
Publication


Featured research published by Yuqing Sun.


IEEE Transactions on Dependable and Secure Computing | 2011

On the Complexity of Authorization in RBAC under Qualification and Security Constraints

Yuqing Sun; Qihua Wang; Ninghui Li; Elisa Bertino; Mikhail J. Atallah

In practice, assigning access permissions to users must satisfy a variety of constraints motivated by business and security requirements. Here, we focus on Role-Based Access Control (RBAC) systems, in which access permissions are assigned to roles and roles are then assigned to users. User-role assignment is subject to role-based constraints, such as mutual exclusion constraints, prerequisite constraints, and role-cardinality constraints. Also, whether a user is qualified for a role depends on whether his/her qualification satisfies the role's requirements. In other words, a role can only be assigned to a certain set of qualified users. In this paper, we study fundamental problems related to access control constraints and user-role assignment, such as determining whether there are conflicts in a set of constraints, verifying whether a user-role assignment satisfies all constraints, and how to generate a valid user-role assignment for a system configuration. Computational complexity results and/or algorithms are given for the problems we consider.


Information Sciences | 2009

Specification and enforcement of flexible security policy for active cooperation

Yuqing Sun; Bin Gong; Xiangxu Meng; Zongkai Lin; Elisa Bertino

Interoperation and services sharing among different systems are becoming new paradigms for enterprise collaboration. To keep ahead in strong competition environments, an enterprise should provide flexible and comprehensive services to partners and support active collaborations with partners and customers. Achieving such goals requires enterprises to specify and enforce flexible security policies for their information systems. Although the area of access control has been widely investigated, current approaches still do not support flexible security policies able to account for the different weights that typically characterize the various attributes of the requesting parties and transactions and reflect the access control criteria that are relevant for the enterprise. In this paper we propose a novel approach that addresses such flexibility requirements while at the same time reducing the complexity of security management. To support flexible policy specification, we define the notion of restraint rules for authorization management processes and introduce the concept of impact weight for the conditions in these restraint rules. We also introduce a new data structure for the encoding of the condition tree as well as the corresponding algorithm for efficiently evaluating conditions. Furthermore, we present a system architecture that implements the above approach and supports interoperation among heterogeneous platforms.


International Conference on Service Oriented Computing | 2008

Authorization and User Failure Resiliency for WS-BPEL Business Processes

Federica Paci; Rodolfo Ferrini; Yuqing Sun; Elisa Bertino

We investigate the problem of WS-BPEL process resiliency in RBAC-WS-BPEL, an authorization model for WS-BPEL that supports the specification of authorizations for the execution of WS-BPEL process activities by roles and users and authorization constraints, such as separation and binding of duty. The goal of resiliency is to guarantee that even if some users become unavailable during the execution of a WS-BPEL process, the remaining users can still complete the execution of the process. We extend RBAC-WS-BPEL with a new type of constraints called resiliency constraints and the notion of user failure resiliency for WS-BPEL processes and propose an algorithm to determine if a WS-BPEL process is user failure resilient.


Autonomic and Trusted Computing | 2007

Ontology based hybrid access control for automatic interoperation

Yuqing Sun; Peng Pan; Ho-fung Leung; Bin Shi

Semantic interoperation and service sharing have been accepted as efficient means to facilitate collaboration among heterogeneous system applications. However, extensibility and complexity are still crucial problems in supporting multi-level automatic collaborations across dynamically changed domains. In this paper, we propose the ontology based hybrid access control model. It introduces the concept of Industry Coalition, which defines the common ontology and serves as the public portal of an application domain. By mapping local authorizations to the common ontology, an enterprise can efficiently tackle the problems of automatic interoperation across heterogeneous systems in the Coalition, as well as of the general requests from dynamically changed exterior collaborators not belonging to the Coalition. Several algorithms are also proposed to generate authorization mappings and keep security constraints consistent. To illustrate our model, an example of property right exchange is given and experiment results are discussed.


Information Systems Frontiers | 2011

Integrating constraints to support legally flexible business processes

Yuqing Sun; Joshua Zhexue Huang; Xiangxu Meng

Flexible collaboration is a notable attribute of Web 2.0, often taking the form of multiple users participating in different activities that together complete a whole business process. In such an environment, business processes may be dynamically customized or adjusted, and participants may be selected or may attend unpredictably. How to ensure the legitimacy of a business process for both security and business is therefore increasingly critical. In this paper, we investigate this problem and introduce a novel method to support legally flexible business processes. The proposed Constraint-based Business Process Management Model incorporates constraints into the standard activities composing a business process, where the security constraints place restrictions on participants performing the activities and business constraints restrict the dependencies between multiple activities. Through assembly operations, business processes can be dynamically generated and adjusted with activities that are subject to the specified constraints. Several algorithms are presented to verify the consistency of constraints and the soundness of the generated business processes, as well as to perform the execution planning to guarantee the correct execution of a business process on the precondition of satisfying all constraints. We present an illustrative example and implement a prototype for the proposed model that is an application of property rights exchange for supporting legal business processes.


