IEEE Access (Jan 2019)
A Dynamic Access Control Model Using Authorising Workflow and Task-Role-Based Access Control
Abstract
Access control is fundamental and prerequisite to govern and safeguard information assets within an organisation. Organisations generally use web enabled remote access coupled with applications access distributed on the various networks facing various challenges including increase operation burden, monitoring issues due to the dynamic and complex nature of security policies for access control. The increasingly dynamic nature of collaborations means that in one context a user should have access to sensitive information and not applicable for another context. The current access control models are static and lack of Dynamic Segregation of Duties (SoD), Task instance level of Segregation and decision making in real time. This paper addresses the limitations and supports access management in borderless network environment with dynamic SoD capability at real time access control decision making and policy enforcement. This research makes three contributions: i) Defining an Authorising Workflow Task Role Based Access Control using the existing task and workflow concepts. It integrates the dynamic SoD considering the task instance restriction to ensure overall access governance and accountability. It enhances the existing access control models such as RBAC by dynamically granting users access right and providing Access governance. ii) Extended the OASIS standard of XACML policy language to support the dynamic access control requirements and enforce the access control rules for real time decision making to mitigate risk relating to access control such as escalation of privilege in broken access control and insufficient logging and monitoring iii) The model is implemented using open source Balana policy engine to demonstrate its applicability to a real industrial use case from a financial institution. The results show that, AW-TRBAC is scalable consuming relatively large number of complex request and able to meet the requirements of dynamic access control characteristics.
Keywords