British Journal of Applied Science & Technology 8(4): 334-340, 2015, Article no.BJAST.2015.211 ISSN: 2231-0843
SCIENCEDOMAIN international www.sciencedomain.org
Access Control Model for an Electronic Master Plan Maintenance Web-based GIS

O. I. Zhukovsky1, Yu. B. Gritsenko1, P. V. Senchenko1 and M. M. Milikhin1*

1 Department of Data Processing Automation, Tomsk State University of Control Systems and Radioelectronics, 40 Lenina Prospect, Tomsk, Russian Federation.

Authors' contributions
This work was carried out in collaboration between all authors. Author OIZ designed the study and managed the literature searches. Author YBG studied the role-based and mandatory access control models and wrote the corresponding chapters of the manuscript. Author PVS studied discretionary access control models and wrote the corresponding chapter. Author MMM designed the presented implementation of the role-based access control model and wrote the corresponding chapter. All authors read and approved the final manuscript.

Article Information
DOI: 10.9734/BJAST/2015/16844
Editor(s): (1) Xu Jianhua, Department of Geography, East China Normal University, China.
Reviewers: (1) Anonymous, Hungary. (2) Gabriel Badescu, Department of Land and Measurements and Cadastre, Technical University of Cluj-Napoca, Romania.
Complete Peer review History: http://www.sciencedomain.org/review-history.php?iid=1072&id=5&aid=8747

Review Article
Received 16th February 2015; Accepted 28th March 2015; Published 10th April 2015

ABSTRACT
Aims: The article assesses the applicability of the popular access control models to the design of the information security subsystem of an electronic master plan (EMP) web-based geographic information system. An overview of the access control models used in the design and creation of modern information systems is given, together with the main features of an information security subsystem implementation based on each of these models. Conclusion: Using the role-based access control model as the basis of the information security subsystem of an enterprise geographic information system (GIS) simplifies the design and administration of that system. The model suits companies with a complex organizational and staff structure and makes it possible to reproduce the real enterprise structure, with hundreds of employees working simultaneously with different aspects of the master plan. The presented implementation of the role-based access control model allowed the authors to develop a GIS that supports assigning access permissions to groups of users on each kind of master plan object, including map areas, layers and GIS functionality.

*Corresponding author: E-mail: [email protected];
Keywords: Electronic master plan; geographic information system; access control model.

1. INTRODUCTION
The development of modern geographic information systems (GIS) for maintaining enterprise engineering infrastructure is closely tied to the problem of information security. As the main form in which the infrastructure is represented, the electronic master plan (EMP) offers a wide variety of enterprise analysis tools (including spatial analysis and decision analysis tools). This functionality, together with the large number of potential EMP GIS users and the diversity of master plan data [1], makes secure data processing an important task [2]. The key to resolving security problems is to define and implement formal security models at each stage of the system life cycle, and to implement those models as the basis of the GIS data access control subsystem.
Formal security models define the whole architecture of a highly protected GIS and help to develop, certify and analyze an EMP GIS with respect to protection against unauthorized data access. This paper studies access control models as a class of formal security models. Such models provide solutions for the analysis and synthesis of systems that manage access to different GIS resources. We treat access control models as an independent class of security models because access control algorithms are among the most significant parts of an information security system, and their efficiency strongly influences the efficiency of the security system as a whole.

2. STATEMENT OF THE PROBLEM
Despite the fairly high level of theoretical research on formal access control models, their practical implementation runs into significant difficulties arising from the features of the system being developed and of the domain being automated. In this paper we consider the applicability of the most popular access control models to the development of a web-based EMP GIS. The basic formal access control models currently used in information systems are the mandatory (MAC), discretionary (DAC) and role-based (RBAC) models [3-9]. We will use the following commonly used concepts:
1. A system is considered as a collection of interacting entities: subjects and objects. All access control models divide the set of entities that make up the system into subjects and objects, although the definitions of "object" and "subject" vary significantly between models. Data processing security is achieved by managing the access of subjects to objects according to a given set of rules and restrictions (the security policy). Hence the system is considered secure when subjects are unable to violate the security policy.
2. All interactions inside the system are represented by relations of a special type between subjects and objects. The relation type is defined as the set of operations that a subject can perform on an object.
3. All operations are controlled by the interaction monitoring subsystem and are allowed or prohibited according to the security policy.
4. The security policy is the set of rules defining all permitted interactions between subjects and objects; any interaction not permitted by the policy is prohibited.
5. The collection of objects, subjects and relationships between them determines the system state. Any system state is either secure or insecure according to the safety criterion given by the access control model.
6. Each access control model should come with a proof that the system cannot pass from a secure state to an insecure one while the given rules and restrictions are followed.
In the following chapters we consider the possibility of implementing each of the basic access control models in a GIS information security subsystem.
3. ACCESS CONTROL MODELS
3.1 Discretionary Access Control Model
Discretionary models provide discretionary access control based on a given set of access relationships. A classical discretionary model is the Harrison-Ruzzo-Ullman (HRU) model [5,10], which implements arbitrary control of subjects' access to objects and manages the propagation of access rights. The interaction monitoring subsystem in this model is represented by a collection of active subjects (S) that access data, passive objects (O) that contain the protected data, and a set of rights (R) that defines permission for particular actions (such as reading, writing or executing). So that every relation in the system can be modelled, any subject may also be considered an object.
The behaviour of the system is modelled using the concept of state. The space of system states is the Cartesian product of the sets of subjects, objects and access rights. The current state of the system is the triple Q = (S, O, M), consisting of the set of subjects, the set of objects and the access matrix M. The rows of M correspond to the system's subjects and the columns to its objects; because the set of subjects is a subset of the set of objects, M is in general rectangular. Each cell M[s, o] contains the set of access rights of subject s to object o, which is a subset of R. Discretionary models rely on the owner of an object to control access to it: the owner can set the access control mechanism to allow or deny access to the object regardless of any global policy.
The behaviour of the system over time is modelled as transitions between states. Transitions are implemented by changing the matrix M with commands. Each command consists of a list of conditions and a sequence of primitive operations; the sequence is executed only if all of the conditions hold. The original Harrison-Ruzzo-Ullman model has six primitive operations: enter a right r ∈ R into M[s, o]; delete r from M[s, o]; create subject s; destroy subject s; create object o; destroy object o.
The safety criterion of the model is the following: an initial state Q0 = (S0, O0, M0) of a given system is safe with respect to a right r if no applicable command sequence can place r into a cell of M that did not contain r in state Q0. The Harrison-Ruzzo-Ullman model is easy to implement and rather efficient, since it requires no complex algorithms and allows user privileges to be managed down to individual operations on objects. The safety criterion also guarantees that certain information stays unavailable to users who were not initially granted the appropriate authority.
However, the authors of the model showed that in the general case there is no algorithm which, for an arbitrary system with initial state Q0 = (S0, O0, M0) and a generic right r, decides whether the given configuration is safe. Hence the Harrison-Ruzzo-Ullman model cannot guarantee the safety of the system. In addition, all discretionary models are vulnerable to the "Trojan horse" attack, since they control only the access of subjects to objects and not the flow of information between them: a program run by a subject that may read an object can copy its contents into another object that a third party may read. This greatly complicates the use of discretionary models in information security systems intended for Internet/Intranet operation, which is precisely the setting of a web GIS. Another disadvantage of a discretionary access policy is that in an information system with a large number of subjects and objects, such as the GIS of a large industrial enterprise holding data on engineering networks with tens of thousands of individual objects, administration becomes quite a tedious task. Because of these disadvantages we consider discretionary models inappropriate as the basis of a web-based GIS.
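The HRU machinery described above, as an added example that is not part of the paper: a hashable state Q = (S, O, M), the six primitive operations, commands with conditions, a bounded search for a leak of a given right (the safety question), and a check for the read-then-write channel a Trojan horse can use. The subjects alice and bob, the objects plan and scratch, the rights and the two commands grant_read and create_file are constructed for the example.

```python
"""Harrison-Ruzzo-Ullman protection system: states Q = (S, O, M), the six
primitive operations, conditional commands, a bounded search for leaks of a
right r (the safety question) and the information-flow gap DAC leaves open.
Added example; the subjects, objects, rights and commands are constructed."""
from collections import deque
from itertools import product
from typing import NamedTuple


class State(NamedTuple):
    """Hashable snapshot of one configuration; every subject is also an object."""
    S: frozenset
    O: frozenset
    M: tuple            # sorted ((subject, object), frozenset(rights)) items


def make_state(S, O, rights):
    S, O = frozenset(S), frozenset(O) | frozenset(S)
    return State(S, O, tuple(sorted((c, frozenset(rights.get(c, ()))) for c in product(S, O))))


def with_matrix(q, m, S=None, O=None):
    return State(q.S if S is None else S, q.O if O is None else O, tuple(sorted(m.items())))


# The six HRU primitives: each returns the successor state, or None when the
# operation is not applicable (no such cell, name already in use, ...).
def _cell(q, s, o, f):
    m = dict(q.M)
    return with_matrix(q, {**m, (s, o): f(m[(s, o)])}) if (s, o) in m else None

def enter(q, r, s, o):
    return _cell(q, s, o, lambda rs: rs | {r})

def delete(q, r, s, o):
    return _cell(q, s, o, lambda rs: rs - {r})

def create_object(q, o):
    if o in q.O:
        return None
    return with_matrix(q, {**dict(q.M), **{(s, o): frozenset() for s in q.S}}, O=q.O | {o})

def create_subject(q, s):
    q = create_object(q, s)                       # new column first, then the new row
    return q and with_matrix(q, {**dict(q.M), **{(s, o): frozenset() for o in q.O}}, S=q.S | {s})

def destroy_subject(q, s):
    return with_matrix(q, {c: r for c, r in q.M if s not in c}, q.S - {s}, q.O - {s}) if s in q.S else None

def destroy_object(q, o):
    return with_matrix(q, {c: r for c, r in q.M if c[1] != o}, O=q.O - {o}) if o in q.O - q.S else None

PRIMITIVES = {f.__name__: f for f in (enter, delete, create_object, create_subject,
                                      destroy_subject, destroy_object)}


class Command(NamedTuple):
    """conditions: (right, i, j) meaning 'right in M[x_i, x_j]'; body entries are
    ("enter"|"delete", right, i, j) or (other primitive, i); i, j index the actual parameters."""
    name: str
    arity: int
    conditions: tuple
    body: tuple


def run(cmd, q, args):
    m = dict(q.M)
    if any(r not in m.get((args[i], args[j]), ()) for r, i, j in cmd.conditions):
        return None
    for op, *rest in cmd.body:
        q = (PRIMITIVES[op](q, rest[0], args[rest[1]], args[rest[2]])
             if op in ("enter", "delete") else PRIMITIVES[op](q, args[rest[0]]))
        if q is None:
            return None
    return q


def find_leak(q0, right, commands, fresh, max_depth=3):
    """Breadth-first search over command sequences of length <= max_depth; returns the
    first one that enters `right` into a cell of Q0 that lacked it (the unsafety
    condition of Section 3.1), else None. `fresh` is the finite pool of names create_*
    may use. Safety is undecidable in general, so None is not a proof of safety."""
    targets = [c for c, rs in q0.M if right not in rs]
    seen, queue = {q0}, deque([(q0, [])])
    while queue:
        q, path = queue.popleft()
        if len(path) == max_depth:
            continue
        for cmd in commands:
            for args in product(sorted(q.O | set(fresh)), repeat=cmd.arity):
                q1 = run(cmd, q, args)
                if q1 is None or q1 in seen:
                    continue
                step, m1 = path + [(cmd.name, args)], dict(q1.M)
                if any(right in m1.get(c, ()) for c in targets):
                    return step
                seen.add(q1)
                queue.append((q1, step))
    return None


def trojan_channel(q, src, dst):
    """DAC checks each access in isolation: even if `dst` has no right on `src`, a Trojan
    horse run by a subject that may read `src` and write an object `dst` may read copies
    the data across. Returns (carrier, channel) or None."""
    m = dict(q.M)
    for carrier, ch in product(sorted(q.S), sorted(q.O)):
        if ch != src and "read" in m[(carrier, src)] and "write" in m[(carrier, ch)] \
                and "read" in m[(dst, ch)]:
            return carrier, ch
    return None


def example():
    """Constructed sample: alice owns the master plan; bob may only read scratch."""
    q0 = make_state(S={"alice", "bob"}, O={"plan", "scratch"},
                    rights={("alice", "plan"): {"own", "read", "write"},
                            ("alice", "scratch"): {"write"}, ("bob", "scratch"): {"read"}})
    grant_read = Command("grant_read", 3, (("own", 0, 2),), (("enter", "read", 1, 2),))
    create_file = Command("create_file", 2, (),
                          (("create_object", 1), ("enter", "own", 0, 1), ("enter", "read", 0, 1)))
    return q0, [grant_read, create_file]
```

With `q0, cmds = example()`, `find_leak(q0, "read", cmds, fresh=["tmp"])` returns the one-step sequence `grant_read(alice, bob, plan)`: the owner's discretionary grant is enough to leak `read` on the plan to bob, so Q0 is unsafe with respect to that right. `find_leak(q0, "own", cmds, fresh=["tmp"])` finds nothing within the bound, which is all a bounded search can ever say. `trojan_channel(q0, "plan", "bob")` returns `("alice", "scratch")`: every individual access in that channel is authorized by the matrix, yet plan data ends up in bob's hands, which is the flow problem the section attributes to all discretionary models.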
3.2 Mandatory Access Control Model
Mandatory models provide mandatory access control based on a set of rules defined over the security attributes of subjects and objects. Mandatory models usually take the Bell-LaPadula model and the rules of classified document handling as their basis [3,4,7]. The core of such policies is assigning a special label, the security level, to every participant in the processing of protected information and documents. Unlike DAC models, MAC models do not allow subjects to modify the access rights to objects directly. Access control is based on a system-wide policy and is performed according to the security levels of the communicating parties, using two simple rules:
1) An authorized person (subject) may read only documents whose security level is equal to or lower than the subject's own level;
2) An authorized person (subject) may write information only into documents whose security level is equal to or higher than the subject's own level.
Hence, while in discretionary models access control is provided by granting users the authority to carry out specific operations on specific objects, in mandatory models all allowed interactions are defined indirectly by assigning security levels to all entities. Thus two entities with the same security level are indistinguishable from the point of view of the access control model, and there are no restrictions on their interactions.
According to the Bell-LaPadula model [5] the system is considered as a set of subjects S, a set of objects O and the access permissions to read and write documents. Security levels of the system's subjects and objects are specified by the security level function F: S ∪ O → L, which assigns to each subject and object a security level from the set of levels L. A formal proof of safety exists for a system with mandatory access control. However, some difficulties associated with the practical use of mandatory models should be noted. Mandatory models support only two types of access right: permission to read data ("read") and permission to write data ("write"). But information systems offer users more operations, such as creating, deleting or transferring data. Hence a correspondence must be established between the read/write permissions and the operations implemented in a particular system. Defining this correspondence is not a trivial task, because a single operation rarely produces a unidirectional flow of information going strictly from subject to object or vice versa. Therefore all interactions in a system with a mandatory policy are considered at a sufficiently high level of abstraction, at which the implementation details of the particular system do not affect access control. In addition, an EMP web GIS must manage access rights to the system's functionality, which the mandatory model does not explicitly provide. Thus, using mandatory models to control access permissions in a web-based GIS is not usually worthwhile.
The role-based model is based on the Harrison-Ruzzo-Ullman model. However, since it uses a matrix of access permissions for roles and users together with rules that regulate the assignment of roles to users and their activation during sessions, it cannot be classified as either a discretionary or a mandatory model [11].
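The two Bell-LaPadula rules and the level function F of Section 3.2, as an added example that is not from the paper. It also makes the "non-trivial correspondence" concrete by decomposing a few EMP-style operations (view, edit, copy, report) into the read and write flows they imply and authorizing an operation only when every flow satisfies both rules. The four-level set L, the users alice and bob, the documents and the operation semantics are constructed assumptions.

```python
"""Bell-LaPadula mandatory access control with the level function F: S ∪ O → L
of Section 3.2 and the two rules above, plus the mapping of application
operations onto read/write flows that the text calls the non-trivial part.
Added example, not from the paper; levels, entities and operations are constructed."""
from itertools import product

LEVELS = ("public", "internal", "confidential", "secret")   # L, lowest to highest
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}


def dominates(a, b):
    return RANK[a] >= RANK[b]


def can_read(F, s, o):      # rule 1 (simple security): read only at or below own level
    return dominates(F[s], F[o])


def can_write(F, s, o):     # rule 2 (*-property): write only at or above own level
    return dominates(F[o], F[s])


def flows(op, objs):
    """Decompose an EMP operation into the read/write accesses it implies.
    Semantics assumed for this example: view reads; edit reads and writes the same
    object; copy reads objs[0] and writes objs[1]; report reads every source and
    writes the generated report (the last object)."""
    if op == "view":
        return [("read", objs[0])]
    if op == "edit":
        return [("read", objs[0]), ("write", objs[0])]
    if op == "copy":
        return [("read", objs[0]), ("write", objs[1])]
    if op == "report":
        return [("read", o) for o in objs[:-1]] + [("write", objs[-1])]
    raise ValueError(f"unknown operation {op!r}")


def authorize(F, subject, op, objs):
    """Allow the operation only if every implied flow satisfies both rules.
    Returns (allowed, list of violated flows) so a denial can be explained."""
    denied = []
    for kind, o in flows(op, objs):
        ok = can_read(F, subject, o) if kind == "read" else can_write(F, subject, o)
        if not ok:
            denied.append(f"{kind} {o} [{F[o]}] by {subject} [{F[subject]}]")
    return not denied, denied


def no_downward_flow(F, S, O):
    """Exhaustive check over the finite system: whenever some subject may read o1
    and write o2, F[o2] dominates F[o1]. This is what closes the Trojan-horse
    channel (read high, write low) that a discretionary matrix leaves open."""
    return all(dominates(F[o2], F[o1]) for s, o1, o2 in product(S, O, O)
               if can_read(F, s, o1) and can_write(F, s, o2))


# Constructed sample: two users and four master plan documents, each labelled by F.
SUBJECTS = {"alice", "bob"}
OBJECTS = {"plan", "scratch", "survey", "summary"}
F = {"alice": "confidential", "bob": "public",
     "plan": "confidential", "scratch": "public", "survey": "internal", "summary": "secret"}
```

`authorize(F, "alice", "copy", ["plan", "scratch"])` is denied on the write to scratch, which is exactly the copy a Trojan horse would make. `authorize(F, "alice", "edit", ["survey"])` is also denied although alice may read the survey, because rule 2 forbids writing below her level; in practice a subject can edit only objects at its own level, and any object created by a subject must carry at least that subject's level. That consequence is a concrete instance of the difficulty the section describes, and the model has no place at all for a permission such as "may generate reports" that is not attached to a document.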
3.3 Role-based Access Control Model
The classical notion of "subject" in the role-based model is replaced by the concepts of "user" and "role". A user is a person working with the system and performing certain official duties. A role is an active abstract entity associated with a logically related set of privileges that are necessary to perform certain activities. This approach is close to real life, where people perform certain official duties. Therefore the role-based model grants access rights not to a real person but to an abstract role, which represents a participant in a specific automated process: a master plan user in the case of an EMP GIS. Access rights can be granted directly by the system owner or indirectly through roles, as delegated by the system owner. Access rights are managed in two steps: 1) each role is given a collection of permissions, i.e. a set of access rights to the system's objects; 2) roles are assigned to users. The system is considered as the sets of users (U), roles (R) and permissions (P), represented for example as an access rights matrix, together with the set of user sessions in the system (S). The following relations are defined on these sets:
1. PA ⊆ P × R maps permissions to roles; this relation determines the access permissions of each role.
2. UA ⊆ U × R maps users to roles; this relation determines the roles of each user.
Access control rules in RBAC are defined by the following functions:
1. user: S → U. The function determines the user interacting with the system in session S.
2. roles: S → 2^R. The function determines the subset of roles from R that are simultaneously available to the user in the session.
3. permissions: S → 2^P. The function specifies the set of permissions available in the session as the union of the permissions of all roles available in that session.
The following rule is used as the safety criterion: the system is considered safe if a user working in session S may perform an action requiring permissions P only if P ⊆ permissions(S).
A role-based security policy is an essential part of modern access control subsystems in the information systems of companies with a complex organizational and staff structure [12] and a large number of users, each performing particular functions within their duties and therefore holding different rights. The use of RBAC models simplifies the design and administration of information systems that model nontrivial enterprise processes, such as those of an EMP GIS [2]. In addition, RBAC fits well with the service-oriented architecture that serves as the basis of the EMP web GIS [13].

4. IMPLEMENTATION OF THE ROLE-BASED ACCESS CONTROL MODEL IN THE WEB GIS SECURITY SUBSYSTEM
The arguments given above formed the basis for choosing the role-based access control model as the basic model of the EMP web GIS information security subsystem. The RBAC model implies that the system stores the sets of users, roles and system objects, and the privileges of each role. Within the EMP GIS domain the authors propose grouping all master plan GIS objects into several types:
1. Maps. Each object of this kind represents a single master plan map or drawing.
2. Layers. Each map consists of layers. Users with different roles have permission to view and edit some layers and no permission to access others.
3. Functions. Functions give users access to EMP data and to all supported spatial data analysis tools, reports, search tools and the various data presentation views.
4. Map layouts. Each master plan consists of multiple maps. A map layout combines maps with GIS functions such as navigation, scaling and printing, and with EMP functions such as generating and viewing master plan reports.
5. Map areas. Each role can be restricted in its access to certain map areas. Such an area can be bounded by a polygon or by a circle of a given radius.
6. System privileges. System privileges control access to system objects (projects and system modules) and to functionality used by different GIS modules, such as the ability to modify the descriptions of spatial objects. System privileges can therefore impose additional restrictions on EMP functions.
Map layout elements and map areas are treated as master plan objects, since they are components of one particular master plan, while system privileges are treated as software objects and define access permissions that are the same for all master plans. The access control subsystem of the EMP GIS must therefore provide tools to control user permissions for both map layout elements and system privileges. A fragment of the data model of this subsystem is shown in Fig. 1. The implemented data model has several basic entities. User roles are represented by the EMP_role entity. Each role can hold a permission (EMP_permission entity) to use a particular privilege (Privilege entity) on master plan objects (EMP_object entity) or on software objects (GIS_object entity). Every privilege defines access rights to a single selected type of software object (GIS_object_type entity) or master plan object (EMP_object_type entity). Each master plan user (User entity) can have multiple roles (EMP_role entity) in the system, as shown in Fig. 2. Roles can also inherit permissions from one another (Role_relation entity). This role-based model makes it possible to reproduce the real enterprise structure, with hundreds of employees working simultaneously with different aspects of the master plan. The basic tasks that must be implemented in order to control user permissions are creating and modifying users and their system roles, and creating and assigning privileges using the permission model described.
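One way to put the relations PA and UA, the functions user, roles and permissions and the safety criterion of Section 3.3 together with the object types and role inheritance of Section 4 into code, as an added example that is neither the authors' implementation nor the data model of Fig. 1. Permissions are typed by object kind (map, layer, function, area, system), roles inherit transitively, a session activates only some of a user's roles, and a spatial action is confined to the map areas granted to the session's roles. All role names, object names, the "work_in" area privilege and the polygon and circle geometry are constructed assumptions.

```python
"""Core RBAC of Section 3.3 (users, roles, permissions, sessions, the functions
user/roles/permissions and the safety criterion P ⊆ permissions(S)) applied to
the EMP object types of Section 4: maps, layers, functions, map areas and system
privileges, with role inheritance (Role_relation). Added example, not the
authors' implementation; entity names, roles and geometry are constructed."""
from math import hypot
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Permission = Tuple[str, str, str]   # (privilege, object type, object), e.g. ("edit", "layer", "water")
Point = Tuple[float, float]


def point_in_polygon(p: Point, poly: List[Point]) -> bool:
    """Ray casting: a point is inside when a horizontal ray crosses an odd number of edges."""
    (x, y), inside = p, False
    for (x1, y1), (x2, y2) in zip(poly, poly[1:] + poly[:1]):
        if (y1 > y) != (y2 > y) and x < x1 + (y - y1) * (x2 - x1) / (y2 - y1):
            inside = not inside
    return inside


class Rbac:
    def __init__(self):
        self.PA: Dict[str, Set[Permission]] = {}     # PA ⊆ P × R, keyed by role
        self.UA: Dict[str, Set[str]] = {}            # UA ⊆ U × R, keyed by user
        self.parents: Dict[str, Set[str]] = {}       # Role_relation: role -> roles it inherits from
        self.areas: Dict[str, dict] = {}             # map-area objects: a polygon or a circle
        self.sessions: Dict[str, Tuple[str, FrozenSet[str]]] = {}   # S -> (user, activated roles)

    def grant(self, role: str, *perms: Permission): self.PA.setdefault(role, set()).update(perms)
    def assign(self, user: str, *roles: str): self.UA.setdefault(user, set()).update(roles)
    def inherit(self, role: str, parent: str): self.parents.setdefault(role, set()).add(parent)
    def define_polygon(self, name, pts): self.areas[name] = {"polygon": pts}
    def define_circle(self, name, center, radius): self.areas[name] = {"circle": (center, radius)}

    def closure(self, roles) -> FrozenSet[str]:
        """The roles themselves plus everything they inherit from, transitively."""
        out, todo = set(), list(roles)
        while todo:
            r = todo.pop()
            if r not in out:
                out.add(r)
                todo.extend(self.parents.get(r, ()))
        return frozenset(out)

    def open_session(self, sid: str, user: str, activate) -> None:
        """Activate a subset of the user's assigned roles; activating fewer roles
        than one holds is how a user works with least privilege."""
        if not set(activate) <= self.UA.get(user, set()):
            raise PermissionError(f"{user} does not hold all of {sorted(activate)}")
        self.sessions[sid] = (user, frozenset(activate))

    # The three functions of Section 3.3.
    def user(self, sid: str) -> str:
        return self.sessions[sid][0]

    def roles(self, sid: str) -> FrozenSet[str]:
        return self.closure(self.sessions[sid][1])

    def permissions(self, sid: str) -> FrozenSet[Permission]:
        return frozenset(p for r in self.roles(sid) for p in self.PA.get(r, ()))

    def in_area(self, name: str, p: Point) -> bool:
        area = self.areas[name]
        if "circle" in area:
            (cx, cy), radius = area["circle"]
            return hypot(p[0] - cx, p[1] - cy) <= radius
        return point_in_polygon(p, area["polygon"])

    def check(self, sid: str, privilege: str, obj_type: str, obj: str,
              at: Optional[Point] = None) -> bool:
        """Safety criterion: the action is allowed only if its permission lies in
        permissions(S). Assumed for this example: when the session's roles carry any
        ("work_in", "area", ...) permission, a spatial action at point `at` must also
        fall inside one of those areas; roles without area permissions are unrestricted."""
        perms = self.permissions(sid)
        if (privilege, obj_type, obj) not in perms:
            return False
        granted = [o for (_, t, o) in perms if t == "area"]
        if at is not None and granted:
            return any(self.in_area(a, at) for a in granted)
        return True


def build_sample() -> Rbac:
    """Constructed EMP sample: a viewer role, a water-network engineer who inherits it
    and is confined to the northern site, and a dispatcher confined to a depot circle."""
    ac = Rbac()
    ac.define_polygon("north_site", [(0, 0), (10, 0), (10, 10), (0, 10)])
    ac.define_circle("depot", center=(50, 50), radius=5)
    ac.grant("viewer", ("view", "layer", "water"), ("view", "layer", "roads"),
             ("use", "function", "navigation"), ("view", "map", "site_plan"))
    ac.grant("water_engineer", ("edit", "layer", "water"), ("use", "function", "report"),
             ("work_in", "area", "north_site"))
    ac.inherit("water_engineer", "viewer")
    ac.grant("dispatcher", ("use", "system", "modify_object_descriptions"),
             ("work_in", "area", "depot"))
    ac.inherit("dispatcher", "viewer")
    ac.assign("ivanov", "water_engineer", "dispatcher")
    ac.assign("petrov", "viewer")
    ac.open_session("s1", "ivanov", ["water_engineer"])     # dispatcher stays inactive
    ac.open_session("s2", "petrov", ["viewer"])
    return ac
```

In the sample, session s1 may view the roads layer through inheritance from viewer, may edit the water layer at (2, 2) inside north_site but not at (20, 20), and may not use the dispatcher's system privilege because that role was not activated for the session, even though ivanov holds it. The permission tuples deliberately follow the paper's split between master plan objects (maps, layers, areas) and software objects (functions, system privileges), so the same check serves both.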
Fig. 1. Access control subsystem data model fragment
Fig. 2. Modeling users and roles
5. CONCLUSION
The use of the role-based access control model allowed the authors to develop and build an information security subsystem for the EMP web GIS with the following features:
• Management of user permissions to access spatial data and the functionality of the web GIS.
• Role-based access to objects, groups of objects, features and map areas defined by the system administrator.
• Assignment of access permissions to groups of users on elements of the web GIS client graphical user interface, such as map layers, data analysis reports and GIS tools.
• Assignment of access permissions on objects in two modes: assigning access rights on a given object, and assigning access rights to a given role.
Thus each user is treated as a member of a user group, and the system administrator can assign access permissions on objects of any kind and on functions to each group.

COMPETING INTERESTS
Authors have declared that no competing interests exist.

REFERENCES
1. Vishnyakov V, Gritsenko Yu, Zhukovsky O. The data model for the topology relations representation in the engineering networks. Sibcon-2007. 2007; Proceedings 4233283:256-89. DOI:10.1109/sibcon.2007.371304.
2. Gritsenko Yu, Ehlakov Yu, Zhukovsky O. Geoinformation technology monitoring utilities: Monograph. Publishing House of Tusur; 2010. Russian.
3. Zegzhda D. Principles and methods for establishing secure information processing systems: the dissertation of the doctor Tehn. Sciences: 05.13.19. St. Petersburg; 2002. 380 p. rslod, 71:04-5/168-4. Russian.
4. Gaydamakin N. Differentiation of access to information in computer systems. Yekaterinburg: Ural State University. 2003;328. Russian.
5. Ferraiolo DF, Kuhn DR. Introduced formal model for role based access control. 15th National Computer Security Conference. 1992;554-563. Accessed 10 February 2015. Available: http://csrc.nist.gov/groups/sns/rbac/documents/role_based_access_control1992.html
6. ISO/IEC 17799:2000 «Information technology. Information security management». Accessed 10 February 2015. Available: http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?Csnumber=33441
7. LaPadula LJ, Bell DE. Secure computer systems: A mathematical model. MITRE Corporation Technical Report 2547. 1973;2. Accessed 10 February 2015. Available: http://www.albany.edu/acc/courses/ia/classics/belllapadula1.pdf
8. McLean J. Security models. Encyclopedia of Software Engineering; 1994. Accessed 10 September 2012. Available: http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.34.8561
9. McLean J. The specification and modeling of computer security. Computer. 1990;23(1):9-16. Accessed 10 February 2015. Available: http://users.cis.fiu.edu/~nemo/cot6930/mclean90specification.pdf
10. Harrison M, Ruzzo W. Monotonic protection systems. Foundations of Secure Computation. Academic Press. 1978;337-363.
11. Sandhu RS. The typed access matrix model. Proceedings of the IEEE Symposium on Security and Privacy, Oakland, California. 1992;122-136.
12. Ehlakov Yu. Colored Petri nets in modeling socio-economic systems. Publishing House of Tusur. 2013;3(29):83-92. Russian.
13. Zhukovsky O, Rybalov N, Oshchepkov S. Applying service-oriented architecture for the development of geographic information systems. Scientific Technical Statements SPSU. 2009;1:16-21. Russian.
© 2015 Zhukovsky et al.; This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.