Permission and role automatic assigning of user in role-based access control

Role mining and setup affect the usage of role-based access control(RBAC).Traditionally,user's role and permission assigning are manipulated by security administrator of system.However,the cost is expensive and the operating process is complex.A new role analyzing method was proposed by generating mappings and using them to provide recommendation for systems.The relation among sets of permissions,roles and users was explored by generating mappings,and the relation between sets of users and attributes was analyzed by means of the concept lattice model,generating a critical mapping between the attribute and permission sets,and making the meaning of the role natural and operational.Thus,a role is determined by permission set and user's attributes.The generated mappings were used to automatically assign permissions and roles to new users.Experimental results show that the proposed algorithm is effective and efficient.

校园网中的Role-based Access Control模型设计

介绍了如何将Role basedAccessControl(RBAC)模型应用于校园网的访问控制系统中。其特点是通过分配和取消角色来完成用户权限的授予和取消 ,并且提供了角色分配规则和操作检查规则。安全管理人员根据需要定义各种角色 ,并设置合适的访问权限 ,而用户根据其责任和资历被指派为不同的角色。根据系统的实际需求 。

A distributed role-based access control model for multi-domain environments

Access control in multi-domain environments is an important question in building coalition between domains. Based on the RBAC access control model and the concepts of secure domain, the role delegation and role mapping are proposed, which support the third-party authorization. A distributed RBAC model is then presented. Finally implementation issues are discussed.

Consistency maintenance for constraint in role-based access control model

Constraint is an important aspect of role based access control and is sometimes argued to be the principal motivation for role based access control (RBAC). But so far few authors have discussed consistency maintenance for constraint in RBAC model. Based on researches of constraints among roles and types of inconsistency among constraints, this paper introduces corresponding formal rules, rule based reasoning and corresponding methods to detect, avoid and resolve these inconsistencies. Finally, the paper introduces briefly the application of consistency maintenance in ZD PDM, an enterprise oriented product data management (PDM) system.

A General Attribute and Rule Based Role-Based Access Control Model

Growing numbers of users and many access control policies which involve many different resource attributes in service-oriented environments bring various problems in protecting resource.This paper analyzes the relationships of resource attributes to user attributes in all policies, and propose a general attribute and rule based role-based access control(GAR-RBAC) model to meet the security needs. The model can dynamically assign users to roles via rules to meet the need of growing numbers of users. These rules use different attribute expression and permission as a part of authorization constraints, and are defined by analyzing relations of resource attributes to user attributes in many access policies that are defined by the enterprise. The model is a general access control model, and can support many access control policies, and also can be used to wider application for service. The paper also describes how to use the GAR-RBAC model in Web service environments.

A Cache Considering Role-Based Access Control and Trust in Privilege Management Infrastructure

PMI （privilege management infrastructure） is used to perform access control to resource in an E-commerce or E-government system. With the ever-increasing need for secure transaction, the need for systems that offer a wide variety of QoS （quality-of-service） features is also growing. In order to improve the QoS of PMI system, a cache based on RBAC （Role-based Access control） and trust is proposed. Our system is realized based on Web service. How to design the cache based on RBAC and trust in the access control model is deseribed in detail. The algorithm to query role permission in cache and to add records in cache is dealt with. The policy to update cache is introduced also.

Centralized Role-Based Access Control for Federated Multi-Domain Environments

The secure interaction among multiple security domains is a major concern. In this paper, we highlight the issues of secure interoperability among multiple security domains operating under the widely accepted Role Based Access Control （RBAC） model. We propose a model called CRBAC that easily establishes a global policy for roles mapping among multiple security domains. Our model is based on an extension of the RBAC model. Also, multiple security domains were composed to one abstract security domain. Also roles in the multiple domains are translated to permissions of roles in the abstract security domain. These permissions keep theirs hierarchies. The roles in the abstract security domain implement roles mapping among the multiple security domains. Then, authorized users of any security domain can transparently access resources in the multiple domains.

Distributed Role-based Access Control for Coaliagion Application

Access control in multi-domain environments is one of the important questions of building coalition between domains. On the basis of RBAC access control model, the concepts of role delegation and role mapping are proposed, which support the third-party authorization. Then, a distributed RBAC model is presented. Finally the implementation issues are discussed.

