The Efficient Maintenance of Access Roles with Role Hiding

Chaoyi Pang, Xiuzhen Zhang, Yanchun Zhang, Kotagiri Ramamohanarao

COMAD'2008. 2

Overview

• Motivation
• Multi-domain secure role graph
• Main ideas
• Updating cross-domain accesses
• Updating privileges on a role
• Experiments
• Conclusions

Motivation

The efficient maintenance of role accessibility:

• In a multi-domain environment that supports role hiding.
• In a multi-domain environment where a service provider acts as the central mediator.
• In database applications using a first-order predicate language (SQL).
• To support various updates and changes.

The role graph

• A directed acyclic graph (DAG) representing the subsumption relationship among roles.
• The transitive closure relation for a role graph represents the “reachability” relationship.

The multi-domain secure role graph

• G0, the role graph for the mediating service provider.
• G1 … Gn, the role graphs for domains 1 … n.
• Cross-domain accesses link domains.
• Some roles of a domain are hidden from the service provider or other domains.

The multi-domain secure role graph: an example

The privileges for roles

• In a domain, the privileges for a role are propagated to its ancestor roles.

• Privileges are not propagated via the cross-domain arcs.

Main ideas

• Role accessibility is represented by computing the transitive closure relation among roles.
• The incremental maintenance of the accessibility of roles is mapped to incrementally computing the transitive closures of DAGs.

Core algorithms – Add(G, TCG, E)

Given a graph G, its transitive closure TCG, and a set of arcs E to be inserted into G, the new access node pairs that should be added to TC are those that form a path via E.

    INSERT INTO Susp(Start, Tail)
    SELECT DISTINCT X.Start, Y.Tail
    FROM TC X, TC Y, E
    WHERE X.Tail = E.Start AND Y.Start = E.Tail;

    INSERT INTO TC(Start, Tail)
    SELECT * FROM Susp;

Core Algorithms – Del(G, TC, E)

• A set of node pairs depending on E are deleted first, which may result in wrong deletions.
• The wrong deletions are then corrected via joining.

Core Algorithms – Del(G, TC, E) …

    -- Table Susp: when deleting E(Start, Tail), any path from x
    -- via a node pair of E to y is affected and stored in Susp.
    INSERT INTO Susp(Start, Tail)
    SELECT X.Start, Y.Tail
    FROM TC X, TC Y, E
    WHERE X.Tail = E.Start AND Y.Start = E.Tail;

    -- Table Trust: the node pairs not using the deleted arcs of E.
    INSERT INTO Trust(Start, Tail)
    SELECT A.Start, A.Tail
    FROM TC A
    WHERE NOT EXISTS (SELECT * FROM Susp X
                      WHERE X.Start = A.Start AND X.Tail = A.Tail);

Core Algorithms – Del(G, TC, E) …

    -- Table Temp: a new node pair (u, v) represents a path from u to v.
    INSERT INTO Temp(Start, Tail)
    SELECT A.Start, B.Tail
    FROM Trust A, G, Trust B
    WHERE A.Tail = G.Start AND G.Tail = B.Start AND
          (NOT EXISTS (SELECT * FROM E
                       WHERE E.Start = G.Start AND E.Tail = G.Tail)) AND
          (EXISTS (SELECT * FROM Susp X
                   WHERE X.Start = A.Start AND X.Tail = B.Tail));

    -- The result: update table TC.
    DELETE FROM TC;
    INSERT INTO TC(Start, Tail)
    (SELECT Start, Tail FROM Trust)
    UNION
    (SELECT A.Start, A.Tail FROM Temp A);
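Added example (not from the original slides): the Add and Del statements above, run through Python's sqlite3 and checked against a closure recomputed from scratch, so that a deleted arc leaves no stale access pair in TC. It assumes TC also holds reflexive pairs (x, x) and that each update is a single arc; the role names, the statements that keep G in step, and SQLite's INSERT OR IGNORE are choices made for this example.

```python
import sqlite3

# Assumptions (not on the slides): TC also stores reflexive pairs (x, x) and each
# update is a single arc. Roles and arcs below are constructed sample data.
ROLES = ["admin", "manager", "auditor", "clerk"]
ARCS = [("admin", "manager"), ("manager", "clerk"),
        ("admin", "auditor"), ("auditor", "clerk")]
ADD = """
INSERT INTO Susp SELECT DISTINCT X.Start, Y.Tail FROM TC X, TC Y, E
  WHERE X.Tail = E.Start AND Y.Start = E.Tail;
INSERT OR IGNORE INTO TC SELECT * FROM Susp;  -- OR IGNORE: SQLite-specific dedup
INSERT INTO G SELECT * FROM E;
"""
DEL = """
INSERT INTO Susp SELECT DISTINCT X.Start, Y.Tail FROM TC X, TC Y, E
  WHERE X.Tail = E.Start AND Y.Start = E.Tail;
INSERT INTO Trust SELECT A.Start, A.Tail FROM TC A WHERE NOT EXISTS
  (SELECT * FROM Susp X WHERE X.Start = A.Start AND X.Tail = A.Tail);
INSERT OR IGNORE INTO "Temp" SELECT A.Start, B.Tail FROM Trust A, G, Trust B
  WHERE A.Tail = G.Start AND G.Tail = B.Start
    AND NOT EXISTS (SELECT * FROM E WHERE E.Start = G.Start AND E.Tail = G.Tail)
    AND EXISTS (SELECT * FROM Susp X WHERE X.Start = A.Start AND X.Tail = B.Tail);
DELETE FROM TC;
INSERT INTO TC SELECT Start, Tail FROM Trust UNION SELECT Start, Tail FROM "Temp";
DELETE FROM G WHERE EXISTS (SELECT * FROM E WHERE E.Start = G.Start AND E.Tail = G.Tail);
"""

def update(db, script, arc):  # run ADD or DEL for one arc on empty work tables
    db.executescript('DELETE FROM E; DELETE FROM Susp; DELETE FROM Trust; DELETE FROM "Temp";')
    db.execute("INSERT INTO E VALUES (?, ?)", arc)
    db.executescript(script)

def build(arcs):
    db = sqlite3.connect(":memory:")
    for t in ("G", "TC", "E", "Susp", "Trust", "Temp"):
        db.execute(f'CREATE TABLE "{t}"(Start TEXT, Tail TEXT, UNIQUE(Start, Tail))')
    db.executemany("INSERT INTO TC VALUES (?, ?)", [(r, r) for r in ROLES])
    for arc in arcs:
        update(db, ADD, arc)
    return db

def closure(db):
    return set(db.execute("SELECT Start, Tail FROM TC"))

def recomputed(db):  # reference: reflexive-transitive closure of G rebuilt from scratch
    arcs, reach = set(db.execute("SELECT Start, Tail FROM G")), {(r, r) for r in ROLES}
    while (new := {(a, d) for a, b in reach for c, d in arcs if b == c} - reach):
        reach |= new
    return reach
```

Deleting ("manager", "clerk") puts ("admin", "clerk") in Susp, and the Temp join restores it through the auditor path; deleting ("auditor", "clerk") afterwards removes it for good.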

Updating cross-domain arcs

Inserting a cross-domain arc e(u, v):

• Let <u be the set of arcs originating from u that need to be inserted.
• Add(Gms, TCGms, TC<u), where Gms is the global role graph.
• Remove redundant access node pairs.

Deleting a cross-domain arc e(u, v):

• Let >v be the set of arcs that need to be deleted.
• H=Del(Gms, TCGms, e).
• Del(G’, H, TC>v) where G’=Gms-e.

Updating role privileges

Update (insertion or deletion) of a privilege on a role:

• Finding the affected roles.
• Removing null and reducible roles, and removing redundancy.
• Subsumption induced by merging roles.

Experiments

Conclusions

• The efficient maintenance of accessibility among roles in a multi-domain environment supporting role hiding has been studied.
• The SQL-based incremental approach can be applied in database applications.
• Our proposed approach can be extended to multiple service providers satisfying the acyclic requirement for role graphs.