A user-centered, modular authorization service built on an RBAC foundation

Proceedings - IEEE Symposium on Security and Privacy

Volumn 1999-January, Issue , 1999, Pages 57-71

  Zurko, Mary Ellen ^a   Simon, Rich ^a   Sanfilippo, Tom ^b  

^a GNSS Technology for Rail Transportation   (United States)

^b Groove Networks ^*  (United States)

Author keywords

[No Author keywords available]

Indexed keywords

RISK MANAGEMENT;

AUTHORIZATION CONSTRAINTS; AUTHORIZATION LANGUAGES; AUTHORIZATION SERVICES; DISTRIBUTED APPLICATIONS; LEAST PRIVILEGE; LEGACY SERVICES; MODULAR ARCHITECTURES; USABILITY DESIGN;

DESIGN;

EID: 84940100462     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SECPRI.1999.766718     Document Type: Conference Paper

References (52)

1. "Adage System Overview." http://www.memesoft.com/adage/docs/SystemSpec.ps
2. "Adage Software Design Document." http://www.memesoft.com/adage/SWDesignDoc.ps
3. Baldwin, R. W. "Naming and Grouping Privileges to Simplify Security Management in Large Database" Proc. 1990 IEEE Symposium on Security and Privacy, 116-132, May 1990
4. Y. Bai and V. Varadharajan. "A Logic for State Transformations in Authorization Policies." Proc 10th IEEE Computer Security Foundations Workshop, June 1997
5. Bell, D.E., LaPadula, L.J. "Secure Computer Systems: Unified Exposition and Multics Interpretation" MTR-2997 Rev. 1, MITRE Corp., Bedford, MA, March 1976
6. E. Bertino, S. Jajodia and P. Samarati. "Supporting Multiple Access Control Policies in Database Systems." Proc. 1996 IEEE Symposium on Security and Privacy. May 1996
7. W.R. Bevier and W.D. Young. "Principles of Authorization in Adage." http://www.memsoft.com/adage/poa-maribila.ps
8. W.R. Bevier and W.D. Young. "A Constraint Language for Adage" http://www.memesoft.com/adage/al.ps
9. W.R. Bevier and W.D. Young. "Modeling Adage Properties of Authorization in Maribila." http://www.memesoft.com/adage/model-ae.ps
10. H. Beyer and K. Holtzblatt. "Contextual Design: Defining Customer-Centered Systems." Morgan Kaufmann Publishers, Inc. 1998
11. K.J. Biba. "Integrity Considerations for Secure Computer Systems." Air Force Electronic Systems Division, Hanscom AFB, technical report ESD-TR-76-372, 1977
12. M. Blaze, J. Feigenbaum and J. Lacy. "Decentralized Trust Management." Proc. 1996 IEEE Symposium on Security and Privacy, May 1996
13. Brewer, D. F. C., Nash, M. J. "The Chinese Wall Security Policy" Proc. 1989 IEEE Symposium on Security and Privacy, 206-214, May 1989
14. J. Chinitz and S. Sonnenberg. "SnareWorks: A Transparent Security Framework For TCP/IP and Legacy Applications." http://www.isoft.com/snare/snarewp/snarewp1/snarewp1-contents.html, August, 1996
15. L. Constantine. "Essential Modeling: Use Cases for User Interface." Interactions, Vol. II.2, April 1995
16. CORBAServices: Common Object Services Specification. http://www.omg.org/corba/sectrans.htm
17. M. Eisenberg. "Programmable Applications: Interpreter Meets Interface." SIGCHI, Vol. 27, Num. 2, April 1995
18. C.M. Ellison. "SPKI Requirements." http://www.ietf.org/internet-drafts/draft-ietf-spki-cert-req-01.txt
19. W. Emayr, F. Kastner, G. Pernul, S. Preishuber, and A.M. Tjoa, A M. "Access Controls for Federated Database Environments." Proc. Joint IFIP TC 6 and TC 11 Working Conf. on Communications and Multimedia Security, Graz, Austria. 1995. http://www.faw.uni-linz.ac.at/online/papers/95cms/paper.html
20. D. Ferraiolo, J. Cugini, and D.R. Kuhn. "Role-Based Access Control (RBAC): Features and Motivations." Proc. 1995 Computer Security Applications Conference, 241-248, Dec. 1995
21. S. Garfinkel. PGP: Pretty Good Privacy. OReilly and Associates, Inc., 1995
22. S. Garfinkel and G. Spafford. "Practical Unix and Internet Security." OReilly & Assocaits, Inc. 1996
