Using fuzzy logic for adaptive role based access control for database security

Publisher

University of Peradeniya, Sri Lanka

Abstract

One focus of access control is protecting sensitive resources in a system's database by determining whether or not a user is authorized to access those resources. The set of resources is usually static, and an access control policy associated with each resource specifies who is authorized to access it. Recently, Role-Based Access Control (RBAC) has been found to be among the most attractive solutions for providing access control for database security. The possibility of applying the RBAC approach to an environment with multiple policy domains further justifies the tremendous momentum seen in RBAC research in recent years. The main objective of this research is to present a new RBAC model that provides an additional level of security checks by extending an existing RBAC model using fuzzy logic concepts. The proposed model allows vague organizational security policies to be modeled using fuzzy parameters. Also, in contrast to the current notion of RBAC, it provides both static and dynamic permission assignment. Every user request to perform an operation on the database resources is validated through a Fuzzy Policy Evaluator. The Fuzzy Policy Evaluator determines whether a request to perform an operation on the database should be granted based on information such as the sensitivity level of the data affected by the request, the type of request being made, and the need of the user making the request to read or write those resources. Usually, such information is very difficult to determine precisely, since it depends on other attributes that are themselves imprecise or only partially known, which calls for a fuzzy approach. The report presents an algorithm for generating such fuzzy information from the attributes it depends on. The method is based on fuzzy linguistic variables and some straightforward fuzzy decision-making.

Citation

Peradeniya University Research Session (PURSE) -2005, University of Peradeniya, P. 126