Dynamically Authorized Role-Based Access Control for Grid Applications

Grid computing is concerned with the sharing and coordinated use of diverse resources in distributed “virtual organizations”. The heterogeneous, dynamic and multi-domain nature of these environments makes challenging security issues that demand new technical approaches. Despite the recent advances in access control approaches applicable to Grid computing, there remain issues that impede the development of effective access control models for Grid applications. Among them there are the lack of context-based models for access control, and reliance on identity or capability-based access control schemes. An access control scheme that resolve these issues is presented, and a dynamically authorized role-based access control (D-RBAC) model extending the RBAC with context constraints is proposed. The D-RABC mechanisms dynamically grant permissions to users based on a set of contextual information collected from the system and user’s environments, while retaining the advantages of RBAC model. The implementation architecture of D-RBAC for the Grid application is also described.

A Blockchain-Based Access Control Scheme for Reputation Value Attributes of the Internet of Things

The Internet of Things(IoT)access controlmechanism may encounter security issues such as single point of failure and data tampering.To address these issues,a blockchain-based IoT reputation value attribute access control scheme is proposed.Firstly,writing the reputation value as an attribute into the access control policy,and then deploying the access control policy in the smart contract of the blockchain system can enable the system to provide more fine-grained access control;Secondly,storing a large amount of resources fromthe Internet of Things in Inter Planetary File System(IPFS)to improve system throughput;Finally,map resource access operations to qualification tokens to improve the performance of the access control system.Complete simulation experiments based on the Hyperledger Fabric platform.Fromthe simulation experimental results,it can be seen that the access control system can achieve more fine-grained and dynamic access control while maintaining high throughput and low time delay,providing sufficient reliability and security for access control of IoT devices.

Adaptable and Dynamic Access Control Decision-Enforcement Approach Based on Multilayer Hybrid Deep Learning Techniques in BYOD Environment

Organizations are adopting the Bring Your Own Device(BYOD)concept to enhance productivity and reduce expenses.However,this trend introduces security challenges,such as unauthorized access.Traditional access control systems,such as Attribute-Based Access Control(ABAC)and Role-Based Access Control(RBAC),are limited in their ability to enforce access decisions due to the variability and dynamism of attributes related to users and resources.This paper proposes a method for enforcing access decisions that is adaptable and dynamic,based on multilayer hybrid deep learning techniques,particularly the Tabular Deep Neural Network Tabular DNN method.This technique transforms all input attributes in an access request into a binary classification(allow or deny)using multiple layers,ensuring accurate and efficient access decision-making.The proposed solution was evaluated using the Kaggle Amazon access control policy dataset and demonstrated its effectiveness by achieving a 94%accuracy rate.Additionally,the proposed solution enhances the implementation of access decisions based on a variety of resource and user attributes while ensuring privacy through indirect communication with the Policy Administration Point(PAP).This solution significantly improves the flexibility of access control systems,making themmore dynamic and adaptable to the evolving needs ofmodern organizations.Furthermore,it offers a scalable approach to manage the complexities associated with the BYOD environment,providing a robust framework for secure and efficient access management.

Blockchain-Enabled Privacy Protection and Access Control Scheme Towards Sensitive Digital Assets Management

With the growth of requirements for data sharing,a novel business model of digital assets trading has emerged that allows data owners to sell their data for monetary gain.In the distributed ledger of blockchain,however,the privacy of stakeholder's identity and the confidentiality of data content are threatened.Therefore,we proposed a blockchainenabled privacy-preserving and access control scheme to address the above problems.First,the multi-channel mechanism is introduced to provide the privacy protection of distributed ledger inside the channel and achieve coarse-grained access control to digital assets.Then,we use multi-authority attribute-based encryption(MAABE)algorithm to build a fine-grained access control model for data trading in a single channel and describe its instantiation in detail.Security analysis shows that the scheme has IND-CPA secure and can provide privacy protection and collusion resistance.Compared with other schemes,our solution has better performance in privacy protection and access control.The evaluation results demonstrate its effectiveness and practicability.

