A legal information flow (LIF) scheduler based on role-based access control model

Cited by: 29
Authors
Enokido, Tomoya [1 ]
Barolli, Valbona [2 ]
Takizawa, Makoto [2 ]
Affiliations
[1] Rissho Univ, Fac Business Adm, Shinagawa Ku, Tokyo 1418602, Japan
[2] Tokyo Denki Univ, Dept Syst & Comp Engn, Hiki, Saitama 3500394, Japan
Keywords
Information flow; Role-based access control model; Concurrency control; Security; Transaction;
DOI
10.1016/j.csi.2008.03.013
Chinese Library Classification number
TP3 [Computing technology, computer technology];
Discipline classification code
0812;
Abstract
Information systems have to be consistent and secure in the presence of multiple conflicting transactions. The role-based access control (RBAC) model is widely used to keep information systems consistent and secure. A role shows a job function in an enterprise and is a set of access rights (permissions). Here, a subject s is allowed to issue a method op to an object o only if an access right <o, op> is included in the roles granted to the subject s. A subject is granted one or more roles and issues a transaction to multiple objects. The transaction is assigned some roles of the subject, which is referred to as the purpose. Even if every access request issued by every subject is authorized in the roles, illegal information flow might occur, as in the well-known confinement problem. In this paper, we define a legal information flow (LIF) relation (R_1 <=(1) R_2) among a pair of role families R_1 and R_2 to prevent illegal information flow. Here, an LIF relation R_1 <=(1) R_2 shows that no illegal information flow occurs if a transaction T_1 with a role family R_1 is performed prior to another transaction T_2 with a role family R_2. In addition, it is significant to discuss which transaction is to be performed prior to another transaction if both transactions manipulate the same object in a conflicting way. In this paper, we define a significantly precedent relation R_1 <=(1) R_2 among role families R_1 and R_2 which implies that the role family R_2 is more significant than R_1. Suppose a pair of transactions T_1 and T_2 with role families R_1 and R_2 issue conflicting methods op_1 and op_2, respectively, to an object o. If R_1 <=(s) R_2, op_2 is performed on the object o prior to op_1. The more significant a transaction is, the earlier it is performed.
We discuss a legal information flow (LIF) scheduler to synchronize transactions so as to prevent illegal information flow and to serialize conflicting methods from multiple transactions in terms of the significancy and information flow relation of role families. We evaluate the LIF scheduler in terms of how much illegal information flow can be prevented compared with the other scheduler. © 2008 Published by Elsevier B.V.
Pages: 906 - 912
Number of pages: 7
Related papers
50 in total
  • [31] Delegation in role-based access control
    Jason Crampton
    Hemanth Khambhammettu
    [J]. International Journal of Information Security, 2008, 7 : 123 - 136
  • [32] Practical Role-Based Access Control
    Galante, Victoria
    [J]. INFORMATION SECURITY JOURNAL, 2009, 18 (02): : 64 - 73
  • [33] Generalized Role-Based Access Control
    Moyer, MJ
    Ahamad, M
    [J]. 21ST INTERNATIONAL CONFERENCE ON DISTRIBUTED COMPUTING SYSTEMS, PROCEEDINGS, 2001, : 391 - 398
  • [34] Delegation in role-based access control
    Crampton, Jason
    Khambhammettu, Hemanth
    [J]. INTERNATIONAL JOURNAL OF INFORMATION SECURITY, 2008, 7 (02) : 123 - 136
  • [35] Fuzzy Role-Based Access Control
    Martinez-Garcia, Carles
    Navarro-Arribas, Guillermo
    Borrell, Joan
    [J]. INFORMATION PROCESSING LETTERS, 2011, 111 (10) : 483 - 487
  • [36] Migrating to role-based access control
    Brooks, K
    [J]. FOURTH ACM WORKSHOP ON ROLE-BASED ACCESS CONTROL, PROCEEDINGS, 1999, : 71 - 81
  • [37] Study of Role-based Access Control
    Cao Yonghui
    [J]. EBM 2010: INTERNATIONAL CONFERENCE ON ENGINEERING AND BUSINESS MANAGEMENT, VOLS 1-8, 2010, : 5209 - 5212
  • [38] Delegation in role-based access control
    Crampton, Jason
    Khambhammettu, Hemanth
    [J]. COMPUTER SECURITY - ESORICS 2006, PROCEEDINGS, 2006, 4189 : 174 - +
  • [39] Spatial role-based access control model for wireless networks
    Hansen, F
    Oleshchuk, V
    [J]. 2003 IEEE 58TH VEHICULAR TECHNOLOGY CONFERENCE, VOLS1-5, PROCEEDINGS, 2003, : 2093 - 2097
  • [40] An Extended Role-Based Access Control Model for CSCW Systems
    Chen, Bing
    [J]. MACHINING AND ADVANCED MANUFACTURING TECHNOLOGY X, 2010, 431-432 : 577 - 582