In this paper, we develop formal authorization allocation algorithms for permission-role assignments. The formal approaches are based on relational structure, relational algebra and operations. The process of permission-role assignment is an important issue in role-based access control (RBAC), as it may modify the authorization level or allow high-level confidential information to be derived when roles are changed and request different permissions. There are two types of problems that may arise in permission-role assignments. One is related to the authorization granting process. Conflicting permissions may be granted to a role, and as a result, users with the role may have or derive a high level of authority. The other is related to authorization revocation. When a permission is revoked from a role, the role may still have the permission from other roles. To solve these problems, this paper presents an authorization granting algorithm, and weak revocation and strong revocation algorithms that are based on relational algebra operations. The algorithms can be used to check conflicts and therefore to help allocate permissions without compromising security in RBAC. We describe how to use the new algorithms with an anonymity scalable payment scheme. Finally, comparisons with other related work are discussed.
Cite as: Wang, H., Zhang, Y. and Cao, J. (2003). Formal Authorisation Allocation Approaches for Permission-role Assignment Using Relational Algebra Operations. In Proc. Fourteenth Australasian Database Conference (ADC2003), Adelaide, Australia. CRPIT, 17. Schewe, K.-D. and Zhou, X., Eds. ACS. 125-133.
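The two problems named in the abstract, shown on relations held as sets of tuples. This is an added illustration, not the paper's algorithms. The relation names (`RH`, `CONFLICT`), the role and permission names, and the reading of strong revocation as cascading to the roles a role inherits from are all assumptions.

```python
# Constructed sample relations (not taken from the paper).
RH = {("manager", "teller"), ("teller", "clerk")}   # (senior, junior)
CONFLICT = {frozenset({"approve_payment", "issue_payment"})}

def juniors(role, rh=RH):
    """The role plus every role it inherits from (closure over RH)."""
    seen, todo = {role}, [role]
    while todo:
        current = todo.pop()
        for senior, junior in rh:
            if senior == current and junior not in seen:
                seen.add(junior)
                todo.append(junior)
    return seen

def effective(pa, role):
    """Select PA rows for the role and its juniors, project on permission."""
    scope = juniors(role)
    return {perm for perm, r in pa if r in scope}

def grant(pa, perm, role):
    """Return PA with (perm, role) added, or raise if any role that would
    hold perm (the role itself or a senior) already holds a conflicting one."""
    roles = {r for pair in RH for r in pair} | {r for _, r in pa} | {role}
    for r in roles:
        if role in juniors(r):          # r is the role or senior to it
            for held in effective(pa, r):
                if frozenset({perm, held}) in CONFLICT:
                    raise ValueError(f"{perm} conflicts with {held} at {r}")
    return pa | {(perm, role)}

def weak_revoke(pa, perm, role):
    """Remove only the direct assignment; inherited copies remain."""
    return pa - {(perm, role)}

def strong_revoke(pa, perm, role):
    """Remove the assignment from the role and every role it inherits from."""
    return pa - {(perm, r) for r in juniors(role)}
```
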