Framework for Role-based Delegation Models
Authors
Abstract
FRAMEWORK FOR ROLE-BASED DELEGATION MODELS
Ezedin S. Barka, Ph.D.
George Mason University, 2002
Dissertation Director: Dr. Ravi S. Sandhu

The basic idea behind delegation is that some active entity in a system delegates authority to another active entity in order to carry out some functions on behalf of the former. Delegation can take many forms: human to human, human to machine, machine to machine, and perhaps even machine to human. In this dissertation, I focus on the human to human form of delegation. Specifically, I consider the ability of a user who is a member of a role to delegate his or her role to another user who belongs to some other role. For example, a professor in a university who is also a member in an advising committee role can delegate his/her membership in the advising committee role to another professor who belongs to another committee role. This delegation can take the form of being either permanent or temporary delegation. Moreover, the same professor can delegate only part of his/her professor role (i.e. instructor) to his/her assistant. This delegation can be only temporary.

In this dissertation, I present a comprehensive approach to role-based delegation. More specifically, I identify the characteristics related to delegation, which can be used to develop delegation models; I use a systematic approach to reduce a large number of possible cases to smaller sensible ones; and I formally define and derive some delegation models using roles based on those cases.

The thesis of this research is as follows: It is possible, by adding a can-delegate relation to the RBAC model in conjunction with constraints, to produce a framework for role-based delegation models. The research approach used to produce a framework for role-based delegation models is an exploratory approach. In this dissertation, the scope of my work is to address user-to-user delegation based on RBAC96. I use the RBAC96 family of models as the base for my research.
I first consider temporary delegation within the framework of RBAC96-Flat-Roles (or RBAC0). Then I evolve the model to address other variations of delegation that include delegation based on role hierarchies, permanent delegation, partial delegation, delegation based on the administrator of the actual delegation, and so forth. I also address some issues that deal with revocation. In particular, I consider cascading revocation and grant-independent revocation. I chose this approach in order to work out a simple but useful model in complete detail and then to extend this model gradually to introduce other aspects to add functionality in an incremental manner. This dissertation shows that by adding a can-delegate relation to the RBAC model in conjunction with constraints, it is possible to produce a framework for role-based delegation models.
Similar resources
A Delegation Framework for Task-Role Based Access Control in WFMS
Access control is important for protecting information integrity in workflow management system (WfMS). Compared to conventional access control technology such as discretionary, mandatory, and role-based access control models, task-role-based access control (TRBAC) model, an access control model based on both tasks and roles, meets more requirements for modern enterprise environments. However, f...
Privacy Preserving Dynamic Access Control Model with Access Delegation for eHealth
eHealth is the concept of using the stored digital data to achieve clinical, educational, and administrative goals and meet the needs of patients, experts, and medical care providers. Expansion of the utilization of information technology and in particular, the Internet of Things (IoT) in eHealth, raises various challenges, where the most important one is security and access control. In this re...
RB-GDM: A Role-Based Grid Delegation Model
Grid delegation is the procedure by which a valid user endows another user or a program or service with the ability to act on that user’s behalf. Delegation is the primary form of authorization in grids. The large and geographically distributed, dynamic, heterogeneous and scalable grid environment poses unique delegation requirements. Presently there are no standard mechanisms to guide grid del...
Role Delegation for a Distributed, Unified RBAC/MAC*
The day-to-day operations of corporations and government agencies rely on inter-operating legacy, COTs, databases, clients, servers, etc., which are brought together into a distributed environment running middleware (e.g., CORBA, JINI, DCOM, etc.). Both access control and security assurance within these distributed applications is paramount. Of particular concern is the delegation of authority, ...
Ontology-Based Delegation of Access Control: An Enhancement to the XACML Delegation Profile
Delegation of access control (i.e. transferring access rights on a resource to another tenant) is crucial to efficiently decentralize the access control management in large and dynamic scenarios. Most of the delegation methods available in the literature are based on the RBAC or ABAC models. However, their applicability can be hampered by: i) the effort required to manage and enforce multiple r...
Publication date: 2000