Proceedings of the 2011 International Workshop on Ubiquitous Affective Awareness and Intelligent Interaction | 2011

Proactive defense of insider threats through authorization management

Yuqing Sun; Ninghui Li; Elisa Bertino

Among various attacks that may potentially target information systems, insider threat is recognized as an important factor of serious damage. In this paper, we investigate this problem from the view of authorizations in the context of access control. The objectives are to assess the sensitive authorizations in a system and to make appropriate arrangements for reducing the convenience of insider fraud. The proposed analytical framework takes the security constraints and the user relationships into account in addition to the traditional assessment of each independent user. Specifically, different fraud patterns and insider attacks are formally modeled. These concerns are meaningful in practice since, with the enforcement of security constraints like Separation of Duty, a single user only possesses partial privileges for a sensitive task. Thus a person who wants to launch an attack needs to adopt social engineering and collude with others. Based on this framework, we study the critical user problems, which find the most critical subset of users for a sensitive task, and discuss how to mitigate the fraud risk to the lowest level. We show that the computational complexities of these problems are NP-hard in the general case but some special cases remain tractable. An approximate solution to these problems is presented.


Enterprise Distributed Object Computing | 2006

A Novel Approach for Role Hierarchies in Flexible RBAC Workflow

Yuqing Sun; Xiangxu Meng; Fang Yin

Security and flexibility are two important issues in workflow management systems. The RBAC flexible workflow model was proposed recently to capture the above needs; however, there remains an open issue concerning its role hierarchies. As the numbers of users and roles increase, how to reduce the complexity of management is becoming a concern. A novel method of role management is presented in this paper that introduces the notation of partial inheritance into the role hierarchies. Compared with other dominating methods, it can efficiently achieve the objectives of role management in flexible workflow.


Journal of Network and Computer Applications | 2012

Scheduling mobile collaborating workforce for multiple urgent events

Yuqing Sun; Dickson K. W. Chiu; Bin Gong; Xiangxu Meng; Peng Zhang

Despite the advancement of wireless technologies that allows collaboration at different places, under emergencies, professionals are often still required to arrive at the scene to carry out critical tasks. Under many practical constraints, how to schedule mobile collaborating workforce for urgent event requirements becomes a challenging problem. In this paper, we study the optimal mobile workforce assignment problems for multiple events and propose an efficient algorithm to find an optimal workforce arrangement with respect to quick response under qualification and location constraints. A practical example is given to illustrate how our method works. We also study the exception case where there are not enough qualified users. We allow a user to take on multiple qualified tasks previously assigned to different users. But each person is restricted within one event location so as to reduce traffic transfer between different places for the quick response purpose. We analyze the computational complexity of the problem of finding an optimal assignment of mobile workforce under such restraints and solve it by means of integer linear programming.


International Symposium on Visual Computing | 2007

A GPU-based algorithm for building stochastic clustered-dot screens

Meng Qi; Chenglei Yang; Changhe Tu; Xiangxu Meng; Yuqing Sun

In industrial pattern reproduction, clustered-dot screens are usually created to transform a continuous-tone image into a halftone image for batch printing. But the algorithms generating clustered-dot screens usually have difficulty processing large images because they are very slow and need a lot of memory. In addition, the generated halftone images often have periodic patterns, leading to poor tone reproduction. In this paper, a GPU-based algorithm for building stochastic clustered-dot screens is proposed. In the algorithm, after stochastically laying screen dot centers within a large dither matrix, a Voronoi diagram is constructed to obtain the region of each screen dot, which is implemented on the GPU. Then, each screen dot's region is filled to get the stochastic clustered-dot screens, where a better gray density filling method that can be implemented easily on the GPU is used. Experiments show the method can generate screens faster and with less memory than traditional algorithms. Moreover, in a halftone image generated by our method, the details and highlight parts can be better expressed.


Computer Supported Cooperative Work in Design | 2007

Active Authorization Management for Multi-domain Cooperation

Yuqing Sun; Bin Gong; Xiangxu Meng; Zongkai Lin

In a multi-domain collaboration environment, an enterprise should authorize different access rights for sensitive information to partners according to its security policies and relationships with them, which may be changed dynamically with the development of transaction and business rules. So, it is emerging as one of the major concerns to effectively manage the authorizations while supporting flexible multi-level collaboration. In this work, we propose an active authorization model for multi-domain cooperation, which introduces the notions of business rules and context parameters to update security policies automatically and satisfy the dynamic context requirements. The algorithms of handling authorization queries and roles mapping are also presented. The system architecture is discussed in detail to implement this model and support interoperation among heterogeneous platforms.
