
Monday 7 January 2019

The lineage of Data Objects with transformations on CIA (C: Confidentiality, I: Integrity, A: Availability)

The above figure shows the basic transformations applied to the data objects from their origin to their current state. The same is arguably in line with the CIA security fundamentals. Vi, Vj and Vn represent the versions of the data objects produced by modifications over time. Ti, Tj and Tn are the transformations corresponding to those versions.

The base concept of visual encryption


The above figure presents the base concept of visual encryption in pictorial form. The elements in the middle of the diagram are the communication entities: switches, hubs and communication links are taken into consideration.

Dynamic Separation of Duties: Provenance Perspective





The above figure explains the components of the PBACC model. They are as follows.
· The Subjects, which are the active users initiating processes with the system.
· The Actions, representing the operations executable on the data objects.
· The Objects, representing all the data pieces which are stored and used in the system.
· The Dependency List, which holds all system-specific data in pair form (Dependency Name, Dependency Path).
· The Contextual Information, which captures the state values related to the main components of the request.
· The Provenance Data, which holds the base user transactions in a graph structure:
  · The Base Provenance Data represents associations among request components.
  · The Attribute Provenance Data represents more detailed information related to Subjects, Actions and Objects.

A Provenance-based Access Control Model for Dynamic Separation of Duties

In the context of financial transactions, Dynamic Separation of Duties (DSOD) plays a key role in assigning jobs to individuals. DSOD is an important concept as far as cyber security is concerned. Because cyber transactions have a lineage, DSOD needs provenance to be incorporated in the process in order to derive the different contexts of data required. Provenance Based Access Control (PBAC) mechanisms were formulated to provide access permissions to individuals, and a base PBAC extending them was also proposed.

Scholars at the Institute for Cyber Security, University of Texas at San Antonio, proposed an enhanced model named PBACC, extending PBAC and base PBAC, to investigate different DSOD policy classes. Separation of Duties (SOD) is one of the most widely used and popular concepts for averting unauthorized system access. With respect to role-based access control mechanisms, the two important forms of SOD are Static SOD (SSOD) and Dynamic SOD (DSOD). SSOD is limited to role assignments and cannot look after dynamic active sessions, which DSOD can. However, DSOD is in turn limited to role activations. These challenges led to newer approaches to SOD, namely Object-based DSOD, Operational-based DSOD and History-based DSOD.

As far as role assignments and role activations are concerned, the DSOD concepts depend on the lineage of the process events. Though the origin and path of the data are available, the exact requirements for capturing and using the data are inconsistent. Provenance data provides the kind of information required to carry out the specified process. Provenance data is therefore used to explore the deeper DSOD policies and address the related issues.
The existing models, PBAC and PBACB, are not completely operational towards DSOD. They are not advantageous in handling all the types of data. They are also limited in addressing the conventional and enhanced characteristics of DSOD. A new model named PBACC was introduced to resolve the aforementioned issues related to provenance data and DSOD.
One of the good traditional approaches that addresses the DSOD issues is the Transaction Control Expression (TCE). It also covers many DSOD characteristics in all variations. TCE assigns every subtask an integer value called a weight, which is later compared with a weight threshold to determine conflicts.
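
The following is an added illustration, not code from the PBACC authors or from this post: a simplified history-based DSOD check built from the components listed earlier (Subjects, Actions, Objects, a Dependency List of name/path pairs, and Provenance Data held as a graph). The edge labels, dependency names, policy table and sample records are all constructed assumptions.

```python
# Added illustration; edge labels, dependency names and records are constructed.
from collections import defaultdict

class ProvenanceStore:
    """Base provenance data: a directed graph of (node, edge label, node) triples."""
    def __init__(self):
        self.edges = defaultdict(set)          # (source, label) -> {targets}

    def record(self, source, label, target):
        self.edges[(source, label)].add(target)

    def follow(self, start, path):
        """Return every node reached from `start` by walking the labels in `path`."""
        frontier = {start}
        for label in path:
            frontier = {t for n in frontier for t in self.edges[(n, label)]}
        return frontier

# Dependency List: (Dependency Name, Dependency Path) pairs (hypothetical names).
DEPENDENCIES = {
    "preparedBy": ["wasGeneratedBy", "wasControlledBy"],
    "originalPreparer": ["wasDerivedFrom", "wasGeneratedBy", "wasControlledBy"],
}

# DSOD policy: an action is denied when the requesting subject is reachable
# from the target object through any of the listed dependencies.
DSOD_POLICY = {"approve": ["preparedBy", "originalPreparer"]}

def authorize(store, subject, action, obj):
    for dep in DSOD_POLICY.get(action, []):
        if subject in store.follow(obj, DEPENDENCIES[dep]):
            return False, f"{subject} conflicts via dependency '{dep}'"
    return True, "no conflicting duty in provenance"

def build_sample_store():
    """Constructed history: alice prepares voucher v1, bob revises it into v2."""
    s = ProvenanceStore()
    s.record("voucher:v1", "wasGeneratedBy", "prepare#1")
    s.record("prepare#1", "wasControlledBy", "alice")
    s.record("voucher:v2", "wasDerivedFrom", "voucher:v1")
    s.record("voucher:v2", "wasGeneratedBy", "revise#1")
    s.record("revise#1", "wasControlledBy", "bob")
    return s

if __name__ == "__main__":
    store = build_sample_store()
    for who in ("alice", "bob", "carol"):
        print(who, authorize(store, who, "approve", "voucher:v2"))
```

The decision depends on the object's lineage rather than on which roles are active in the session: alice is refused on `voucher:v2` even though she never touched that version, because the provenance path leads back to her work on `voucher:v1`.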

 
