Protecting Information Sharing in Distributed Collaborative Environment

1
Protecting Information Sharing in Distributed
Collaborative Environment

• Min Li
• University of Southern Queensland

2
Role-Based Access Control

• Users

Roles
Permissions
Surgeon
Operate
Radiologist
Interpret X-Ray
Write Prescription
Physician
Read Prescription
Patient
Read Demographics
Universal
?
3
Motivation

• The motivation is that users may delegate role
  authorities to others to process some authorized
  functions and remove the authorities later.
• For example
• (1) vacation delegate the job
  functions to others
• (2) collaboration of work -- need to grant
  some access authority to share information.
• My study aims to develop a policy-based framework
  for information sharing in distributed
  collaborative environments with role-based
  delegation and revocation.

4
Background

• Delegation has been recognized as a flexible
  and useful access control for information
  sharing.
• Lampson et al. (1992) presented an example on
  how a person can delegate its authority to
  others
• Blaze et al.(1996) introduced trust management
  for decentralized authorization
• Aura (1999) described a delegation mechanism to
  support access management in a distributed
  computing environment.

5
Significance

• We can find the major requirements of
  role-based delegation in this example
• 1. Group-based delegation
• delegating user may need to delegate a
  role to all members of another role at the same
  time.
• 2. Multi-step delegation
• allows a delegated user to further
  delegate the delegated role.
• 3. Revocation
• refers to the process to take away the
  delegated privileges
• 4. Constraints
• defines whether or not the delegation or
  revocation process is valid.
• 5. Partial delegation
• allows users only to delegate required
  permissions.

6
Approach

• Task 1 A role-based delegation framework
• There are various delegations in real-time
  application single-step, multistep, group-based,
  and partial delegations. We will develop
  delegation models to support these different
  delegations.
• Revocation is an important process that must
  accompany the delegation. Several different
  semantics of user revocation exist global and
  local, strong and weak. Our developed framework
  will support all types of user revocation
  identified in the above dimensions.
• Task 2 The rule-based policy specification
  language
• The motivation behind policy-based language
• 1) delegation relations defined in role-based
  delegation model lead to declarative rules
• 2) an individual organization may need local
  policies to further control delegation and
  revocation.

7
Current Progress

• 1. We develop a flexible ability-based delegation
  model (ABDM), in which a user can delegate a
  collection of permissions, named an ability, to
  another user or a group.(Part of Task 1)
• 2. We discuss granting and revocation models
  related to mobile and immobile memberships
  between permissions and roles.(Part of Task 1)
• 3. We specify constraints of Usage Control Model
  (UCON) with object constraints language (OCL).
  This work is under preparation for submitting.
  (Part of Task 2)

8
Future Work

• Privacy and data protection is becoming
  essential in IS
• Enterprises should declare the purpose for
  which data is collected, who can receive it and
  the authorized users who can access it.
• Enterprises may provide services in many
  different ways and may delegate the execution of
  parts of the service to third parties.
• Apply a purpose graph model to characterize
  the way the enterprises need to fulfill a
  service.
• Find a way satisfying the minimum information
  cost to fulfill the purpose.

9
Thanks