Abstract
Role based access control (RBAC) is the widely accepted and used access control model. However, mapping the sets of users, roles and permissions onto one another in RBAC is a major challenge, and this leads to errors in practical applications. Incorporating human decisions into the RBAC mappings could resolve this issue, but in real-world settings human decisions are fuzzy in nature. Fuzzy techniques can therefore be incorporated into RBAC through fuzzy role based access control (FRBAC). Fuzzy formal concept analysis (FFCA) is a mathematical model for representing uncertain information in the form of a formal context. However, to the best of our knowledge, there is no work on modelling fuzzy RBAC through fuzzy FCA. The objective of this paper is to propose a model that represents FRBAC in the form of FFCA. The initial results of our experiments show that the proposed model can implement the major features of RBAC.
1 Introduction
Role based access control is a highly sophisticated, predominantly used, policy-neutral access control model for online enterprise applications [1–3]. The major relationships among the components of RBAC are the mappings of roles with permissions, users with roles and users with permissions. RBAC has greatly reduced the complexity faced by the security administrator in managing the access permissions of users. By implementing the important security principles of least privilege, separation of duty and data abstraction, it has further simplified the task of the security administrator. In recent times, with the massive growth in the number of users of online enterprise applications, the user-with-role mapping has become complicated and error prone. Errors in the user-with-role mapping allow frauds to escape detection and create conflicts of interest by assigning dynamically mutually exclusive roles. Involving human decisions in the user-with-role mapping therefore becomes essential. But in real-world scenarios, human decisions on mapping users with roles are fuzzy: the crisp set of objects or users is assigned a fuzzy role strength when mapped onto the different roles. Applying fuzzy role based access control (FRBAC) to user-with-role mappings therefore becomes essential. Martínez-García et al. [4] have successfully introduced the FRBAC model with its complete formalism in the form of core FRBAC, hierarchical FRBAC and constrained FRBAC.
A fuzzy formal context is the mathematical representation of uncertain information in the form of a formal context; it incorporates fuzzy set theory into formal concept analysis (FCA). Fuzzy formal concept analysis (FFCA) has been successfully applied to the evaluation of clustering quality [5]. More recently, FFCA has been applied to the distributed creation of models in a cloud environment [6]. The survey [7] shows the various applications of FFCA in knowledge discovery in databases (KDD), such as the discovery of semantic web services and user behavioural models from web usage logs. Concept lattices have been extensively used in the implementation of access control policies [8]. Sergei et al. [9] have used an interactive technique to construct lattices for access control models with the help of the attribute exploration process of FCA. Dau and Knechtel [10] have designed a triadic formal context for RBAC and further discussed the steps to derive a dyadic formal context. FFCA has also been adapted to fuzzy description logics [11].
Motivated by the fruitful results of Martínez-García et al. [4], Sergei et al. [9] and Dau and Knechtel [10], we propose a fuzzy role based access control model using fuzzy formal concept analysis. In this paper, we formalize a model for the user-with-role mapping of FRBAC using the one-sided threshold method of FFCA. Our extensive literature survey shows that this is the first attempt at formalizing FRBAC using FFCA. The initial results of our experiments show that the proposed model can implement the user-with-role mappings of FRBAC. The rest of the paper is organized as follows. Sections 2.1 and 2.2 provide brief background on FRBAC and FFCA respectively. Related work is described in Sect. 2.3. We present the proposed modeling of FRBAC using FFCA in Sect. 3 and demonstrate the experimental results in Sect. 4.
2 Background
2.1 Fuzzy Role Based Access Control
FRBAC is suitable for risk based environments where uncertain authorization-related information exists. Here, an action on a data resource takes a fractional meaning. Access decisions are based on the level of imprecision and take a fuzzy value in the range zero to one. Incorporating fuzzy decisions into the mappings of user with role, role with permission and user with permission yields the FRBAC model. Some FRBAC systems [11] define the user-with-role mapping by comparing the trustworthiness of the user with that required by the role. A user is assigned to a role only when the trustworthiness of the user is greater than or equal to the trustworthiness required by the role. This amounts to a comparison between role and trust degree. In addition, permissions are assigned to trust degrees rather than to roles.
To describe the FRBAC model, we use the notation and model definition given by Martínez-García et al. in [4]. FRBAC is divided into three parts, namely core FRBAC, hierarchical FRBAC and constrained FRBAC. The basic functionality is dealt with in core FRBAC. Hierarchical FRBAC extends core FRBAC with role hierarchies. Constrained FRBAC incorporates separation of duty constraints. The main functionality of core FRBAC is the assignment of users with roles and roles with permissions, fixed through fuzzy relations of the form UA: U x R → [0, 1] and PA: R x P → [0, 1]. Here, UA represents the mapping of users (U) with roles (R) and PA represents the mapping of roles (R) with permissions (P). The user-with-role mapping describes how an individual user (u) is associated with an individual role (r) through the membership function (µUA), which represents the strength of the user-with-role assignment. Similarly, the role-with-permission mapping describes how an individual role (r) is associated with the different permissions (p) through the membership function (µPA), which represents the strength of the role-with-permission assignment. Readers are referred to [4] for the treatment of the active assignment relation, the user-with-permission mapping and the access function. Hierarchical FRBAC defines the hierarchical relation between roles. Here, the permissions of a high priority role are inherited from the low priority role, and the users of a high priority role are also users of the low priority role; the high priority role is the senior role in the role hierarchy and the low priority role is the junior role. Constrained FRBAC describes the constraints on static separation of duty and dynamic separation of duty in FRBAC. The detailed study of hierarchical FRBAC and constrained FRBAC is available in [4].
To understand a real-world application scenario of FRBAC, consider the example described in [4], in which the database of a hospital is accessed by an external party in order to perform epidemiological research. Here, the external party user is granted a role with a relational strength, based on trustworthiness, in order to access the hospital database. This is an example of user-with-role mapping in FRBAC.
2.2 Fuzzy Formal Concept Analysis
Formal concept analysis (FCA) is a mathematical theory which represents knowledge in terms of formal concepts. A formal concept is an ordered pair of an extent and an intent. The extent is a subset of all objects in the context. The intent is a subset of all attributes in the context. The partial ordering of the set of all formal concepts by the super-/sub-concept relationship is known as the concept lattice.
Fuzzy formal concept analysis (FFCA) is a mathematical model to represent uncertain information in the precise formalism of FCA. It works on uncertain values and integrates fuzzy set theory with formal concept analysis. It is a fuzzy-valued relation in which an object has an attribute to a certain degree under a given conceptual scaling. We can define the fuzzy relationship (R) between objects (OBJ) and attributes (ATT) as R: OBJ x ATT → [0,1]. FFCA membership values lie in the range zero to one. A fuzzy formal concept is a pair < A, B > where A is a crisp set of objects and B is a fuzzy set of attributes such that A↑ = B and B↓ = A.
In the above Eqs. (1) and (2), the operators (↑) and (↓) represent the concept forming operators. Similarly, a fuzzy formal concept can be defined with a fuzzy set of objects and a crisp set of attributes. The alpha cut is a common approach to the fuzzification of FCA; it reduces the fuzzy values to a crisp calculation. There are two methods for representing fuzzy formal concepts: the one-sided threshold and the fuzzy closure operator based on residuated implication. The one-sided threshold keeps either the intents or the extents fuzzy, but not both. The other method, the fuzzy closure operator based on residuated implication, keeps both intents and extents fuzzy. In real-world scenarios there are practical applications of the one-sided threshold, such as the user-with-role mapping in FRBAC, whereas it is difficult to find practical applications of the FFCA method based on residuated implication. The method based on the alpha cut becomes crisp once a particular threshold is chosen. The survey [7] shows the various applications of FFCA in KDD, such as the discovery of semantic web services and user behavioural models from web usage logs.
2.3 Related Work
The basic RBAC policy, model, components and their interactions are described in [1]. Sandhu et al. have introduced the unified model for RBAC called the NIST RBAC model [2, 3]. Temporal RBAC (TRBAC) [12] was introduced as an extension of RBAC to meet the need for activating and disabling roles periodically. The distributed RBAC (dRBAC) [13] mechanism evolved to meet the requirements of multi-domain environments. Based on the classification of tasks, task-role based access control (T-RBAC) [14] was introduced to suit the requirements of enterprise and industrial applications. Unal and Caglayan [15] modeled FPM-RBAC to solve major issues of multi-domain RBAC such as location and mobility constraints, inter-domain services and separation of duty. Baracaldo et al. [16] have recommended an RBAC framework that supports temporal and separation of duty constraints for secure interoperation among multiple domains. Kumar and Newman [17] introduced a new approach called STRBAC to deal with the spatio-temporal aspects of RBAC. Zhou et al. [18] have introduced a cryptographic RBAC system for storage in a cloud environment. Lee et al. [19] have introduced an XACML based RBAC model for substation automation systems in the smart grid. Ni et al. [20] have introduced a framework for privacy-aware RBAC. Martino et al. [21] have introduced multi-domain and privacy-aware RBAC in eHealth. Takabi et al. [22] have proposed a model that introduces separation of duty policies into RBAC using fuzzy set theory. Nawarathna and Kodithuwakku [23] have presented a new FRBAC model for database security with a fuzzy policy evaluator. Wang and Liu [24] have proposed a user-role assignment model based on the trustworthiness of the user in the system. Knechtel [25] has formalized the access control matrix of RBAC as a triadic context with the support of description logic.
Aswani Kumar [26] has used formal concept analysis to model the access permissions of RBAC. Further, Aswani Kumar [27] has used fuzzy K-means clustering to reduce the formal context and used FCA for association rule mining. The Chinese wall security policy has been modeled using formal concept analysis [28]. Singh et al. [29] have proposed an algorithm for generating fuzzy formal concepts based on interval values. Based on our thorough literature survey, this is the first attempt to achieve FRBAC using fuzzy FCA.
3 Fuzzy Role Based Access Control Using Fuzzy FCA
In the access control matrix of FRBAC, rows represent subjects, columns represent objects and the entries are fuzzy values ranging from zero to one; it is therefore called a fuzzy access control matrix. In general, such fuzzy access control matrices represent the three different mappings of FRBAC: user with role, role with permission and user with permission. In the proposed model, we present the fuzzy access control matrix that represents the user-with-role mapping only. In this matrix, the rows are the crisp set of users, the columns are the fuzzy set of roles, and the entries are the fuzzy values representing the relational strength of each crisp user on the different fuzzy roles. The fuzzy relational strength values of the user-role assignment are derived from application dependent, authorization-related information such as the trustworthiness of the user, the seniority level of the user and the user's need to know. The user-role relational strength also represents the risk associated with the fact that a user belongs to a role. The value of the relational strength is derived from user trustworthiness. To derive the user-role matrix as a context, the set of users is taken as the formal objects and the set of roles as the formal attributes.
The steps given below describe the procedure to derive the user-with-role mappings of fuzzy role based access control using fuzzy formal concept analysis.
1. Identify the set of users (U), the set of roles (R) and the relational strength (I) of individual users on different roles. Here, the relational strengths are fuzzy values.
2. Derive the matrix (MUxR) of the identified users (U) and roles (R) by assigning the fuzzy relational strength value between each user and role.
3. Transform the matrix (MUxR) derived in step 2 into the fuzzy formal context KU,R = K (U, R, IU,R) representing the mapping of users with roles in FRBAC.
4. Obtain the fuzzy concepts from the fuzzy formal context (KU,R) derived in step 3.
5. Construct the fuzzy concept lattice from the fuzzy formal concepts obtained in step 4. Here, the formal objects (users) are organized into the levels of the lattice according to how the users are associated with the formal attributes (roles).
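The five steps above, carried out as an added Python example that is not code from the paper: it builds a constructed four-user, four-role fuzzy context (the paper's Table 1 is not reproduced), generates the one-sided-threshold fuzzy concepts with a crisp extent and a fuzzy intent by closing every crisp subset of users, and groups the concepts into lattice levels by extent size as Sect. 4 does. `user_roles` is an assumed helper that reads one user's role strengths off the smallest concept containing that user.

```python
"""One-sided-threshold fuzzy concept generation for the FRBAC user-role context.

Added example, not code from the paper. Users are crisp formal objects and roles
are fuzzy formal attributes; the strength matrix below is CONSTRUCTED for
illustration (the paper's Table 1 is not reproduced here).
"""
from itertools import combinations

# Steps 1-2: constructed fuzzy user-role context I: U x R -> [0, 1].
USERS = ["U1", "U2", "U3", "U4"]
ROLES = ["R1", "R2", "R3", "R4"]
STRENGTH = {
    "U1": {"R1": 0.9, "R2": 0.7, "R3": 0.0, "R4": 0.2},
    "U2": {"R1": 0.0, "R2": 0.8, "R3": 0.5, "R4": 0.6},
    "U3": {"R1": 0.4, "R2": 0.0, "R3": 0.6, "R4": 0.9},
    "U4": {"R1": 0.5, "R2": 0.3, "R3": 0.4, "R4": 0.7},
}


def up(users, ctx=STRENGTH, roles=ROLES):
    """A↑: fuzzy set of roles shared by every user in the crisp set A.
    A role's membership is the minimum strength over the users; the empty
    set maps to full membership 1.0 on every role."""
    return {r: min((ctx[u][r] for u in users), default=1.0) for r in roles}


def down(intent, ctx=STRENGTH, users=USERS):
    """B↓: crisp set of users whose strength reaches the intent's threshold
    on every role (the one-sided alpha cut of the context by B)."""
    return frozenset(u for u in users
                     if all(ctx[u][r] >= b for r, b in intent.items()))


def fuzzy_concepts(ctx=STRENGTH, users=USERS, roles=ROLES):
    """Steps 3-4: enumerate crisp user subsets and keep the closed ones,
    i.e. the pairs (A, B) with A↑ = B and B↓ = A."""
    concepts = []
    for k in range(len(users) + 1):
        for subset in combinations(users, k):
            extent = frozenset(subset)
            intent = up(extent, ctx, roles)
            if down(intent, ctx, users) == extent:
                concepts.append((extent, intent))
    return concepts


def lattice_levels(concepts):
    """Step 5: group concepts by extent size. Larger extents sit higher in
    the lattice: all users at level 1, the empty extent at the bottom."""
    sizes = sorted({len(ext) for ext, _ in concepts}, reverse=True)
    return {level + 1: [c for c in concepts if len(c[0]) == size]
            for level, size in enumerate(sizes)}


def user_roles(user, concepts):
    """Assumed helper: the most specific concept containing the user
    (smallest extent) gives the roles and strengths that user holds,
    which is the least-privilege view the lattice provides."""
    holding = [c for c in concepts if user in c[0]]
    _, intent = min(holding, key=lambda c: len(c[0]))
    return {r: s for r, s in intent.items() if s > 0.0}


if __name__ == "__main__":
    cs = fuzzy_concepts()
    print(f"{len(cs)} fuzzy concepts")
    for level, group in lattice_levels(cs).items():
        for extent, intent in group:
            print(level, sorted(extent), {r: s for r, s in intent.items() if s})
    print("U3 holds:", user_roles("U3", cs))
```

With the constructed matrix, the subset {U1, U3} is not closed because U4 also reaches every strength in {U1, U3}↑, so its closure is {U1, U3, U4}; this is exactly the behaviour that places shared-role users together in one lattice node.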
In the next section, we demonstrate the proposed modeling of FRBAC using FFCA with a practical example.
4 Experimental Results
To demonstrate the proposed work, we consider the scenario of FRBAC user-with-role mapping. For clarity, we consider only four users and four roles. The four users are identified as U1, U2, U3 and U4 and the four roles as R1, R2, R3 and R4. The mapping of these users with roles takes fuzzy values from zero to one. Here, the users are treated as crisp objects and the roles as fuzzy attributes. The associations of the individual users U1, U2, U3 and U4 with the fuzzy roles R1, R2, R3 and R4 are described as UA1, UA2, UA3 and UA4 respectively and are given below.
By merging UA1, UA2, UA3 and UA4, we derive the matrix (MUxR) of the user-with-role mapping in FRBAC. Then, we extract the fuzzy values from these associations and formalize the fuzzy formal context as shown in Table 1.
Next, derive the various fuzzy concepts from the fuzzy formal context of users with roles mapping of FRBAC described in Table 1. Here, we use fuzzy concept generation algorithm described in [30].
The fuzzy formal concepts generated from the fuzzy formal context of Table 1 are shown in Table 2. From Table 2, the fuzzy concepts can be read as follows. Concept C2 represents the users U1, U3 and U4, who are related to role R1 with role strength 0.4. Concept C3 represents the users U2, U3 and U4, who are related to roles R3 and R4 with role strengths 0.4 and 0.6 respectively. Similarly, concept C4 represents the users U1 and U2, who are related to R2 with role strength 0.7. In this way, every concept listed in Table 2 can be understood through the way its set of users is associated with its set of roles and their role strengths.
In total, twelve different concepts were obtained. This formal analysis of the user-role assignment classifies the concepts and helps to understand how each individual user is associated with different roles, and how more than one user is associated with common roles together with their relational strengths.
Then, we construct the fuzzy concept lattice shown in Fig. 1 from the fuzzy formal concepts listed in Table 2. In this lattice, the nodes represent the concepts, and each concept represents the association of a set of users with a set of roles and their role strengths. Adding or deleting users in the fuzzy formal context, or updating role strengths, propagates the necessary changes into the resultant concept lattice through the concept forming operators. In the lattice we can see that the concept containing all four users U1, U2, U3 and U4 is at the top level (level 1), and the concepts associated with the three users U1, U2 and U3 are at level 2. Similarly, the concepts associated with two users, a single user and none of the users are at level 3, level 4 and level 5 respectively. This shows that least privilege and user hierarchy are achieved in the mapping of users with roles in FRBAC: the lattice represents the user hierarchy, with each user's least privilege determined by the relational strengths on the different roles. In addition, the user-role assignment lattice helps to visualize how many roles each individual user is associated with. Further experiments on this lattice structure are required to test whether it satisfies the other security features such as static and dynamic separation of duty. Similarly, experiments on the other mappings of FRBAC, role with permission and user with permission, in a fuzzy formal context are left for future work.
5 Conclusion
In this paper, we have modeled FRBAC using fuzzy FCA. To demonstrate this, we formalized the set of users as crisp objects and the set of roles as fuzzy attributes of FRBAC. The entries of this FRBAC based fuzzy formal context represent the relational strength of the users with the different roles. This fuzzy formal context exactly represents the user-with-role mapping of FRBAC. We then generated the list of fuzzy concepts for the FRBAC based fuzzy formal context and constructed the FRBAC based fuzzy concept lattice from them. The resultant FRBAC based fuzzy concept lattice satisfies two main security features of FRBAC, namely least privilege and user hierarchy.
References
Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. Computer 29(2), 38–47 (1996)
Sandhu, R., Ferraiolo, D., Kuhn, R.: The NIST model for role based access control: towards a unified standard. In: Proceedings of the 5th ACM Workshop on Role Based Access Control, July 26–27, Berlin, pp. 47–63 (2000). Initial proposal for the current INCITS 359-2004 RBAC standard
Ferraiolo, D.F., Sandhu, R., Gavrila, S., Richard Kuhn, D., Chandramouli, R.: Proposed NIST standard for role-based access control. ACM Trans. Inf. Syst. Secur. (TISSEC) 4(3), 224–274 (2001)
Martínez-García, C., Navarro-Arribas, G., Borrell, J.: Fuzzy role-based access control. Inf. Process. Lett. 111(10), 483–487 (2011)
Sassi, M., Touzi, A.G., Ounelli, H.: Clustering quality evaluation based on fuzzy FCA. In: Wagner, R., Revell, N., Pernul, G. (eds.) DEXA 2007. LNCS, vol. 4653, pp. 639–649. Springer, Heidelberg (2007)
Sarnovsky, M., Butka, P., Pocsova, J.: Cloud computing as a platform for distributed fuzzy FCA approach in data analysis. In: 16th IEEE International Conference on Intelligent Engineering Systems (INES), pp. 291–296. IEEE (2012)
Poelmans, J., Elzinga, P., Viaene, S., Dedene, G.: Formal concept analysis in knowledge discovery: a survey. In: Croitoru, M., Ferré, S., Lukose, D. (eds.) ICCS 2010. LNCS, vol. 6208, pp. 139–153. Springer, Heidelberg (2010)
Crampton, J.: Authorization and antichains. Ph.D. diss.: Birkbeck College (2002)
Sergei, A.O., Kourie, D.G., Eloff, J.H.P.: Building access control models with attribute exploration. Comput. Secur. 28(1–2), 2–7 (2009)
Dau, F., Knechtel, M.: Access policy design supported by FCA methods. In: Rudolph, S., Dau, F., Kuznetsov, S.O. (eds.) ICCS 2009. LNCS, vol. 5662, pp. 141–154. Springer, Heidelberg (2009)
Takabi, H., Amini, M., Jalili, R.: Enhancing role-based access control model through fuzzy relations. In: Third International Symposium on Information Assurance and Security, IAS 2007, pp. 131–136. IEEE (2007)
Bertino, E., Bonatti, P.A., Ferrari, E.: TRBAC: A temporal role-based access control model. ACM Trans. Inf. Syst. Secur. (TISSEC) 4(3), 191–233 (2001)
Freudenthal, E., Pesin, T., Port, L., Keenan, E., Karamcheti, V.: dRBAC: distributed role-based access control for dynamic coalition environments. In: Proceedings of the 22nd International Conference on Distributed Computing Systems, pp. 411–420. IEEE (2002)
Oh, S., Park, S.: Task-role based access control (T-RBAC): an improved access control model for enterprise environment. In: Ibrahim, M., Küng, J., Revell, N. (eds.) DEXA 2000. LNCS, vol. 1873, p. 264. Springer, Heidelberg (2000)
Unal, D., Caglayan, M.U.: A formal role-based access control model for security policies in multi-domain mobile networks. Comput. Netw. 57, 330–350 (2013)
Baracaldo, N., Maasoumzadeh, A., Joshi, J.: A secure constraint aware role based access control interoperation framework. IEEE (2011). 978-1-4577-0460-4/11
Kumar, M., Newman, R.E.: STRBAC - an approach towards spatio-temporal role-based access control. In: Proceedings of the 3rd IASTED International Conference on Communication, Network, and Information Security, pp. 150–155 (2006)
Zhou, L., Varadharajan, V., Hitchens, M.: Secure administration of cryptographic role-based access control for large-scale cloud storage systems. J. Comput. Syst. Sci. 80(8), 1518–1533 (2014)
Lee, B., Kim, D.-K., Yang, H., Jang, H.: Role-based access control for substation automation systems using XACML. Inf. Syst. 53, 237–249 (2015)
Ni, Q., Bertino, E., Lobo, J., Brodie, C., Karat, C.-M., Karat, J., Trombeta, A.: Privacy-aware role-based access control. ACM Trans. Inf. Syst. Secur. (TISSEC) 13(3), 1–31 (2010)
Martino, L.D., Ni, Q., Lin, D., Bertino, E.: Multi-domain and privacy-aware role based access control in eHealth. In: Second International Conference on Pervasive Computing Technologies for Healthcare, Pervasive Health 2008, pp. 131–134. IEEE (2008)
Takabi, H., Amini, M., Jalili, R.: Separation of duty in role-based access control model through fuzzy relations. In: Third International Symposium on Information Assurance and Security, IAS 2007, pp. 125–130. IEEE (2007)
Nawarathna, U.H.G.R.D., Kodithuwakku, S.R.: A fuzzy role based access control model for database security. In: Proceedings of the International Conference on Information and Automation, pp. 313–318 (2005)
Wang, C., Liu, S.: Study on fuzzy theory based web access control model. In: International Symposiums on Information Processing (ISIP) 2008, pp. 178–182. IEEE (2008)
Knechtel, M.: Access restrictions to and with description logic web ontologies, pp. 1–139. Dresden University of Technology (2010)
Aswani Kumar, Ch.: Designing role-based access control using formal concept analysis. Secur. Commun. Netw. 6(3), 373–383 (2013)
Aswani Kumar, Ch.: Fuzzy clustering-based formal concept analysis for association rules mining. Appl. Artif. Intell. 26(3), 274–301 (2012)
Mouliswaran, S.C., Aswani Kumar, C., Chandrasekar, C.: Modeling Chinese wall access control using formal concept analysis. In: International Conference on Contemporary Computing and Informatics (IC3I), pp. 811–816. IEEE (2014)
Singh, P.K., Aswani Kumar, C., Li, J.: Knowledge representation using interval-valued fuzzy formal concept lattice. Soft Comput., 1–18 (2015). doi:10.1007/s00500-015-1600-1
Martin, T., Majidian, A.: Finding fuzzy concepts for creative knowledge discovery. Int. J. Intell. Syst. 28(1), 93–114 (2013)
© 2015 Springer International Publishing Switzerland
Subramanian, C., Cherukuri, A., Chelliah, C. (2015). Modeling Fuzzy Role Based Access Control Using Fuzzy Formal Concept Analysis. In: Abawajy, J., Mukherjea, S., Thampi, S., Ruiz-Martínez, A. (eds) Security in Computing and Communications. SSCC 2015. Communications in Computer and Information Science, vol 536. Springer, Cham. https://doi.org/10.1007/978-3-319-22915-7_17
DOI: https://doi.org/10.1007/978-3-319-22915-7_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-22914-0
Online ISBN: 978-3-319-22915-7