disabling of a role
 – Priorities

Description Logics
• Formally build our domain concepts and the relationships between them
• Add semantics (reasoning)
• Use a knowledge representation language
• We can formally say a doctor is a user, a surgeon is a doctor, a doctor has a medical degree

Description Logics
(figure)

SWRL
• Semantic Web Rule Language (SWRL)
• W3C recommendation
• A SWRL rule has the form:
• hi, bj are atoms of the form C(x), P(x, y), sameAs(x, y), or differentFrom(x, y), where C is an OWL description, P is an OWL property, and x, y are Datalog variables, OWL individuals, or OWL data values

Overview
(figure)

Intuition
• A user assigned to role :
 – User attributes (name, sex, id) in partition
 – Details relating to the role in partition
 – Session-related details in partition
• Query:
• Optimization:

Step 1
• Build step, performed offline
• Restrict each partition size: ensures each KB fits into the memory of the machine

Step 2
• Load the policy rules into a new knowledge base .
 – Rules determine which assertions are relevant to determine any policy objective
• Adding rules to more efficient
• Experimental results:
 – Impact on the reasoning time vs. adding rules to
 – Rules apply to a small subset of triples
 – Reduced number of symbols in the ABox

Step 3
• RBAC:

Inference Stage
• When there is an access request for a specific patient, start executing steps 2 and 3
• Steps 2 and 3 are our inferencing stages, where we enforce the security policies
• These can also be executed concurrently for many patients, as desired

TBox
• RBAC:
 – The sets and are atomic concepts in
 – Mappings and are formalized as DL roles
• Employees are Users
• Primary Physicians are Employees with at least one patient
• We can conclude that Primary Physicians are Users

ABox
(figure)

RDF
• W3C recommendation
• Make assertions about any resource on the Semantic Web
• We can say Bob is a doctor
 – Doctor(Bob) (Bob rdf:type Doctor)
• Bob attended Harvard
 – (Bob, attended, “Harvard”)

Distributed Reasoning
(figure)

Home Partition
(figure)

Connecting Partitions
(figure)

Distributed Reasoning
• Physicians can be both a primary or
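The hospital scenario from the slides (Sam, Kelly and Bob) worked through the TRBAC mechanics described above (RBAC mappings, role triggers, and priority-based resolution of a simultaneous enable/disable), as an added Python example that is not part of the original slides or the authors' system. The role names, events, priorities and the emergency-session policy are assumptions, and the policy is evaluated directly in Python rather than by a DL/SWRL reasoner over a partitioned KB.

```python
from dataclasses import dataclass

@dataclass
class Trigger:                 # TRBAC role trigger (event syntax assumed)
    event: str                 # event that fires the trigger
    role: str                  # role to enable/disable
    enable: bool               # True = enable, False = disable
    priority: int              # higher priority wins when triggers for one role conflict

class TRBAC:
    def __init__(self):
        self.user_role = set()      # (user, role) mappings
        self.role_perm = set()      # (role, permission) mappings
        self.patient_user = set()   # hospital extension: (patient, user) = patient under user's care
        self.triggers = []
        self.enabled = {}           # role -> enabled at the current time instant
    def fire(self, event):
        """Fire all triggers for `event`; a role enabled and disabled at once is decided by priority."""
        winner = {}
        for t in (t for t in self.triggers if t.event == event):
            if t.role not in winner or t.priority > winner[t.role].priority:
                winner[t.role] = t
        for role, t in winner.items():
            self.enabled[role] = t.enable
    def activatable(self, user):
        """Roles the user may activate now: assigned to the user and currently enabled."""
        return {r for (u, r) in self.user_role if u == user and self.enabled.get(r, False)}
    def permitted(self, user, perm, patient):
        """Assumed policy: an activatable role grants `perm`, and the user either has the
        patient under care or holds the enabled EmergencyStaff role (the emergency session)."""
        roles = self.activatable(user)
        has_perm = any((r, perm) in self.role_perm for r in roles)
        return has_perm and ((patient, user) in self.patient_user or "EmergencyStaff" in roles)

def hospital_scenario():
    """Constructed scenario from the slides: Sam is Bob's physician, Kelly is not pre-assigned."""
    kb = TRBAC()
    kb.user_role |= {("Sam", "Physician"), ("Kelly", "Physician"), ("Kelly", "EmergencyStaff")}
    kb.role_perm |= {(r, p) for r in ("Physician", "EmergencyStaff") for p in ("read", "update")}
    kb.patient_user.add(("Bob", "Sam"))
    kb.triggers += [Trigger("shift_start", "Physician", True, 1), Trigger("shift_end", "Physician", False, 1),
                    Trigger("emergency_start", "EmergencyStaff", True, 1),
                    Trigger("emergency_end", "EmergencyStaff", False, 2),  # conflict on emergency_end:
                    Trigger("emergency_end", "EmergencyStaff", True, 1)]   # disable (2) outranks enable (1)
    trace = {}
    kb.fire("shift_start"); trace["sam_on_duty"] = kb.permitted("Sam", "read", "Bob")
    trace["kelly_on_duty"] = kb.permitted("Kelly", "read", "Bob")          # Bob is not under Kelly's care
    kb.fire("shift_end"); trace["sam_off_duty"] = kb.permitted("Sam", "read", "Bob")
    kb.fire("emergency_start"); trace["kelly_emergency"] = kb.permitted("Kelly", "update", "Bob")
    kb.fire("emergency_end"); trace["kelly_after"] = kb.permitted("Kelly", "read", "Bob")
    return trace
```

Each decision depends only on the mappings plus the roles enabled at that instant, which is the "constrains the set of roles a user can activate at a given time" behaviour the TRBAC slide describes.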