
Research On Obligation Mechanism Based On P-RBAC Model

Posted on: 2013-11-16
Degree: Master
Type: Thesis
Country: China
Candidate: M J Tang
GTID: 2298330362967541
Subject: Communication and communication system

Abstract/Summary:
With the development of the internet and society, the information and private data produced by commercial activity, banks, medical treatment and other organizations have increased drastically, especially now that public cloud services are widely applied in our lives. Privacy is receiving increasing attention from consumers, companies, researchers and legislators. Such organizations are therefore required to provide a fine-grained privacy protection mechanism to guarantee that private data is protected to some extent when it is collected, used and distributed. It is self-evident that such privacy protection requires a formal and secure access control model that is also easy to administer and consistent with the policies of the privacy requirements. The Privacy-aware Role-Based Access Control (P-RBAC) model is an extension of RBAC. It not only has the advantages of RBAC, such as the inherent richness of role hierarchies, separation of duty and least privilege, but also provides a fine-grained mechanism of Conditions, Purposes and Obligations, which satisfies the privacy protection requirement. However, with the introduction of the components that meet the privacy requirements, the types of inconsistency among the policies become correspondingly more complex. In this paper, we therefore focus on the analysis and verification of obligations in the policies of the P-RBAC model.

In this paper, we propose three features of the obligation: association with action request, temporal constraints and conditional attribute. On the basis of an analysis of these three features, a representation model of obligations is proposed. Then, based on this model, we analyze in detail the problems of security and inconsistency in P-RBAC access policies that carry the obligation mechanism.

In order to detect the cascading phenomenon caused by obligations in a Privacy-aware RBAC system, we propose a way to transform this phenomenon into a process of examining loops in a directed graph. An algorithm for translating the process into a model checking formalism is also proposed for automatic verification. According to the result, the criteria for solving the cascading are given.

At the end of this paper, we use the timed automata tool UPPAAL to implement the principle of Separation of Duty based on P-RBAC. According to the different time nodes of the assignment and execution of obligations, the various states of obligations are defined. Then, models of the state transformation and of the Separation of Duty mechanism are given based on the UPPAAL tool. We also propose reduction rules that can relieve the state explosion in the tool, based on an analysis of the dominance of obligations. Finally, we verify the validity and efficiency of this UPPAAL model.
Keywords/Search Tags: Privacy-aware Role Based Access Control (P-RBAC), Privacy Policy, Cascading Phenomenon, Model Checking, UPPAAL