Return to search

Models for authorization and conflict resolution

Access control is a significant issue in any secure computer system. Authorization models provide a formalism and framework for specifying and evaluating access control policies that determine how access is granted and delegated among particular users. The aim of this dissertation is to investigate flexible decentralized authorization model supporting authorization delegation, both positive and negative authorization, and conflict resolution. A graph based authorization framework is proposed which can support authorization delegations and both positive and negative authorizations. In particular, it is shown that the existing conflict resolution methods are limited when applied to decentralized authorization models and cyclic authorizations can even lead to undesirable situations. A new conflict resolution policy is then proposed, which can support well controlled delegation by giving predecessors higher priorities along the delegation path. The thesis provides a formal description of the proposed model and detailed descriptions of algorithms to implement it. The model is represented using labelled digraphs, which provide a formal basis for proving the semantic correctness of the model. A weighted graph based model is presented which allows grantors to further express degrees of certainties about their granting of authorizations. The work is further extended to consider more complex domains where subjects, objects and access rights are hierarchically structured and authorization inheritance along the hierarchies taken into account. A precise semantics is given which is based on stable model semantics, and, several important properties of delegatable authorization programs investigated. The framework provides users a reasonable method to express complex security policy. To address the many situations in which users may need to be granted or delegated authorizations for a limited period of time, a temporal decentralized authorization model is proposed in which temporal authorization delegations and negations are allowable. Proper semantic properties are further investigated. Finally, as an application, the thesis shows how the proposed authorization model can be used in a e-consent system on health data. A system architecture for e-consent is presented and different types of e-consent models discussed. The proposed model is shown to provide users a good framework for representing and evaluating these models. / Doctor of Philosphy (PhD)

Identiferoai:union.ndltd.org:ADTP/182170
Date January 2003
CreatorsRuan, Chun, University of Western Sydney, College of Science, Technology and Environment, School of Computing and Information Technology
Source SetsAustraliasian Digital Theses Program
LanguageEnglish
Detected LanguageEnglish
SourceTHESIS_CSTE_CIT_Ruan_C.xml

Page generated in 0.0014 seconds