Access Control Administration with Adjustable Decentralization

dc.comment.hiddenI would significantly appreciate it if you could possibly review it by this Wednesday (Septemebr 12) about 10:00 in the morning since I am leaving Waterloo to Europe by 12:30 and will return to Canada on September 28. (Further changes may be hard to handle when I am away.) Once again, let me thank you for your cooperation, in advance. Many thanks. Amiren
dc.contributor.authorChinaei, Amir Hossein
dc.date.accessioned2007-09-12T15:50:52Z
dc.date.available2007-09-12T15:50:52Z
dc.date.issued2007-09-12T15:50:52Z
dc.date.submitted2007-08-22
dc.description.abstractAccess control is a key function of enterprises that preserve and propagate massive data. Access control enforcement and administration are two major components of the system. On one hand, enterprises are responsible for data security; thus, consistent and reliable access control enforcement is necessary although the data may be distributed. On the other hand, data often belongs to several organizational units with various access control policies and many users; therefore, decentralized administration is needed to accommodate diverse access control needs and to avoid the central bottleneck. Yet, the required degree of decentralization varies within different organizations: some organizations may require a powerful administrator in the system; whereas, some others may prefer a self-governing setting in which no central administrator exists, but users fully manage their own data. Hence, a single system with adjustable decentralization will be useful for supporting various (de)centralized models within the spectrum of access control administration. Giving individual users the ability to delegate or grant privileges is a means of decentralizing access control administration. Revocation of arbitrary privileges is a means of retaining control over data. To provide flexible administration, the ability to delegate a specific privilege and the ability to revoke it should be held independently of each other and independently of the privilege itself. Moreover, supporting arbitrary user and data hierarchies, fine-grained access control, and protection of both data (end objects) and metadata (access control data) with a single uniform model will provide the most widely deployable access control system. Conflict resolution is a major aspect of access control administration in systems. Resolving access conflicts when deriving effective privileges from explicit ones is a challenging problem in the presence of both positive and negative privileges, sophisticated data hierarchies, and diversity of conflict resolution strategies. This thesis presents a uniform access control administration model with adjustable decentralization, to protect both data and metadata. There are several contributions in this work. First, we present a novel mechanism to constrain access control administration for each object type at object creation time, as a means of adjusting the degree of decentralization for the object when the system is configured. Second, by controlling the access control metadata with the same mechanism that controls the users’ data, privileges can be granted and revoked to the extent that these actions conform to the corporation’s access control policy. Thus, this model supports a whole spectrum of access control administration, in which each model is characterized as a network of access control states, similar to a finite state automaton. The model depends on a hierarchy of access banks of authorizations which is supported by a formal semantics. Within this framework, we also introduce the self-governance property in the context of access control, and show how the model facilitates it. In particular, using this model, we introduce a conflict-free and decentralized access control administration model in which all users are able to retain complete control over their own data while they are also able to delegate any subset of their privileges to other users or user groups. We also introduce two measures to compare any two access control models in terms of the degrees of decentralization and interpretation. Finally, as the conflict resolution component of access control models, we incorporate a unified algorithm to resolve access conflicts by simultaneously supporting several combined strategies.en
dc.identifier.urihttp://hdl.handle.net/10012/3227
dc.language.isoenen
dc.pendingfalseen
dc.publisherUniversity of Waterlooen
dc.subjectAccess Control Administrationen
dc.subjectDecentralizationen
dc.subjectAuthorizationen
dc.subjectData Securityen
dc.subjectEnhanced Delegation and Revocationen
dc.subjectCombined Conflict Resolution Policiesen
dc.subjectHealth Informaticsen
dc.subjectE-Commerceen
dc.subjectEnterprise Content Managmenten
dc.subject.programComputer Scienceen
dc.titleAccess Control Administration with Adjustable Decentralizationen
dc.typeDoctoral Thesisen
uws-etd.degreeDoctor of Philosophyen
uws-etd.degree.departmentSchool of Computer Scienceen
uws.peerReviewStatusUnrevieweden
uws.scholarLevelGraduateen
uws.typeOfResourceTexten

Files

Original bundle

Now showing 1 - 1 of 1
Loading...
Thumbnail Image
Name:
Chinaei-ThesisElectronicly.pdf
Size:
721.62 KB
Format:
Adobe Portable Document Format

License bundle

Now showing 1 - 1 of 1
No Thumbnail Available
Name:
license.txt
Size:
256 B
Format:
Item-specific license agreed upon to submission
Description: