International Journal of Computer Engineering and Technology (IJCET)
ISSN 0976-6367 (Print), ISSN 0976-6375 (Online)
Volume 4, Issue 5, September-October (2013), pp. 115-137
© IAEME: www.iaeme.com/ijcet.asp
Journal Impact Factor (2013): 6.1302 (Calculated by GISI), www.jifactor.com
DYNAMIC EXPIRATION ENABLED ROLE BASED ACCESS CONTROL MODEL (DEERBAC) FOR CLOUD COMPUTING ENVIRONMENT
Levina T (1), Dr. S C Lingareddy (2) and Kashyap Dhruve (3)
(1) Assistant Professor, Alpha College of Engg, Bangalore, India
(2) Professor & HOD, Dept of CSE, Alpha College of Engg, Bangalore, India
(3) Technical Director, Planet-i Technologies, Bangalore, India
ABSTRACT
Cloud computing is one of the most rapidly emerging techniques for fulfilling service demands of various forms, and access control is a key issue in its enhancement and optimization. To address this requirement, this paper proposes a robust system model, the Dynamic Expiration Enabled Role Based Access Control (DEERBAC) system, which supports a wide set of temporal constraints and thereby provides fine-grained policies for time-based access control. The paper studies the key issues of expressiveness and minimality in the cloud environment and shows that, even though its constraint set is not minimal, the presented model offers higher flexibility with lower complexity in the specification of constraints and efficient role assignment. This makes the proposed system practical for large user counts and simultaneous role-permission assignments without compromising security. The DEERBAC system is evaluated on the Amazon cloud; the results discussed in this paper establish its scalability and the efficiency of its access control mechanism.
Keywords: Role based access control system, Cloud computing, Access Control, DEERBAC
I. INTRODUCTION
Cloud computing is one of the most rapidly emerging technologies of the present day: a service infrastructure that provides on-demand computation, data storage and highly robust network infrastructure. In this technology, computing resources are provisioned and delivered as services over the Internet. Other technical communities state the definition differently, for example as "a technology or system model that provides ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources and frameworks". To deliver efficient cloud services over the Internet, such a model can be provisioned rapidly with minimal resource management effort and minimal service provider interaction.
In cloud computing one of the predominant security issues is the access control of information and system security. To control the time-sensitive activities of cloud applications such as workflow management and real-time operational databases, access control specifications need to be enhanced with suitable temporal constraints. The presented work is motivated by the requirement for a robust and effective access control approach that can alleviate security concerns in the cloud environment and raise the trust level for numerous cloud-based applications and service segments. One of the predominant and efficient approaches for meeting cloud security requirements in organizations is Role-based access control (RBAC), which fulfills various security requirements [1], [2], [3], [4]. Compared with the traditional discretionary and mandatory access control approaches (DAC and MAC) [5], [2], [6], [7], [8], the RBAC mechanism can be a much more effective solution. For heterogeneous cloud environments such as the Internet [9], [11], an RBAC framework may be a more effective solution for secure interoperation.
On the other hand, the time factor plays a vital role in the management of time-sensitive access controls. User creation with role assignment, and its optimization, is also a key aspect of cloud computing that needs to be optimized. A good example of time management is workflow management, which involves critical deadlines for the completion of invocations. To meet such requirements, time-based or period-oriented techniques have been suggested [12], [13], [14], [15]. Likewise, managing roles and user permissions requires an effective and efficient system that can manage users with their respective role assignments while preserving cloud security.
To achieve all of these expectations, this paper proposes a Dynamic expiration enabled role based Access control Model (DEERBAC) that emphasizes effective system constraints together with time-oriented user creation and role assignment, so as to meet the requirements of an efficient and productive system model for a competitive cloud environment. All of the constraints considered apply orthogonally to every aspect of the role based access control mechanism: role creation, user definition, role assignment, activation of specific roles, defining roles for users, and assignment of role permissions.
Specifically, the proposed DEERBAC system differentiates between the enabling of a role and the activation of that role by an individual user. A role is enabled when the users assigned to it are permitted to assume it; an enabled role becomes active when a user actually assumes it within a session for which access is permitted. Users cannot activate a role while it is disabled. The model therefore specifies, for each role, when it is enabled or disabled and hence when it can or cannot be assumed by users.
The proposed system model considers three dominant kinds of hierarchy that strengthen the model with higher efficiency and enhanced security: the inheritance-only hierarchy (I-hierarchy), the activation-only hierarchy (A-hierarchy) and the inheritance-activation hierarchy (IA-hierarchy). The first hierarchy supports permission-inheritance semantics, the second supports role-activation semantics only, and the third supports both role activation and permission inheritance. All three hierarchies are implemented in this system model and are further divided into two categories, restricted and unrestricted [16], [17].
General issues associated with any access control model or framework with a rich constraint language are minimality and expressiveness, where minimality refers to the minimum status of the set of constraints and is a vital criterion for judging the effectiveness of a minimal model against non-minimal models. This paper proposes and develops a robust framework that addresses the existing problems of minimality, expressiveness, user creation, role generation and role-permission assignment with the expected minimum expiration period in the RBAC framework. The proposed DEERBAC model performs better than the GTRBAC model [17] in terms of efficient role creation and multiple role assignments per user within a defined minimum time, without violating security. Concerning expressive power, this work shows that numerous sets of model constraints can be used to generate a family of DEERBAC system models with the same expressive power. Even though the constraint set of the DEERBAC cloud framework is non-minimal, it proves more beneficial in terms of lower complexity, better manageability and feasibility in characterizing access control management policies. It is shown that timing constraints on individual user-role assignments can easily be replaced by temporal constraints on role enabling.
The proposed DEERBAC architecture is significant for examining the performance of the model with respect to minimality, expressiveness, complexity, feasibility of user creation, efficient user creation, role generation and role-permission assignment for the cloud environment without compromising security. The results obtained for various user sizes, with the corresponding role generation and role assignment in the proposed framework, show it to be a highly efficient system for user management, role creation and role assignment in the cloud computing environment.
The remainder of the manuscript is organized as follows: Section II presents related work on the considered technologies; Section III states the DEERBAC model and introduces its functionalities; Section IV presents the expressiveness of the DEERBAC model and its modeling, including the operations on periodicity expressions, the developed algorithms, the system complexity and the design constraints; Section V presents the results obtained and their analysis; and Section VI draws the conclusions of the developed system model.
II. RELATED WORKS
Considering the need for a robust and effective solution for access control and role management in the cloud computing environment, a number of research efforts have been undertaken and many have performed well. The first group, Bertino et al., introduced the TRBAC framework, which focuses on the dominant constraints of the RBAC model [14]. The shortcomings of that model were rooted in its use of temporal constraints only for role enabling, which limited its performance for multiple service requirements in cloud environments. The next predominant work was the GTRBAC model [17], an extended form of the TRBAC model that adds an extensive set of constraints.
The model introduced in [14] mainly supports temporal authorization and derivation rules [14] but still lacks in addressing roles and their effective assignment. A number of other researchers have advocated the implementation of certain significant supporting constraints in an RBAC model, and notable work has been done in [18], [13], [5], [17], [19], [8]. Those efforts, however, do not address the problem of time-based access restrictions together with effective user creation and role assignment for multiple sizes; this shortcoming is addressed in our work. In [15] a system architecture based on a logic-oriented constraint specification language is presented that can be employed to specify constraints on individual roles, users and user-role assignments. In [13] a temporal data authorization model (TDAM) is proposed that can represent access control policies on the basis of the temporal behaviour of the data [13]. Considering these research gaps and requirements, this paper proposes a DEERBAC model that emphasizes the characteristics of permission by implementing dynamic role-permission assignment with the help of periodicity constraints, session constraints and event dependencies.
In this research work we have tried to implement a unique and robust system model that considers all of the key aspects, namely minimality, session constraints, expressiveness, user management and the allied role-permission facility, with an optimum level of performance and usability of access control and management.
III. DEERBAC MODELING AND TEMPORAL ROLE HIERARCHY
3.1 Introducing the DEERBAC Model
In the complex systems of cloud computing the proposed dynamic expiration enabled role based access control model, DEERBAC, plays a significant role in the cloud environment and its resource management. The DEERBAC mechanism also accommodates the individual concepts of role provisioning and role activation, as well as environment constraints and the event expressions associated with them.
The DEERBAC architecture is characterized by a number of sets of constraints, as follows:
1. Temporal role enabling/disabling constraints
Temporal role enabling/disabling constraints specify the intervals and the durations during which a role is enabled. For a duration constraint, the enabling or disabling of a particular role is initiated by a constraint-enabling event, which is raised either by an enabling function or by an administrator-initiated run-time process.
2. Temporal constraints on individual user-role assignments and on role-permission assignments
Such constraints specify the intervals and the durations during which a role is assigned to a specific user, or a permission is assigned to a role.
3. Activation constraints
Activation constraints restrict the activation of a role by a user. They include the total time interval for which a given user may activate a role and the number of concurrent activations of a role permitted at a given time.
4. Run-time events
A set of run-time events allows the administrator to dynamically initiate DEERBAC events, or to enable the duration or activation constraints. Another set of run-time events allows users to request the activation or deactivation of roles.
5. Constraint enabling expressions
The proposed DEERBAC mechanism includes events that enable or disable the duration and activation constraints defined above for individual roles.
6. Event dependencies
Event dependencies in the proposed DEERBAC system express the inter-dependencies among the events above.
The key constraints used in the DEERBAC model are periodicity constraints, duration constraints, time-based role activation constraints, cardinality constraints on role activation, event dependencies and run-time request constraints. A periodicity constraint on user-role assignment is written (D, S, Pra: Asg/DAsg e to R); the corresponding expressions for role enabling and for role-permission assignment are (D, S, Pra: En/Db R) and (D, S, Pra: Asg_w/DAsg_w w to R) respectively.
For duration constraints the expressions ([(S, D)|M], M_R, Pra: En/Db R) and ([(S, D)|M], M, Pra: Asg/DAsg e to R) are used for role enabling and for user-role assignment (G_{eR}) respectively; the role-permission form (G_{wR}) is written in the same way with Asg_w/DAsg_w w to R. The periodic expression (S, D) used in these constraints follows [20]: S denotes an infinite set of periodic time instants, and D = [begin, end] is an interval giving the lower and upper bounds imposed on the instants of S. The expression Sol(S, D) denotes the set of all time instants covered by the composite expression (S, D).
This paper also uses a function PSol(S, D) that gives the set of end points of the intervals in (S, D): if (S, D) is represented as the set of intervals {(t_{u1}, t_{t1}), (t_{u2}, t_{t2}), ..., (t_{un}, t_{tn})}, then

PSol(S, D) = {(t_{u1}, t_{t1}), (t_{u2}, t_{t2}), ..., (t_{un}, t_{tn})}

In these expressions the variable D always denotes the time interval of the constraint.
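As an added example (not from the paper), the following Python evaluates Sol(S, D) and PSol(S, D) and the two forms of role-enabling constraint above on a discrete timeline. The representation of S as a (period, offsets) pair, the use of integer hours as time instants, and the reading of M_R as the number of instants a role stays enabled after a run-time enabling event are assumptions, since the page does not fix a calendar expression language or define M_R.

```python
"""Added example, not the paper's code: Sol(S, D), PSol(S, D) and the
periodicity / duration forms of a role-enabling constraint on an integer
timeline.  Assumed here: time instants are integer hours since an epoch;
the periodic expression S is (period, offsets), i.e. the instants
{offset + k * period}; D = [begin, end] bounds those instants; a duration
constraint keeps the role enabled for M_R instants after a run-time
enabling event, provided the event falls inside Sol(S, D)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

Interval = Tuple[int, int]


@dataclass(frozen=True)
class PeriodicExpr:
    period: int               # e.g. 24 for a daily pattern
    offsets: FrozenSet[int]   # instants inside one period, e.g. 9..16 for office hours


def sol(s: PeriodicExpr, d: Interval) -> FrozenSet[int]:
    """Sol(S, D): every instant of S that lies inside D = [begin, end]."""
    begin, end = d
    return frozenset(t for t in range(begin, end + 1) if t % s.period in s.offsets)


def _as_intervals(instants: Iterable[int]) -> List[Interval]:
    """Group consecutive instants into maximal closed intervals (t_u, t_t)."""
    out: List[Interval] = []
    for t in sorted(instants):
        if out and out[-1][1] == t - 1:
            out[-1] = (out[-1][0], t)
        else:
            out.append((t, t))
    return out


def psol(s: PeriodicExpr, d: Interval) -> FrozenSet[Interval]:
    """PSol(S, D): the end points (t_u, t_t) of the intervals making up (S, D)."""
    return frozenset(_as_intervals(sol(s, d)))


def enabled_by_periodicity(s: PeriodicExpr, d: Interval, t: int) -> bool:
    """Periodicity constraint (D, S, Pra: En/Db R): R is enabled exactly at Sol(S, D)."""
    return t in sol(s, d)


def enabled_by_duration(s: PeriodicExpr, d: Interval, m_r: int,
                        enable_events: Iterable[int], t: int) -> bool:
    """Duration constraint ([(S, D)|M], M_R, Pra: En/Db R): a run-time enabling
    event at t0 takes effect only if t0 lies in Sol(S, D); R then stays enabled
    for the instants t0 .. t0 + M_R - 1 (assumed reading of M_R)."""
    window = sol(s, d)
    return any(t0 in window and t0 <= t < t0 + m_r for t0 in enable_events)


# constructed sample: office hours 09:00-16:00 on each of three days
OFFICE = PeriodicExpr(period=24, offsets=frozenset(range(9, 17)))
THREE_DAYS: Interval = (0, 71)
```

With the sample above, `psol(OFFICE, THREE_DAYS)` yields the three daily intervals (9, 16), (33, 40) and (57, 64); an enabling event raised at hour 20 is ignored because 20 is outside Sol(S, D), whereas one raised at hour 15 keeps the role enabled until hour 19 even though the periodic window closed at 16.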
3.2 Temporal Role Hierarchies
This section gives an overview of the temporal hierarchies of the proposed DEERBAC system model. Table 1 lists the predicate notation used to represent the semantics of the considered hierarchies. The status predicates En(R, t), e_Asg(e, R, t) and w_Asg(w, R, t) denote, respectively, the enabled status of role R, the assignment of user e to role R, and the assignment of permission w to role R at time t.
The predicate can_Act(e, R, t) signifies that user e may activate role R at time t, and in particular holds when e is explicitly assigned to R. The predicate Act(e, R, u, t) states that role R is active in user e's session u at time t, while Acq(e, w, u, t) states that e acquires permission w in session u at time t. The predominant relationships among these predicates are captured by the axioms given after Table 1; these axioms define permission acquisition and role activation in the proposed DEERBAC model.
TABLE 1: Status Predicates

Predicate              | Meaning
-----------------------|------------------------------------------------------
En(R, t)               | Role R is enabled at time t
e_Asg(e, R, t)         | User e is assigned to role R at time t
w_Asg(w, R, t)         | Permission w is assigned to role R at time t
can_Act(e, R, t)       | User e can activate role R at time t
can_Acq(e, w, t)       | User e can acquire permission w at time t
can_be_Acq(w, R, t)    | Permission w can be acquired through role R at time t
Act(e, R, u, t)        | Role R is active in user e's session u at time t
Acq(e, w, u, t)        | User e acquires permission w in session u at time t
Axiom 1, w_Asg(w, R, t) → can_be_Acq(w, R, t), states that if a permission is assigned to a role then it can be acquired through that role. Axiom 2, e_Asg(e, R, t) → can_Act(e, R, t), states that every user assigned to a role may activate that role. Axiom 3, can_Act(e, R, t) ∧ can_be_Acq(w, R, t) → can_Acq(e, w, t), states that if user e can activate a role R through which permission w can be acquired, then e can acquire w.
Similarly, Axiom 4, Act(e, R, u, t) ∧ can_be_Acq(w, R, t) → Acq(e, w, u, t), states that if a user has activated role R in session u, then the user acquires in that session all the permissions that can be acquired through R. Note that Axioms 1 and 2 express the permission-acquisition and role-activation semantics that follow from explicit user-role and permission-role assignments.
In general, a role hierarchy RH extends the permission-acquisition and role-activation semantics beyond the explicit assignments by means of the hierarchical relations defined among roles. The proposed DEERBAC model considers three predominant hierarchies: the permission-inheritance-only hierarchy, also known as the I-hierarchy; the role-activation-only hierarchy, or A-hierarchy; and the combined inheritance-activation hierarchy, or IA-hierarchy [16], [17]. Each of these hierarchies may be of either the restricted or the unrestricted kind.
A restricted hierarchy may be further classified as weakly or strongly restricted. The condition for an unrestricted I-hierarchy, x ≥_t y, states that if x ≥_t y then every permission that can be acquired through role y can also be acquired through role x; in other words, the permissions of junior roles are inherited by the senior roles. The corresponding condition for an unrestricted A-hierarchy states that if user e can activate role x and x ≥_t y, then e may also activate role y even if not assigned to y. However, e does not obtain y's permissions merely by activating x: permission inheritance is not permitted in an unrestricted A-hierarchy. The IA-hierarchy is the only hierarchy that supports both kinds of semantics, permission inheritance as well as role activation. A weakly restricted hierarchy permits the inheritance or activation semantics even when the enabling periods of the hierarchically related roles do not overlap, whereas a strongly restricted hierarchy permits them only during the overlapping periods.
Thus, for a weakly restricted I-hierarchy x ≥^w_t y, only role x is required to be enabled at time t for the inheritance semantics to apply; role y may or may not be enabled at that time. For a strongly restricted I-hierarchy x ≥^s_t y, both x and y are required to be enabled at time t for the inheritance semantics to apply. The restricted A- and IA-hierarchies are defined in the same way.
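The hierarchy semantics above, as an added example in Python (not the paper's own code): the Table 1 predicates can_Act, can_be_Acq and can_Acq are derived at one time instant from the direct assignments and from hierarchy edges typed as I, A or IA and as unrestricted, weakly or strongly restricted. The roles, users, permissions and enabling states are constructed for illustration. Assumptions: the hierarchy is acyclic; for a weakly restricted edge only the senior role must be enabled, for a strongly restricted edge both roles, and for an unrestricted edge neither; and activation additionally requires the role itself to be enabled, as Section 3.1 requires.

```python
"""Added example, not the paper's code: deriving can_Act, can_be_Acq and
can_Acq at one time instant under I-, A- and IA-hierarchies with
unrestricted ("u"), weakly restricted ("w") and strongly restricted ("s")
edges.  Edge restriction reading and the 'role must be enabled to be
activated' rule are assumptions stated in the lead-in; roles/users/
permissions below are constructed."""
from dataclasses import dataclass, field
from typing import Set, Tuple

# (senior, junior, kind in {"I", "A", "IA"}, restriction in {"u", "w", "s"})
Edge = Tuple[str, str, str, str]


@dataclass
class State:
    """Snapshot of the status predicates at one time instant t."""
    enabled: Set[str]                      # En(R, t)
    user_asg: Set[Tuple[str, str]]         # e_Asg(e, R, t)
    perm_asg: Set[Tuple[str, str]]         # w_Asg(w, R, t)
    hierarchy: Set[Edge] = field(default_factory=set)   # assumed acyclic

    def _edge_applies(self, senior: str, junior: str, restriction: str) -> bool:
        if restriction == "u":
            return True
        if restriction == "w":
            return senior in self.enabled
        if restriction == "s":
            return senior in self.enabled and junior in self.enabled
        raise ValueError(f"unknown restriction {restriction!r}")

    def can_be_acq(self, w: str, r: str) -> bool:
        """Axiom 1 plus I/IA inheritance: w is acquirable through r if it is
        assigned to r, or acquirable through a junior reached over an
        applicable I or IA edge."""
        if (w, r) in self.perm_asg:
            return True
        return any(self.can_be_acq(w, junior)
                   for senior, junior, kind, res in self.hierarchy
                   if senior == r and kind in ("I", "IA")
                   and self._edge_applies(senior, junior, res))

    def can_act(self, e: str, r: str) -> bool:
        """Axiom 2 plus A/IA activation semantics: e may activate r if r is
        enabled and either e is assigned to r or e can activate a senior of r
        over an applicable A or IA edge."""
        if r not in self.enabled:
            return False                      # disabled roles cannot be activated
        if (e, r) in self.user_asg:
            return True
        return any(self.can_act(e, senior)
                   for senior, junior, kind, res in self.hierarchy
                   if junior == r and kind in ("A", "IA")
                   and self._edge_applies(senior, junior, res))

    def can_acq(self, e: str, w: str) -> bool:
        """Axiom 3: some role R with can_Act(e, R, t) and can_be_Acq(w, R, t)."""
        roles = ({r for _, r in self.user_asg} | {r for _, r in self.perm_asg}
                 | {x for edge in self.hierarchy for x in edge[:2]})
        return any(self.can_act(e, r) and self.can_be_acq(w, r) for r in roles)


# constructed sample
PERMS = {("read_ledger", "Clerk"), ("page_staff", "OnCall"), ("approve", "Manager")}
USERS = {("alice", "Manager"), ("bob", "Clerk"), ("carol", "Auditor")}
EDGES = {
    ("Manager", "Clerk", "I", "w"),    # Manager inherits Clerk's permissions while Manager is enabled
    ("Manager", "OnCall", "A", "u"),   # Manager may activate OnCall but does not inherit its permissions
    ("Auditor", "Clerk", "IA", "s"),   # both semantics, only while Auditor and Clerk are both enabled
}
DAYTIME = State(enabled={"Manager", "Clerk", "OnCall"},
                user_asg=USERS, perm_asg=PERMS, hierarchy=EDGES)
AUDIT_WINDOW = State(enabled={"Manager", "Clerk", "OnCall", "Auditor"},
                     user_asg=USERS, perm_asg=PERMS, hierarchy=EDGES)
```

In `DAYTIME` the Auditor role is disabled, so carol can neither activate Auditor nor reach Clerk through the strongly restricted IA edge; once Auditor is enabled (`AUDIT_WINDOW`) she can activate Clerk and acquire `read_ledger`. The A-edge from Manager to OnCall lets alice activate OnCall, yet `can_be_acq("page_staff", "Manager")` stays false, which is exactly the "no permission inheritance in an A-hierarchy" rule.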
IV. EXPRESSIVENESS OF DEERBAC MODEL AND ITS MODELING
The previous section introduced the overall system and showed that the proposed DEERBAC model permits the specification of a large set of time-related constraints. A significant question then arises: is such an exhaustive set of temporal constraints required, or is there a minimal combination of constraints with the same expressive capability as the full constraint set of the proposed DEERBAC model? This section shows that the constraint set of the proposed model is not minimal. Using the notion of activity-equivalence, or a-equivalence, it is shown that there exists a smaller set of constraints with expressive power equivalent to that of the DEERBAC constraint set. The analysis also shows that, despite not being minimal, the non-minimal constraint set provides the better and more efficient option for representing cloud access constraints. In particular, these alternatives give users a robust and convenient mechanism with comparatively lower complexity. Additionally, the large number of access constraints available in the DEERBAC system improves functional feasibility, allowing the semantically clearest representation to be selected and optimization measures to be applied to enhance the usability of the model. The following algorithm converts the temporal constraints on role-permission assignments into constraints on role enabling.
Algorithm PR_Convert
Input: Gy_in; Output: Gy_out
1. Gy_out = {T', Users', Roles', Permissions', RH'} = Gy_in = {T, Users, Roles, Permissions, RH};
2. FOR each d = (𝒜, Pra: Asg_w/DAsg_w w to R) ∈ T, where 𝒜 ∈ {(D, S), ([(D, S)|M], M)} DO
3.    Generate a specific role R_w;
4.    Substitute all occurrences of (𝒜, Pra: Asg_w/DAsg_w w to R) by (𝒜, Pra: En_w/Db_w R_w) in T';
5.    Add the default assignment "Asg_w w to R_w" to T';
6.    FOR each event dependency tR ∈ T', where tR = "P'_1, ..., P'_l, G'_1, ..., G'_f → Pra: P_{l+1} after Δt" DO
7.       Replace tR by tR' = "P'_1, ..., P'_l, G'_1, ..., G'_f → Pra: P'_{l+1} after Δt", such that, for i = 1 to l+1 and j = 1 to f:
8.          IF (P_i == "Asg_w/DAsg_w w to R") THEN P'_i = "En_w/Db_w R_w";
9.          ELSE P'_i = P_i;
10.         IF (G_j == "Asg/DAsg w to R") THEN G'_j = "En/Db R_w";
11.         ELSE G'_j = G_j;
12.   ENDFOR
13.   Update Roles' = Roles' ∪ {R_w};
14.   FOR each role R_i ∈ Roles such that R_i ≥ R DO
15.      Update RH' = RH' ∪ {R_i ≥ R_w}; RH' = RH' − {R_i ≥ R};
16.   ENDFOR
17.   Update RH' = RH' ∪ {R ≥ R_w};
18. ENDFOR
Algorithm 1: PR_Convert
4.1 Minimality of DEERBAC
For a given DEERBAC model, the complete set of its constraint types is referred to as the Temporal Constraint and Activation Base (T_CAB). It collects the periodicity, duration, activation and event constraints of Section 3.1 as applied to user-role assignment, role enabling and role-permission assignment, and is written as the tuple

T_CAB = (G_{R_w}, ..., G_d)

where each component G collects one kind of constraint (periodicity, duration, activation cardinality or event dependency) on one target (user-role assignment, role enabling or role-permission assignment).
In this manuscript a named constraint refers to the combination of periodicity constraints of a particular kind. For example, G_{R_w} represents the periodicity constraints on user-role assignment, expressed as (D, S, Pra: Asg/DAsg e to R). The periodicity constraints cover user-role assignment (G_{eR}), role enabling (G_R) and role-permission assignment (G_{wR}).
In the following sections a shorthand such as T = (G_{R_w}, G_R) is used for the case where only the constraints G_R (periodicity constraints (D, S, Pra: En/Db R) on role enabling) and G_{R_w} are non-empty. The behaviour of a DEERBAC model depends on T, the set of users, the set of roles, the set of permissions and the role hierarchy RH; hence, in this manuscript, the tuple (T, Users, Roles, Permissions, RH) is used to represent a complete DEERBAC model.
The notation (e ⟹^t_{Gy} w) is read "user e acquires permission w at time t under configuration Gy". With this notation the notion of a-equivalence between two DEERBAC configurations is defined as follows.
Definition 1: Activity-equivalence or a-equivalence
In the DEERBAC framework, two configurations Gy_1 = (T_1, Users, Roles_1, Permissions, RH_1) and Gy_2 = (T_2, Users, Roles_2, Permissions, RH_2) are activity-equivalent, written Gy_1 ≈ Gy_2, if and only if for every pair (e, w) with e ∈ Users and w ∈ Permissions, and every time t, (e ⟹^t_{Gy_1} w) holds exactly when (e ⟹^t_{Gy_2} w) holds. The relation is transitive: if Gy_1 ≈ Gy_a and Gy_a ≈ Gy_2 then Gy_1 ≈ Gy_2.
In the proposed DEERBAC model, a-equivalence means that a particular user can exhibit the same set of accesses under the two configurations. Therefore, replacing configuration Gy_1 by configuration Gy_2 does not alter which accesses are or are not permitted for any individual user. Note that, since the same set of users and permissions is assumed, a-equivalence does not imply policy equivalence, which would require the two configurations to consist of the same rule sets. This work focuses on configurations with different constraints and different role sets that nevertheless allow the same users to obtain the same permission sets, and then analyzes their configuration complexity. This lets the system perform user role generation and role-permission assignment efficiently.
In the next phase it is shown that the constraint set of DEERBAC is not minimal: some kinds of constraints can be removed without reducing the expressive power of the DEERBAC model. Applying the a-equivalence relation over a set of DEERBAC models, it is shown that there exists a minimal representation that employs only periodicity and duration constraints on role enabling and activation constraints on a per-role basis. DEERBAC also provides default assignments, which assign permissions and users to specific roles without any temporal restriction.
Certain robust algorithms that can generate an a-equivalent model for a given configuration are presented next. The first algorithm (PR_Convert) generates an a-equivalent configuration for a given DEERBAC configuration in which all temporal constraints on role-permission assignments are replaced by constraints on role enabling. The second algorithm, UR_Convert, produces from the input configuration Gy a new configuration in which all temporal constraints on user-role assignments and all per-user-role activation constraints are replaced by role enabling and per-role activation constraints, respectively.
Algorithm UR_Convert
Input: Gy_in; Output: Gy_out
1. Gy_out = Gy_in (i.e., {T', Users', Roles', Permissions', RH'} = {T, Users, Roles, Permissions, RH});
2. FOR each d = (𝒜, Pra: Asg/DAsg e to R) ∈ T, where 𝒜 ∈ {(D, S), ([(D, S)|M], M)} DO
3.    Create a unique role R_e for user e;
4.    Replace all occurrences of (𝒜, Pra: Asg/DAsg e to R) by (𝒜, Pra: En/Db R_e) in T';
5.    Add the default assignment "Asg/DAsg e to R_e" to T';
6.    FOR each event dependency tR ∈ T', where tR = "P'_1, ..., P'_l, G'_1, ..., G'_f → Pra: P_{l+1} after Δt" DO
7.       Replace tR by tR' = "P'_1, ..., P'_l, G'_1, ..., G'_f → Pra: P'_{l+1} after Δt", such that, for i = 1 to l+1 and j = 1 to f:
8.          IF (P_i == "Asg/DAsg e to R") THEN P'_i = "En/Db R_e";
9.          ELSE P'_i = P_i;
10.         IF (G_j == "Asg/DAsg e to R") THEN G'_j = "En/Db R_e";
11.         ELSE G'_j = G_j;
12.   ENDFOR
13.   Update Roles' = Roles' ∪ {R_e};
14.   FOR each role R_i ∈ Roles such that R_i ≥_u R DO
15.      RH' = RH' ∪ {R_i ≥_u R_e}; RH' = RH' − {R_i ≥_u R};
         // this is a strongly restricted A-hierarchy
16.   ENDFOR
17.   Update RH' = RH' ∪ {R_e ≥ R};
18. ENDFOR
19. FOR each pair (e, R) and each per-user-role activation constraint Act on (e, R) in T' DO
20.    IF (R_e = getSet(e, R) == NIL) THEN create a unique role R_e;
       // getSet(e, R) == NIL means that no unique role has yet been created for the pair (e, R)
21.    FOR each d = (𝒜, ℬ, e, Act_ℬ R) ∈ T' DO
22.       Replace d in T' by d' = (𝒜, ℬ, Act_ℬ R_e);
23.    ENDFOR
24.    IF (R_e was newly created in line 20) THEN
25.       Roles' = Roles' ∪ {R_e};
26.       FOR each role R_i ∈ Roles such that R ≥_u R_i DO
27.          RH' = RH' ∪ {R_e ≥_s R_i}; RH' = RH' − {R ≥_u R_i};
28.       ENDFOR
29.       RH' = RH' ∪ {R ≥_u R_e};
30.    Replace the per-role activation constraint by (0, Act_R R) in T';
31. ENDFOR
Algorithm 2: UR_Convert
The algorithm shows that, after the temporal constraints on role-permission assignments, on user-role assignments and on per-user-role activation have been substituted, a reduced model with the same expressiveness is obtained in which the temporal constraints are placed on individual roles. The minimal constraint set (MCS) is used to establish whether an a-equivalent model configuration exists with the minimum number of kinds of constraints. The minimal constraint set is given in Definition 2.
Definition 2: Minimal Constraint Set
Let MCS(T) denote the set of kinds of constraints used in the constraint set T. Let GS = {Gy_1, Gy_2, ..., Gy_n} be a set of n a-equivalent model configurations, where Gy_l = (T_l, Users_l, Roles_l, Permissions_l, RH_l) for l = 1, 2, ..., n. MCS(T_f) is a minimal constraint set if there is no other configuration Gy_l = (T_l, Users_l, Roles_l, Permissions_l, RH_l) in GS, with l ≠ f, such that MCS(T_l) ⊂ MCS(T_f).
By this definition an MCS contains at least one kind of temporal constraint. Note also that the user set, the role set and the hierarchy may differ between the a-equivalent configurations. The minimality results for the DEERBAC model in the cloud environment, and the expressions they rely on, are given in the following theorems.
Theorem 1: Minimality of the DEERBAC model.
Let Gy_1 be a DEERBAC model configuration such that {G^x, G_Rw, G_R, G^x_R, G_tR, G_d} ⊆ MCS(T_1). Then there exists a configuration Gy_2 with the following properties:
1. Gy_1 ≈ Gy_2;
2. MCS(T_2) = {G^x, G_Rw, G_R, G^x_R, G_tR, G_d}, where the superscript x ranges over the kinds of per-role constraints;
3. MCS(T_2) is minimal with respect to {Gy_1} ∪ {Gy | Gy_1 ≈ Gy}.
Theorem 1 states that the full set of DEERBAC constraint kinds is not minimal: the subset consisting of default assignments, periodicity and duration constraints on role enabling and on assignment enabling (G_Rw, G_R), per-role activation constraints (G^x_R), enabling expressions (G_w) and constraint-enabling expressions (G_d) suffices to represent any access control policy that can be expressed with the entire set of DEERBAC constraints.
The number of roles and the complexity of the hierarchy grow when the transformation algorithms replace temporal constraints on assignments by temporal constraints on roles, because PR_Convert and UR_Convert create a new role for every temporal constraint they substitute. This is neither intuitive nor efficient: a large number of new roles is created purely as a side effect of the replacement. To create temporally non-overlapping roles instead, the n periodic expressions must be divided into a temporally non-overlapping set of periodic expressions. The next subsection gives the formal definitions and the algorithms that build this set by generating disjoint periodicity expressions from a collection of periodicity expressions.
Note that the minimal model above carries the temporal constraints on role activation; an alternative minimal model could carry them on user-role or role-permission assignments instead. Since roles are the fundamental entity of the RBAC framework, this work concentrates on the role-based minimal model. Per-user-role activation constraints are run-time constraints and have no corresponding representation in terms of user-role or permission-role assignments; therefore some temporal constraints on individual roles remain even after the temporal constraints on role activation have been eliminated.
4.2 Operations on Periodicity Expressions
This section introduces the basic relations between pairs of periodic expressions (containment, equivalence, overlap and disjointness) and the operations built on them.
Definition 3: Relations on periodic expressions.
Let PE_1 = (D_1, S_1) and PE_2 = (D_2, S_2) be periodic expressions. The relations between two expressions are illustrated in Figure 1, which shows the temporal relations between a pair of periodic expressions.
Note that, as in Definition 4, two expressions are regarded as disjoint even when the end points of two of their intervals coincide. The pairwise relations extend to relations between sets of periodic expressions: two sets of periodic expressions are equivalent if all their periodic expressions are equivalent. Ideally, one wants to compute a minimal set of disjoint periodic expressions so that each of them can be associated with an individual role, making the roles temporally distinct.
Definition 4: Minimal Disjoint Set
Let PE = {PE_1, PE_2, ..., PE_n} be a set of periodic expressions, and let Sol(PE_i) denote the set of time instants represented by PE_i. The minimal disjoint set (MDS) over PE, written MDS_PE = {PE'_1, PE'_2, ..., PE'_m}, is the set of disjoint periodic expressions of minimum cardinality m that satisfies the following conditions:
1. For each l, f with 1 ≤ l, f ≤ m and l ≠ f, PE'_l and PE'_f are disjoint;
2. Sol(PE'_1) ∪ Sol(PE'_2) ∪ ... ∪ Sol(PE'_m) = Sol(PE_1) ∪ Sol(PE_2) ∪ ... ∪ Sol(PE_n);
3. For every 1 ≤ l ≤ m and 1 ≤ f ≤ n, either PE'_l ⊆ PE_f or PE'_l is disjoint from PE_f.
Conditions 1 and 2 state that the minimal disjoint set consists of mutually disjoint periodic expressions that together cover exactly the time instants of the expressions in PE. Condition 3 ensures that each element of the MDS is either contained in or disjoint from every PE_f.
Figure 1. Temporal relations between a pair of periodic expressions
Definition 5: Minimum Subset (MS) of a PE with respect to the MDS
Let MDS_PE = {PE'_1, PE'_2, ..., PE'_m} be the MDS over PE = {PE_1, PE_2, ..., PE_n}. The minimum subset of a periodic expression PE_a ∈ PE over MDS_PE is
MS_{PE_a}(MDS_PE) = {PE'_π1, PE'_π2, ..., PE'_πk} ⊆ MDS_PE, with 1 ≤ k ≤ m,
such that:
• k is the smallest number of elements of MDS_PE for which the next condition holds, with π_l ∈ {1, 2, ..., m} for l = 1, ..., k;
• for each time instant t ∈ Sol(PE_a) there exists exactly one β ∈ {π1, π2, ..., πk} such that t ∈ Sol(PE'_β).
Hence the minimum subset (MS) of PE_a is the subset of MDS_PE that covers exactly the time instants of PE_a.
Having defined the MS, we state the formal properties of the computation of the MDS and the MS. Since a periodicity expression denotes a set of time instants, these properties follow directly from set operations. The algorithm for generating MDS_PE is given in Algorithm 3 and Algorithm 4.
Algorithm MDS_Pairing computes the MDS for a pair of periodic expressions: if the two expressions are equivalent, the generated MDS contains only one periodic expression; if they are disjoint, it contains both; if one contains the other, it contains the smaller expression and the difference; if they overlap, it contains their intersection and the two differences.
Theorem 2: Generation of the MDS by the Calc_MDS algorithm
For any given set of PEs {PE_1, PE_2, ..., PE_n} there always exists a set of periodic expressions PE'_1, PE'_2, ..., PE'_m such that
• MDS_PE = {PE'_1, PE'_2, ..., PE'_m}.
Algorithm Calc_MDS (Algorithm 4) takes the periodic expressions as input and returns MDS_PE.
Once the MDS is available, an algorithm generates an a-equivalent configuration of the DEERBAC model by eliminating the temporal constraints on per-user role assignments, using the MS and the MDS computed for the periodic expressions. This algorithm, MDS_Convert, is given as Algorithm 5 below; its correctness is stated in Theorem 3.
Theorem 3: Correctness of MDS_Convert.
Given an input configuration Gy_in that has only periodicity constraints on per-user role assignments, algorithm MDS_Convert generates an output configuration Gy_out such that:
• Gy_in ≈ Gy_out, and Gy_out has no temporal constraints on user-role assignments.
4.3 System Complexity and Design Considerations
The complexity of the DEERBAC model has several dimensions, such as an uncontrolled number of roles in the framework; the number of temporal constraints also affects the system characteristics. Here we concentrate on performance and complexity. In DEERBAC, user membership must be checked to decide whether a specific user has been assigned a given role, so temporal assignments add some complexity compared with the existing RBAC mechanism. We implement the system without introducing many additional constraints, in particular temporal ones: instead of merely verifying membership, the system verifies the temporal validity of the membership under consideration. To simplify the treatment, a base hierarchy of DEERBAC models with the same expressive power is built on the minimality results obtained earlier, and the performance of the models is explored at the higher levels of that hierarchy.
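The membership check described above, as an added example that is not code from the paper's C# system: a request is granted only if the user-role assignment is still temporally valid (a duration constraint that expires) and the role is enabled at the request time (a periodicity constraint on role enabling), with an activation hierarchy so that a senior assignment lets the user activate a junior role. The hour-based time model, the role and user names, and the policy layout are assumptions made for the example.

```python
"""Temporal membership check for an expiration-enabled RBAC policy.

Added example, not the paper's implementation. Time is an integer hour
count starting at Monday 00:00; a periodic expression is the set of
hour-of-week slots (0..167) in which it holds, inside an absolute
validity window [valid_from, valid_until).
"""
from dataclasses import dataclass, field

HOURS_PER_WEEK = 168


@dataclass(frozen=True)
class PeriodicExpression:
    instants: frozenset               # hour-of-week slots where the expression holds
    valid_from: int = 0
    valid_until: float = float("inf")

    def holds_at(self, t: int) -> bool:
        return self.valid_from <= t < self.valid_until and (t % HOURS_PER_WEEK) in self.instants


def weekly(days, start_hour, end_hour):
    """Slots for the given weekdays (0 = Monday) between start_hour and end_hour."""
    return frozenset(d * 24 + h for d in days for h in range(start_hour, end_hour))


@dataclass
class Policy:
    enabling: dict                                   # role -> PeriodicExpression (role-enabling constraint)
    assignments: dict                                # (user, role) -> expiry hour (duration constraint)
    hierarchy: dict = field(default_factory=dict)    # role -> set of junior roles (activation hierarchy)

    def assign(self, user, role, t_now, duration):
        """Assign user to role for `duration` hours from t_now (the Asg event with a duration)."""
        self.assignments[(user, role)] = t_now + duration

    def roles_reachable(self, role):
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.hierarchy.get(r, ()))
        return seen

    def can_activate(self, user, role, t):
        """True iff `role` is enabled at t and the user holds an unexpired assignment
        to `role` or to a role senior to it in the activation hierarchy."""
        enabling = self.enabling.get(role)
        if enabling is None or not enabling.holds_at(t):
            return False
        return any(u == user and t < expiry and role in self.roles_reachable(r)
                   for (u, r), expiry in self.assignments.items())

    def expire(self, t):
        """Deassign (the DAsg event) every assignment whose duration has elapsed at t."""
        expired = [k for k, expiry in self.assignments.items() if t >= expiry]
        for k in expired:
            del self.assignments[k]
        return expired


def demo():
    """Constructed sample policy (assumed names, not from the paper)."""
    policy = Policy(
        enabling={"DBA": PeriodicExpression(weekly(range(0, 5), 9, 18)),     # Mon-Fri 09:00-18:00
                  "Auditor": PeriodicExpression(weekly(range(0, 7), 0, 24))},  # always enabled
        assignments={},
        hierarchy={"DBA": {"Auditor"}},                                        # DBA senior to Auditor
    )
    policy.assign("alice", "DBA", t_now=0, duration=40)   # valid until Tuesday 16:00
    results = {
        "mon_10": policy.can_activate("alice", "DBA", 10),         # enabled and assigned
        "mon_20": policy.can_activate("alice", "DBA", 20),         # role not enabled at 20:00
        "tue_10": policy.can_activate("alice", "DBA", 34),
        "auditor_tue_10": policy.can_activate("alice", "Auditor", 34),  # via activation hierarchy
        "wed_10": policy.can_activate("alice", "DBA", 58),         # assignment expired at hour 40
    }
    results["expired"] = policy.expire(58)
    results["after_expiry"] = policy.can_activate("alice", "Auditor", 58)
    return results
```

The check deliberately tests role enabling and assignment validity separately, which is the split the model relies on: the enabling constraint is a property of the role and is shared by every assignee, while the expiry is a property of the single user-role assignment.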
The notation used for the complexity parameters is introduced first, and the complexity of the policy specifications is then analyzed. Following the minimality results of the previous section, the proposed DEERBAC system model includes the following dominant temporal constraints:
• constraints on per-user role enabling or activation;
• periodicity and duration constraints;
• role activation/deactivation constraints;
• event dependencies (G_tR), expressed as P_1, ..., P_n, H_1, ..., H_m → r: P after ∆t.
Algorithm MDS_Pairing
Input: PE_1, PE_2
Output: MDS of {PE_1, PE_2}
1. IF (PE_1 = PE_2) THEN RETURN {PE_1};                       // equivalent
2. IF (PE_1 and PE_2 are disjoint) THEN RETURN {PE_1, PE_2};  // disjoint
3. IF (PE_1 ⊂ PE_2) THEN
4.   PE_α = PE_1;
5.   PE_β = PE_2 − PE_α;
6.   RETURN {PE_α, PE_β};
7. IF (PE_2 ⊆ PE_1) THEN
8.   PE_α = PE_2;
9.   PE_β = PE_1 − PE_α;
10.  RETURN {PE_α, PE_β};
11. IF (PE_1 ⊗ PE_2) THEN                                     // overlapping
12.  PE_α = PE_1 ∩ PE_2;
13.  PE_β = PE_2 − PE_α;
14.  PE_γ = PE_1 − PE_α;
15.  RETURN {PE_α, PE_β, PE_γ};
16. END
Algorithm 3: Algorithm for MDS pairing
Algorithm Calc_MDS
Input: PE_1, PE_2, ..., PE_n
Output: MDS of {PE_1, PE_2, ..., PE_n}
1. Let PE = {PE_1, PE_2, ..., PE_n};
2. S = ∅; MDS = ∅;
3. IF |PE| = 1 THEN RETURN PE;
4. IF |PE| = 2 THEN RETURN MDS_Pairing(PE_1, PE_2);
5. IF |PE| > 2 THEN
6.   MDS = Calc_MDS(PE_1, PE_2, ..., PE_{n−1});
7.   Let the computed MDS be (PE'_1, PE'_2, ..., PE'_m);
8.   FOR l = 1 to m DO
9.     PairMDS = MDS_Pairing(PE'_l, PE_n);
10.    IF |PairMDS| = 1 THEN RETURN MDS;                       // PE_n is already an element of the MDS
11.    IF |PairMDS| = 2 THEN
12.      Let PairMDS be (PE'_α, PE'_β);
13.      S = S ∪ {PE'_α};                                      // PE'_α = PE'_l when PE'_l and PE_n are disjoint or PE'_l ⊂ PE_n
14.      IF (PE_n ⊂ PE'_l) THEN S = S ∪ {PE'_β};               // PE'_l is split into PE_n and PE'_l − PE_n; both parts are kept
15.    ELSE IF |PairMDS| = 3 THEN
16.      Let PairMDS be (PE'_α, PE'_β, PE'_γ);
17.      S = S ∪ {PE'_α, PE'_γ};                               // the two parts of PE'_l: inside and outside PE_n
18.  ENDFOR
19.  Let S be (PE''_1, PE''_2, ..., PE''_k);
20.  PE''_{k+1} = PE_n − (PE''_1 ∪ PE''_2 ∪ ... ∪ PE''_k);
21.  IF (PE''_{k+1} ≠ ∅) THEN
22.    MDS = (PE''_1, PE''_2, ..., PE''_k, PE''_{k+1});
23.  ELSE
24.    MDS = (PE''_1, PE''_2, ..., PE''_k);
25.  RETURN MDS;
26. END
Algorithm 4: Algorithm for MDS calculation
Algorithm MDS_Convert
Input: Gy_in
Output: Gy_out
1. Gy_out = Gy_in, i.e., {T', Users', Roles', Permissions', RH'} = {T, Users, Roles, Permissions, RH};
2. FOR EACH R ∈ Roles DO
3.   Let PE = {PE_1, PE_2, ..., PE_n} and U = {e_1, e_2, ..., e_n} be such that (PE_l, r: Asg e_l to R) ∈ T';
4.   Compute the MDS of PE; let the computed MDS be {PE'_1, PE'_2, ..., PE'_m};
5.   FOR l = 1 to n DO
6.     Compute MS_{PE_l}(MDS);
7.   ENDFOR
8.   FOR EACH PE'_j ∈ MDS DO
9.     Create a unique role R'_j;
10.    FOR ALL e_l ∈ U such that PE'_j ∈ MS_{PE_l}(MDS) DO
11.      Add the default assignment (r: Asg e_l to R'_j) to T';
12.      Remove the constraint (PE_l, r: Asg e_l to R) from T';
13.    ENDFOR
14.    Add the constraint (PE'_j, r: En R'_j) to T';
15.    Roles' = Roles' ∪ {R'_j};
16.    RH' = RH' ∪ {R'_j ≽_u R};   // strongly restricted A-hierarchy
17.  ENDFOR
18. ENDFOR
Algorithm 5: Algorithm for MDS conversion
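Algorithms 3 to 5 and the a-equivalence claim of Theorem 3, as an added example that is not the paper's code: periodic expressions are modelled as frozensets of hour-of-week slots, so the relations of Definition 3 are ordinary set relations; `calc_mds` keeps both parts of an existing MDS element when PE_n lies strictly inside it (the case Algorithm 4 needs in step 14); `mds_convert` builds the new roles, default assignments, enabling constraints and activation hierarchy; and `a_equivalent` compares "who can activate R at instant t" before and after the conversion over a full week. The configuration layout, the role names R_1, R_2, ... and the users e1..e4 with their schedules are constructed for the example.

```python
"""MDS, MS and MDS_Convert over periodic expressions given as sets of instants.

Added example, not code from the paper. A periodic expression (PE) is a
frozenset of integer hour-of-week slots 0..167. Configurations are plain
dictionaries; all names and schedules below are constructed.
"""


def mds_pairing(pe1, pe2):
    """Algorithm 3: MDS of a pair of periodic expressions."""
    if pe1 == pe2:
        return [pe1]                              # equivalent: one expression
    if pe1.isdisjoint(pe2):
        return [pe1, pe2]                         # disjoint: both expressions
    if pe1 < pe2:
        return [pe1, pe2 - pe1]                   # pe1 contained in pe2
    if pe2 < pe1:
        return [pe2, pe1 - pe2]                   # pe2 contained in pe1
    common = pe1 & pe2                            # overlapping: three pieces
    return [common, pe2 - common, pe1 - common]


def calc_mds(pes):
    """Algorithm 4: MDS of PE_1..PE_n from the MDS of PE_1..PE_n-1.
    Every old piece is split against PE_n and only the parts lying inside
    the old piece are kept; what remains of PE_n becomes one more piece."""
    pes = [pe for pe in pes if pe]
    if len(pes) <= 1:
        return list(pes)
    if len(pes) == 2:
        return mds_pairing(pes[0], pes[1])
    prev, last = calc_mds(pes[:-1]), pes[-1]
    pieces = []
    for piece in prev:
        pair = mds_pairing(piece, last)
        if len(pair) == 1:                        # PE_n already is a piece: MDS unchanged
            return prev
        pieces += [p for p in pair if p <= piece]  # keeps both parts when PE_n is inside piece
    rest = last - frozenset().union(*pieces)
    return pieces + ([rest] if rest else [])


def minimum_subset(pe, mds):
    """Definition 5: the MDS pieces that together cover PE exactly once."""
    return [p for p in mds if p <= pe]


def is_valid_mds(pes, mds):
    """Definition 4 conditions 1-3 (minimality itself is not checked here)."""
    pairwise = all(a.isdisjoint(b) for i, a in enumerate(mds) for b in mds[i + 1:])
    same_instants = frozenset().union(*mds) == frozenset().union(*pes)
    nested = all(p <= pe or p.isdisjoint(pe) for p in mds for pe in pes)
    return pairwise and same_instants and nested


def mds_convert(config):
    """Algorithm 5: one new role R_j per MDS piece, enabled during that piece and
    placed above R in the activation hierarchy; users get default assignments
    to the roles of their minimum subset."""
    out = {"roles": set(config["roles"]), "default_assignments": set(),
           "enabling": {}, "hierarchy": set()}
    for role in sorted(config["roles"]):
        per_user = {u: pe for (u, r), pe in config["assign_constraints"].items() if r == role}
        if not per_user:
            continue
        mds = calc_mds(list(per_user.values()))
        for j, piece in enumerate(mds, 1):
            new_role = f"{role}_{j}"                          # assumed naming scheme
            out["roles"].add(new_role)
            out["enabling"][new_role] = piece                 # (PE'_j, r: En R_j)
            out["hierarchy"].add((new_role, role))            # R_j >=_u R
            for user, pe in per_user.items():
                if piece in minimum_subset(pe, mds):
                    out["default_assignments"].add((user, new_role))
    return out


def can_activate_before(config, user, role, t):
    pe = config["assign_constraints"].get((user, role))
    return pe is not None and t in pe


def can_activate_after(config, user, role, t):
    return any(u == user and (r, role) in config["hierarchy"] and t in config["enabling"][r]
               for (u, r) in config["default_assignments"])


def a_equivalent(before, after, horizon=168):
    """Theorem 3: the same users can activate the same roles at every instant."""
    users = {u for (u, _) in before["assign_constraints"]}
    return all(can_activate_before(before, u, r, t) == can_activate_after(after, u, r, t)
               for u in users for r in before["roles"] for t in range(horizon))


def weekly(days, start, end):
    return frozenset(d * 24 + h for d in days for h in range(start, end))


def demo():
    """Constructed configuration: four users of role R with contained, disjoint
    and identical periodic assignment constraints."""
    office = weekly(range(0, 5), 9, 17)                       # Mon-Fri 09:00-17:00
    before = {"roles": {"R"}, "assign_constraints": {
        ("e1", "R"): office,
        ("e2", "R"): weekly(range(0, 3), 9, 12),               # contained in office
        ("e3", "R"): weekly(range(5, 7), 0, 24),               # weekend, disjoint from office
        ("e4", "R"): office,                                   # identical to e1
    }}
    pes = list(before["assign_constraints"].values())
    mds = calc_mds(pes)
    after = mds_convert(before)
    return {"n_constraints": len(pes),                         # roles UR_Convert would create
            "mds_size": len(mds),                              # roles MDS_Convert creates (d in Theorem 4)
            "valid_mds": is_valid_mds(pes, mds),
            "default_assignments": len(after["default_assignments"]),  # s in Theorem 4
            "equivalent": a_equivalent(before, after)}
```

On the constructed input the four assignment constraints collapse to three temporally disjoint roles, and the six default assignments are exactly the sum of the minimum-subset sizes, which is the trade-off between roles and default assignments that the complexity analysis later in this section counts.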
Table 2 presents the complexity parameters and their respective notations.
TABLE 2: Complexity parameters and their notations
Complexity parameter                      Notation
Role                                      C
Default (simple) assignment               I
Enabling time constraints on role         K_R
Temporal constraints on assignments       K_u, K
Activation time constraints on roles      B_u, B
Hierarchy                                 H

Table 3: A family of DEERBAC models
Level   Model                  Constraint set
2       DEERBAC^2              T^2 = T^1_a ∪ T^1_b ∪ T^1_c
1       DEERBAC^1_a            T^1_a = T^0 ∪ {G_wRw, G_wR}
1       DEERBAC^1_b            T^1_b = T^0 ∪ {G_Rw, G_R}
1       DEERBAC^1_c            T^1_c = T^0 ∪ {G^x_uR}, one for each kind x of per-user-role activation constraint
0       DEERBAC^0 (minimal)    T^0 = {G^x, G_Rw, G_R, G^x_R, G_tR, G_d}
Figure 2. Family of DEERBAC models
Figure 2 shows the family of DEERBAC models. Level 0 is the minimal DEERBAC^0 model. At level 1 there are three models, each adding one kind of constraint to DEERBAC^0: DEERBAC^1_a has all the minimal constraints plus per-user-role assignment constraints, DEERBAC^1_b has the minimal constraints plus role-permission assignment constraints, and DEERBAC^1_c has the minimal constraints plus per-user-role activation constraints. At level 2, DEERBAC^2 contains all the temporal constraints. The analysis below follows this hierarchy.
4.3.1 Constraints on Role Enabling and Assignments
As discussed earlier, the temporal constraints on role-permission assignments and on role activation can be replaced by temporal constraints on roles, but such a transformation may produce a large number of roles and a complicated access control structure. This section compares several options for expressing constraints on role enabling, assignment and activation. The comparison is based on the complexity of a level-1 representation against that of the corresponding representations in the minimal model for the same set of access permissions.
Algorithm UR_Convert shows that replacing temporal constraints on user-role assignments by temporal constraints on roles proceeds in the same way as replacing temporal constraints on role-permission assignments by temporal constraints on roles in PR_Convert. Periodicity and duration constraints are transformed in the same way, each constraint being replaced by a new role, so the complexity analysis is carried out for periodicity constraints and applies to duration constraints as well; the additional considerations for duration constraints are discussed afterwards. A temporal constraint on a user-role assignment states that the user can activate the role only during the specified time periods, provided the role is enabled. Instead of such an assignment constraint, the same access requirement can be enforced through temporal constraints on role enabling and activation. The rest of this section analyzes the complexity of representing a set of access requirements with the DEERBAC^0 and DEERBAC^1_a models.
Representation in DEERBAC^0
To obtain the DEERBAC^0_1 representation, algorithm UR_Convert is applied with the DEERBAC^1_a representation as input. A new role is created for every periodicity constraint on a user-role assignment and the periodic constraint is placed on the new role: for a constraint (PE_i, r: Asg e_i to R), a role R_i is created together with the new constraint (PE_i, r: En R_i). Alternatively, the DEERBAC^0_2 representation uses the minimal disjoint set through algorithm MDS_Convert. For a set PE of five periodic expressions, for example, the MDS may be
MDS_PE = {PE'''_1, PE'''_2, PE'''_3, PE'''_4}.
A new role is created for each periodic expression of MDS_PE, that is, |MDS_PE| new roles. Each user is then assigned the new roles corresponding to the periodic expressions that form the minimum subset of the user's own periodic expression: if
MS_{PE_1}(MDS_PE) = {PE'''_1, PE'''_2},
the user e_1 is assigned the roles corresponding to PE'''_1 and PE'''_2. The original roles are retained in both transformations, whereas the DEERBAC^1_a representation keeps the original configuration unchanged. The complexity of these alternative representations in the DEERBAC^0 model is given next.
Theorem 4: Complexity of the DEERBAC^0_1 and DEERBAC^0_2 representations.
Let n be the number of users assigned to role R, and let PE = {PE_1, PE_2, ..., PE_n} be the periodic expressions of their user-role assignments. The complexity of the two representations is:
1. DEERBAC^0_1 representation: n·I + n·K_R + n·C + n·B,
2. DEERBAC^0_2 representation: s·I + d·K_R + d·C + s·B,
where
s = |MS_{PE_1}(MDS_PE)| + |MS_{PE_2}(MDS_PE)| + ... + |MS_{PE_n}(MDS_PE)|, and d = |MDS_PE|.
The DEERBAC^1_a representation is the best choice in terms of complexity: it has the minimum number of roles, no hierarchy overhead and no default role assignments, which also makes it the most convenient to administer. The main difference between DEERBAC^0_1 and DEERBAC^0_2 is that DEERBAC^0_2 creates new roles that are temporally disjoint, whereas DEERBAC^0_1 creates one new role per user, each with its own temporal constraint; DEERBAC^1_a instead keeps a single role per user with a temporal assignment constraint.
When all periodic expressions are pairwise disjoint, the DEERBAC^0_2 representation coincides with DEERBAC^0_1. DEERBAC^0_2 is better than DEERBAC^1_a when PE_a = PE_f for all a, f = 1, ..., n and n is large, because processing temporal constraints costs more than processing default assignments; in that case the original role and the single new role can be merged. In the worst case, the DEERBAC^0_2 representation creates O(2^n) new roles, hierarchy relations and temporal constraints on roles, and O(2^n) default assignments. The following design guidelines follow from these observations:
1. The DEERBAC^0_1 representation is not preferable to the DEERBAC^1_a representation, which has fewer hierarchy relations, fewer temporal constraints and fewer roles.
2. Both DEERBAC^1_a and DEERBAC^0_1 may contain common periodic expressions, which leads to redundant temporal constraints.
3. In the cases above, the DEERBAC^0_1 representation places the same periodic constraint on different roles, because UR_Convert cannot reduce the number of constraints on the basis of common periodic expressions. DEERBAC^0_2 is a good solution for this.
4. In DEERBAC^0_2 a small MDS keeps the number of newly created roles small. If all periodic expressions are pairwise disjoint, the two level-0 representations become equivalent.
5. For specifying access requirements, the DEERBAC^1_a representation is the most flexible: it supports temporal constraints on user-role assignments in addition to role-enabling constraints.
6. When both kinds of constraints are used, roles can be kept with fixed enabling times in the system while individual user requirements are expressed with periodic constraints on assignments.
7. The DEERBAC^0_2 representation offers no advantage when there are per-user-role activation constraints. Each user holds several new roles, and preserving a per-user-role constraint in the transformed representation requires extra steps: a hierarchy with strongly restricted activation between the new roles and the original role, which is what the MDS conversion by MDS_Convert builds in the DEERBAC module. If the per-user-role constraint is left unaltered it remains defined on the original role; the new representation is still valid, since users assigned to the new roles have to activate the original role explicitly, but this is less effective than assigning the users to the original role directly. In the presence of per-user-role constraints, the DEERBAC^0_1 and DEERBAC^1_a representations are therefore better than the DEERBAC^0_2 representation.
8. Replacing duration constraints on user-role assignments by duration constraints on role enabling is less flexible than in the periodicity case. A duration constraint on a user-role assignment can be replaced, but care must be taken that its dependency semantics are not lost.
Thus DEERBAC^0_2 has better complexity in some respects, whereas DEERBAC^1_a provides the best representation in terms of semantic clarity, support for a large number of users with efficient role creation and permission assignment, least complexity and convenience.
i. Activation Constraints
This section compares DEERBAC^0 and DEERBAC^0_1 in terms of expressiveness for the same set of constraints. In addition to the constraints of DEERBAC^0, the DEERBAC^1_c model is assumed, for simplicity, to contain only total active duration constraints. The complexity expressions do not include the original role or the per-role constraints associated with it, because these remain the same in every representation. In terms of the number of roles, DEERBAC^1_c gives a better representation than the two level-0 cases. The activation constraints themselves are the same in all cases, and common per-user-role values can be exploited to obtain a better representation than in the two cases presented before. The next theorem gives the complexity of the representations when the common values are used.
Theorem 5: Complexity of the DEERBAC^1_c and DEERBAC^0 representations.
Let n be the number of users assigned to role R, let M = {g_1, g_2, ..., g_n} be the multiset of total active durations, where the i-th user is allowed duration g_i on role R, and let M' = {g'_1, g'_2, ..., g'_m} ⊆ M be the set of distinct elements of M. Let G(g) be the number of times g occurs in M. The complexities of the two representations are:
1. DEERBAC^1_c representation: (m_α − m_β)·AUR + n_β·AR + d·(h·m_β + 1)·(C + B),
2. DEERBAC^0 representation: m_α·AR + m_α·C + m_α·B,
where
• m_α = |M| and m_β = |M'|, with M' ⊆ M such that if g ∈ M' then G(g) > 1;
• h = 1 if m < m_α, h = 0 otherwise;
• d = 1 if m − m_α > 0, d = 0 otherwise;
• AUR and AR denote a per-user-role and a per-role activation constraint, respectively.
Thus the DEERBAC^1_c representation has several advantages over the DEERBAC^0 representation.
Taken together, the modeling and analysis of role assignment and per-user role permission show that the developed DEERBAC system model is a suitable access control solution for a cloud environment with many users holding many roles, without compromising the security of the roles or the users. The results obtained for user creation and role assignment are presented in the next section, together with an analysis of time efficiency and robustness.
V. RESULTS AND ANALYSIS
In this work a dynamic expiration enabled role based access control (DEERBAC) system has been proposed for the cloud computing environment. The system model was developed in C# on the Visual Basic 2010 framework and implemented on the Amazon S3 cloud platform. The system was simulated for performance parameters such as role induction and user creation, and these factors were compared.
Figure 3 and Figure 4 show the comparative graphs of user initialization time and role assignment time for 5 and 50 role assignments per user.
Figure 3. User initialization with 5 role assignments
Figure 4. User initialization with 50 role assignments
Figure 4 shows that user creation time increases with the number of roles, while the creation time per user decreases once the user count exceeds 200. Compared with the previous results, DEERBAC sustains a higher rate of user generation with minimal assignment time.
Figure 5. User initialization with 150 role assignments
Figure 6. User initialization with 250 role assignments
Figures 5 and 6 show that the role assignment time stays low as the number of cloud users increases, even when many users are created. The user count and the role assignment time become uniform after a certain number of roles. These characteristics indicate that the proposed DEERBAC system handles large numbers of role assignments for large numbers of cloud users well. The figures also show that, with the proposed mechanism, user creation is more time consuming than simultaneous role assignment for multiple users, so the approach is suited to efficient role assignment without violating the security requirements.
Figure 7. Role generation time (s) vs. number of roles (10, 50, 150, 250)
Figure 8. Cloud user initialization with 5 roles assigned per user: execution time (s) for user creation and role assignment vs. number of cloud users (10 to 250)
Figure 9. Cloud user initialization with 25 roles assigned per user: execution time (s) for user creation and role assignment vs. number of cloud users (10 to 250)
Figure 10. Cloud user initialization with 150 roles assigned per user: execution time (s) for user creation and role assignment vs. number of cloud users (10 to 250)
Figure 11. Cloud user initialization with 250 roles assigned per user: execution time (s) for user creation and role assignment vs. number of cloud users (10 to 250)
The figures above show that the proposed DEERBAC scheme allows the cloud environment to perform user-role assignments efficiently even with high user and role counts.
VI. CONCLUSIONS
In this paper a system model for the cloud environment, called Dynamic Expiration Enabled Role Based Access Control (DEERBAC), has been developed with attention to minimality, the complexity of constraints, and efficient role activation and assignment with least threat in the cloud. The developed and implemented system offers flexibility in the choice of constraint expressions, and guidelines have been proposed to assist security policy designers in selecting more convenient and less complex constraint expressions. The implemented system performs well for a high number of roles per user with low execution time. A further contribution of this work is the treatment of the security issues of role assignment, user creation and user-role assignment in a competitive cloud environment.