Context-aware role-based access control system and control method thereof

US 8,387,117 B2
Filed: 02/16/2009
Issued: 02/26/2013
Est. Priority Date: 10/22/2008
Status: Active Grant

First Claim

Patent Images

1. A context-aware role-based access control system comprising:

a processor and a memory storing a software, that when executed by the processor performs;

a context-aware user assignment manager (CAUAM) for performing a role assignment function, a role delegation function, or a role revocation function for a user according to a context of the user without intervention from a security manager, based on a preset context request condition including at least one context description connecting a plurality of contexts with the user;

a context-aware permission assignment manager (CAPAM) for performing a permission modification, a permission restoration, and a personalized permission modification for a permission, which the role has, according to changes in the context of the user;

an information repository for storing a user profile and context information;

an access control manager (ACM) for controlling the context-aware user assignment manager, the context-aware permission assignment manager, and the information repository, and processing an access control request; and

a personalized permission modification component (PPMC) for modifying the permission, which the role assigned to the user has, into a permission preferred by the user among permissions for performing an equal operation, by making reference to a user profile.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A context-aware role-based access control system and a control method thereof. The context-aware role-based access control system includes: a context-aware user assignment manager (CAUAM) for performing a role assignment function, a role delegation function, or a role revocation function for a user according to a context of the user, based on a preset context request condition; a context-aware permission assignment manager (CAPAM) for performing a permission modification, a permission restoration, and a personalized permission modification for a permission, which the role has, according to changes in the context of the user; an information repository for storing a user profile and context information; and an access control manager (ACM) for controlling the context-aware user assignment manager, the context-aware permission assignment manager, and the information repository, and processing an access control request. Accordingly, more efficient access control can be achieved in ubiquitous environments where the context of the user dynamically changes.

76 Citations

View as Search Results

16 Claims

1. A context-aware role-based access control system comprising:
- a processor and a memory storing a software, that when executed by the processor performs;
  
  a context-aware user assignment manager (CAUAM) for performing a role assignment function, a role delegation function, or a role revocation function for a user according to a context of the user without intervention from a security manager, based on a preset context request condition including at least one context description connecting a plurality of contexts with the user;
  
  a context-aware permission assignment manager (CAPAM) for performing a permission modification, a permission restoration, and a personalized permission modification for a permission, which the role has, according to changes in the context of the user;
  
  an information repository for storing a user profile and context information;
  
  an access control manager (ACM) for controlling the context-aware user assignment manager, the context-aware permission assignment manager, and the information repository, and processing an access control request; and
  
  a personalized permission modification component (PPMC) for modifying the permission, which the role assigned to the user has, into a permission preferred by the user among permissions for performing an equal operation, by making reference to a user profile.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 16)
- - 2. The system as claimed in claim 1, wherein the context-aware user assignment manager comprises:
    - an adaptive assignment component (AAC) for assigning the user a role based on a first context request condition, which is preset to grant the user a role according to information on a location and a state of the user;
      
      an adaptive delegation component (ADC) for delegating the role of the user to a different user based on a second context request condition, which is preset for a context in which the role of the user is to be delegated to the different user; and
      
      an adaptive revocation component (ARC) for determining if the assigned or delegated role coincides with the preset context request condition, and revoking the assigned or delegated role when the assigned or delegated role does not coincide with the preset context request condition.
  - 3. The system as claimed in claim 2, wherein the first context request condition is established with the context request conditions, according to a role assignment table (RAT) which is defined in the form of role assignment elements (RAEs).
  - 4. The system as claimed in claim 2, wherein the second context request condition is established with the context request conditions, according to a role delegation table (RDT) in which the context request conditions are defined in the form of role delegation elements (RDEs).
  - 5. The system as claimed in claim 3, wherein the adaptive revocation component checks if the role assignment table and the role delegation table coincides with the first and second context request condition, and revokes a user assignment element from a user assignment table (UAT) when the role assignment table and the role delegation table does not coincide with the first and second context request condition, thereby revoking the assigned or delegated role.
  - 6. The system as claimed in claim 1, wherein the permission assignment manager comprises:
    - an adaptive permission modification component (APMC) for modifying an operation of a permission, which a role granted by the context-aware user assignment manager has, based on a third context request condition preset according to contexts requiring modification; and
      