Cross-Domain Bilateral Access Control on Blockchain-Cloud Based Data Trading System

Data trading enables data owners and data requesters to sell and purchase data.With the emergence of blockchain technology,research on blockchain-based data trading systems is receiving a lot of attention.Particularly,to reduce the on-chain storage cost,a novel paradigm of blockchain and cloud fusion has been widely considered as a promising data trading platform.Moreover,the fact that data can be used for commercial purposes will encourage users and organizations from various fields to participate in the data marketplace.In the data marketplace,it is a challenge how to trade the data securely outsourced to the external cloud in a way that restricts access to the data only to authorized users across multiple domains.In this paper,we propose a cross-domain bilateral access control protocol for blockchain-cloud based data trading systems.We consider a system model that consists of domain authorities,data senders,data receivers,a blockchain layer,and a cloud provider.The proposed protocol enables access control and source identification of the outsourced data by leveraging identity-based cryptographic techniques.In the proposed protocol,the outsourced data of the sender is encrypted under the target receiver’s identity,and the cloud provider performs policy-match verification on the authorization tags of the sender and receiver generated by the identity-based signature scheme.Therefore,data trading can be achieved only if the identities of the data sender and receiver simultaneously meet the policies specified by each other.To demonstrate efficiency,we evaluate the performance of the proposed protocol and compare it with existing studies.

Big Data Access Control Mechanism Based on Two-Layer Permission Decision Structure

Big data resources are characterized by large scale, wide sources, and strong dynamics. Existing access controlmechanisms based on manual policy formulation by security experts suffer from drawbacks such as low policymanagement efficiency and difficulty in accurately describing the access control policy. To overcome theseproblems, this paper proposes a big data access control mechanism based on a two-layer permission decisionstructure. This mechanism extends the attribute-based access control (ABAC) model. Business attributes areintroduced in the ABAC model as business constraints between entities. The proposed mechanism implementsa two-layer permission decision structure composed of the inherent attributes of access control entities and thebusiness attributes, which constitute the general permission decision algorithm based on logical calculation andthe business permission decision algorithm based on a bi-directional long short-term memory (BiLSTM) neuralnetwork, respectively. The general permission decision algorithm is used to implement accurate policy decisions,while the business permission decision algorithm implements fuzzy decisions based on the business constraints.The BiLSTM neural network is used to calculate the similarity of the business attributes to realize intelligent,adaptive, and efficient access control permission decisions. Through the two-layer permission decision structure,the complex and diverse big data access control management requirements can be satisfied by considering thesecurity and availability of resources. Experimental results show that the proposed mechanism is effective andreliable. In summary, it can efficiently support the secure sharing of big data resources.

Automatic Generation of Attribute-Based Access Control Policies from Natural Language Documents

In response to the challenges of generating Attribute-Based Access Control(ABAC)policies,this paper proposes a deep learning-based method to automatically generate ABAC policies from natural language documents.This method is aimed at organizations such as companies and schools that are transitioning from traditional access control models to the ABAC model.The manual retrieval and analysis involved in this transition are inefficient,prone to errors,and costly.Most organizations have high-level specifications defined for security policies that include a set of access control policies,which often exist in the form of natural language documents.Utilizing this rich source of information,our method effectively identifies and extracts the necessary attributes and rules for access control from natural language documents,thereby constructing and optimizing access control policies.This work transforms the problem of policy automation generation into two tasks:extraction of access control statements andmining of access control attributes.First,the Chat General Language Model(ChatGLM)isemployed to extract access control-related statements from a wide range of natural language documents by constructing unique prompts and leveraging the model’s In-Context Learning to contextualize the statements.Then,the Iterated Dilated-Convolutions-Conditional Random Field(ID-CNN-CRF)model is used to annotate access control attributes within these extracted statements,including subject attributes,object attributes,and action attributes,thus reassembling new access control policies.Experimental results show that our method,compared to baseline methods,achieved the highest F1 score of 0.961,confirming the model’s effectiveness and accuracy.