23. L. Giuri. "A New Model for Role-Based Access Control." 11th Annual Computer Security Applications Conference, December 1995
24. V.D. Gligor, S.I. Gavrila, and D. Ferraiolo. "On the Formal Definition of Separation-of-Duty Policies and their Composition." Proc. IEEE Symposium on Security and Privacy, May 1998
25. S.J.Greenwald. "A New Security Policy for Distributed Resource Management and Access Control." Proc. New Security Paradigms Workshop, September 1996
26. Information Assurance Program. http://www.darpa.mil/iso/ia/
27. S. Jajodia, P. Samarati and V.S. Subrahmanian. "A Logical Language for Expressing Authorizations." Proc. 1997 IEEE Symposium on Security and Privacy, May 1997
28. N.D. Jones, "Computability and Complexity." The MIT Press, 1997
29. H.F. Korth and A. Silberschatz. "Database Systems Concepts." McGraw-Hill Inc., 1991
30. B.W. Lampson. "Protection." Operating Systems Review, 8(1):18-24, January 1974
31. J. Linn. "Privacy-Enhanced Electronic Mail: From Architecture to Implementation." Proc. IFIP TC11 Seventh International Conference on Information Security, Brighton, UK, May 1991
32. W.E. Mackay. "Triggers and barriers to customizing software." Proc. CHI 91
33. Nash, M. J., Poland, K. R. "Some Conundrums Concerning Separation of Duty" Proc. 1990 IEEE Symposium on Security and Privacy, 201-207, May 1990
34. J. Nielsen. "Usability Engineering." Academic Press, Inc. 1993
35. D.A. Norman. "The Design of Everyday Things." Doubleday, 1988
36. J.K. Ousterhout, "Tcl and the Tk Tookit." Addison-Wesley, 1994
37. HP Praesidium/Authorization Server White Paper. http://www.hp.com/security/products/authorization-server/papers/whitepaper/
38. R. Rivest and B. Lampson. "SDSI -A Simple Distributed Security Infrastructure." http://theory.lcs.mit.edu/~rivest/sdsi11.html
39. W. Rosenberry, D. Kenney and G. Fisher. "Understanding DCE." OReilly & Associates, Inc, 1992
40. Saltzer, J.H., and Schroeder, M.D. "The Protection of Information in Computer Systems, " Proceedings of IEEE, 63(9), 1278-1308, 1975
41. Sandhu, R. "A Lattice Interpretation of the Chinese Wall Policy" Proc. of the 15th NIST-NCSC National Computer Security Conference, 221-235, October 1992
42. R.S. Sandhu, E.J. Coyne, H.L. Feinstein and C.E. Youman. "Role-Based Access Control Models." IEEE Computer, Vol. 29, Num. 2, February 1996, pages 38-47
43. T. Sanfilippo. "Pledge Home Page." http://www.memesoft.com/pledge/
44. R.T. Simon and M.E. Zurko. "Separation of Duty in Role-Based Environments." Proc. Foundations of Computer Security Workshop, July 1997
45. A. Sundaram. "An Introduction to Intrusion Detection." ACM Crossroads, Vol. 2, No. 4, April 1996. http://www.acm.org/crossroads/xrds2-4/intrus.html
46. Software Engineering Institute. Carnegie-Mellon University. "Software Technology Review: Statistical-Based Intrusion Detection." http://www.sei.cmu.edu/technology/str/descriptions/sbid.html
47. R.K. Thomas and R.S. Sandhu. "Conceptual Foundations for a Model of Task-based Authorizations." Proc. Computer Security Foundations Workshop VIII, June 1994
48. D. Thomsen, R. O'Brien, J. Bogle. "Role Based Access Control Framework for Network Enterprises, " Proceedings of the 14th Annual Computer Security Applications Conference, December 1998
49. M.E. Zurko and R.T. Simon. "User Centered Security." Proc. New Security Paradigms Workshop, September 1996
50. M.E. Zurko. "Adage Usability Test Plan." http://www.memesoft.com/adage/ut-plan.ps
51. M.E. Zurko. "Adage Usability Testing Results: Contextual Interviews." http://www.memesoft.com/adage/contextover. ps
52. M.E. Zurko. "Adage Usability Testing Results: Formal Testing Affinity Mapping and Questionnaire." http://www.memesoft.com/adage/affinity.ps