      an adaptive permission restoration component (APRC) for checking if the modified permission coincides with the third context request condition, and restoring the operation of the modified permission to an original state when the modified permission does not coincide with the third context request condition.
  - 7. The system as claimed in claim 6, wherein the third context request condition is established with the context request conditions, according to a permission management table (PMT) which is defined in the form of permission management elements (PMEs) for contexts requiring modification.
  - 8. The system as claimed in claim 6, wherein when the modified permission does not coincide with the third context request condition, the adaptive permission restoration component reads the pre-modification permission from a permission queue, and updates the permission assignment table (PAT), thereby restoring the operation of the permission to an original state.
  - 9. The system as claimed in claim 6, wherein the personalized permission modification component (PPMC) updates a permission assignment table with a permission highly preferred by the user, among permissions for performing an equal operation, by making reference to the user profile, thereby modifying the permission into a personalized permission.
  - 10. The system as claimed in claim 1, wherein the information repository comprises:
    - a user profile repository (UPR) for storing a state history of the user, and preference information of the user; and
      
      a context information repository (CIR) for storing the context information acquired from a ubiquitous environment.
  - 11. The system as claimed in claim 1, wherein the access control manager transmits the context information, which is updated, to the information repository.
  - 16. The system as claimed in claim 4, wherein the adaptive revocation component checks if the role assignment table and the role delegation table coincides with the first and second context request condition, and revokes a user assignment element from a user assignment table (UAT) when the role assignment table and the role delegation table does not coincide with the first and second context request condition, thereby revoking the assigned or delegated role.

12. A control method of a context-aware user assignment manager (CAUAM) in a context-aware role-based access control system including a processor, the method comprising the steps of:
- assigning, by the processor, a role to a user based on a first context request condition, which is preset to grant the user a role according to at least one context description connecting a plurality of contexts with the user, the plurality of contexts including information on a location and a state of the user;
  
  checking, by the processor, if a second context request condition, which is preset for a context in which the role of the user is to be delegated to a different user, is satisfied;
  
  creating, by the processor, a user assignment element (UAE) which includes delegator information and a delegator'"'"'s role when the second context request condition is satisfied as a result of the check;
  
  updating, by the processor, a user assignment table (UAT) with the created user assignment element, and delegating the role to the different user;
  
  determining, by the processor, if the assigned or delegated role coincides with the preset context request condition;
  
  revoking, by the processor without intervention from a security manager, the assigned or delegated role when the assigned or delegated role does not coincide with the preset context request condition as a result of the determination; and
  
  modifying, by the processor, a permission, which a role assigned to the user has, into a permission preferred by the user among permissions for performing an equal operation, by making reference to a user profile.
- View Dependent Claims (13)
- - 13. The method as claimed in claim 12, wherein the first context request condition is established with the context request conditions, according to a role assignment table (RAT) which is defined in the form of role assignment elements (RAEs);
    - and the second context request condition is established with the context request conditions, according to a role delegation table (RDT) in which the context request conditions are defined in the form of role delegation elements (RDEs).

14. A control method of a context-aware permission assignment manager (CAPAM) in a context-aware role-based access control system including a processor, the method comprising the steps of:
- assigning or delegating, by a context-aware user assignment manager without intervention from a security manager, a role suitable for a context of a user;
  
  checking, by the processor, if an operation of a permission, which the assigned or delegated role has, corresponds to a third context request condition which is preset according to contexts requiring modification, the third context request condition including at least one context description connecting a plurality of contexts with the user;
  
  modifying, by the processor, the operation of the permission according to the third context request condition, when the operation of the permission corresponds to the third context request condition as a result of the check;
  
  determining, by the processor, if the modified permission coincides with the third context request condition;
  
  reading, by the processor, the pre-modification permission from a permission queue (PQ), when the modified permission does not coincide with the third context request condition as a result of the determination;
  
  updating, by the processor, a permission assignment table with the pre-modification permission, and restoring the operation of the permission to an original state; and
  
  modifying, by the processor, a permission, which a role assigned to the user has, into a permission preferred by the user among permissions for performing an equal operation, by making reference to a user profile.
- View Dependent Claims (15)
- - 15. The method as claimed in claim 14, wherein the third context request condition is established with the context request conditions, according to a permission management table (PMT) which is defined in the form of permission management elements (PMEs) for contexts requiring modification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intellectual Discovery Co., Ltd.
Original Assignee
Sungkyunkwan University Foundation For Corporate Collaboration (SungKyunKwan University)
Inventors
Eom, Young-Ik, Choi, Jung-Hwan, Jang, Hyun-Su, Kim, Youn-Woo, Kang, Dong-Hyun, Song, Chang-Hwan
Primary Examiner(s)
Gelagay, Shewaye

Application Number

US12/371,670
Publication Number

US 20100100941A1
Time in Patent Office

1,471 Days
Field of Search

None
US Class Current

726/4
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2137   Time limited access, e.g. t...

Context-aware role-based access control system and control method thereof

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

76 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Context-aware role-based access control system and control method thereof

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

76 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others