Deep Learning Social Network Access Control Model Based on User Preferences

A deep learning access controlmodel based on user preferences is proposed to address the issue of personal privacy leakage in social networks.Firstly,socialusers andsocialdata entities are extractedfromthe social networkandused to construct homogeneous and heterogeneous graphs.Secondly,a graph neural networkmodel is designed based on user daily social behavior and daily social data to simulate the dissemination and changes of user social preferences and user personal preferences in the social network.Then,high-order neighbor nodes,hidden neighbor nodes,displayed neighbor nodes,and social data nodes are used to update user nodes to expand the depth and breadth of user preferences.Finally,a multi-layer attention network is used to classify user nodes in the homogeneous graph into two classes:allow access and deny access.The fine-grained access control problem in social networks is transformed into a node classification problem in a graph neural network.The model is validated using a dataset and compared with other methods without losing generality.The model improved accuracy by 2.18%compared to the baseline method GraphSAGE,and improved F1 score by 1.45%compared to the baseline method,verifying the effectiveness of the model.

A Dual-Cluster-Head Based Medium Access Control for Large-Scale UAV Ad-Hoc Networks

Unmanned Aerial Vehicle(UAV)ad hoc network has achieved significant growth for its flexibility,extensibility,and high deployability in recent years.The application of clustering scheme for UAV ad hoc network is imperative to enhance the performance of throughput and energy efficiency.In conventional clustering scheme,a single cluster head(CH)is always assigned in each cluster.However,this method has some weaknesses such as overload and premature death of CH when the number of UAVs increased.In order to solve this problem,we propose a dual-cluster-head based medium access control(DCHMAC)scheme for large-scale UAV networks.In DCHMAC,two CHs are elected to manage resource allocation and data forwarding cooperatively.Specifically,two CHs work on different channels.One of CH is used for intra-cluster communication and the other one is for inter-cluster communication.A Markov chain model is developed to analyse the throughput of the network.Simulation result shows that compared with FM-MAC(flying ad hoc networks multi-channel MAC,FM-MAC),DCHMAC improves the throughput by approximately 20%~50%and prolongs the network lifetime by approximately 40%.

Task-and-role-based access-control model for computational grid

Access control in a grid environment is a challenging issue because the heterogeneous nature and independent administration of geographically dispersed resources in grid require access control to use fine-grained policies. We established a task-and-role-based access-control model for computational grid (CG-TRBAC model), integrating the concepts of role-based access control (RBAC) and task-based access control (TBAC). In this model, condition restrictions are defined and concepts specifically tailored to Workflow Management System are simplified or omitted so that role assignment and security administration fit computational grid better than traditional models; permissions are mutable with the task status and system variables, and can be dynamically controlled. The CG-TRBAC model is proved flexible and extendible. It can implement different control policies. It embodies the security principle of least privilege and executes active dynamic authorization. A task attribute can be extended to satisfy different requirements in a real grid system.

Research and Realization of the Role-Based System Access Control Management

The systematical structure of the role-based access control was analyzed,giving a full description of the definitions of user,user access,and the relation between post role and access. It puts forward a role-based access control management which is relatively independent in the applied system. This management achieves the control on user's access by distribution and cancel of role-play,which is a better solution to the problems of the access control management for the applied system. Besides,a complete scheme for the realization of this access control was provided.

Blockchain-Empowered Token-Based Access Control System with User Reputation Evaluation

Currently,data security and privacy protection are becoming more and more important.Access control is a method of authorization for users through predefined policies.Token-based access control(TBAC)enhances the manageability of authorization through the token.However,traditional access control policies lack the ability to dynamically adjust based on user access behavior.Incorporating user reputation evaluation into access control can provide valuable feedback to enhance system security and flexibility.As a result,this paper proposes a blockchain-empowered TBAC system and introduces a user reputation evaluation module to provide feedback on access control.The TBAC system divides the access control process into three stages:policy upload,token request,and resource request.The user reputation evaluation module evaluates the user’s token reputation and resource reputation for the token request and resource request stages of the TBAC system.The proposed system is implemented using the Hyperledger Fabric blockchain.The TBAC system is evaluated to prove that it has high processing performance.The user reputation evaluation model is proved to be more conservative and sensitive by comparative study with other methods.In addition,the security analysis shows that the TBAC system has a certain anti-attack ability and can maintain stable operation under the Distributed Denial of Service(DDoS)attack environment.