A formal graph based framework for supporting authorization delegations and conflict resolutions

Chun Ruan, Vijay Varadharajan

Research output: Contribution to journal › Article

Abstract

Authorization delegations and negations are two important features of a flexible access control model. When a system allows both authorization delegation and negation, conflict problems can become crucial since multiple administrators greatly increase the chance of conflicts. However, the problem of handling conflicts in authorization delegations has not been explored by researchers. The existing conflict resolution methods seem limited for certain applications, and cyclic authorizations can even lead to undesirable situations. This paper presents an authorization framework that can support authorization delegation for both positive and negative authorizations. A conflict resolution method based on the underlying grant-connectivity relation is proposed, which gives higher priorities to the predecessors to achieve controlled delegation. For conflicts where grantors are not grant-connected, our model supports multiple resolution policies so that users can select the specific one that best suits their requirements. In addition, cyclic authorizations are avoided and cascade overriding is supported when an administrative privilege is overridden. We give a formal description of our model and describe in detail the algorithms to implement the model. Our model is represented using labeled digraphs that provide a formal basis for proving the semantic correctness of our model.
Original language: English
Number of pages: 12
Journal: International Journal of Information Security
Publication status: Published - 2003

Keywords

  • access control
  • computer networks
  • computers
  • conflict management
  • problem solving
  • security measures
