50120130405015

International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print),
INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING &
ISSN 0976 - 6375(Online), Volume 4, Issue 5, September - October (2013), © IAEME

TECHNOLOGY (IJCET)

ISSN 0976 – 6367(Print)
ISSN 0976 – 6375(Online)
Volume 4, Issue 5, September – October (2013), pp. 115-137
© IAEME: www.iaeme.com/ijcet.asp
Journal Impact Factor (2013): 6.1302 (Calculated by GISI)
www.jifactor.com

IJCET
©IAEME

DYNAMIC EXPIRATION ENABLED ROLE BASED ACCESS CONTROL
MODEL ሺࡰࡱࡱࡾ࡮࡭࡯ሻ FOR CLOUD COMPUTING ENVIRONMENT
Levina T1, Dr. S C Lingareddy2 and Kashyap Dhruve3
1

2

(Assistant Professor, Alpha College of Engg, Bangalore, India)
(Professor & HOD Dept of CSE, Alpha College of Engg, Bangalore, India)
3
(Technical Director, Planet-i Technologies, Bangalore, India)

ABSTRACT
Cloud computing is one of the most emerging technique for fulfilling service demands in
various forms. The key issue that is considered for its enhancement and optimization is the access
control. In order to fulfill this requirement, here in this paper the author has proposed a robust system
model called, “Dynamic expiration enabled role based access control ሺ‫ܥܣܤܴܧܧܦ‬ሻ system that
facilitates a widespread set of temporal constraints which further provides the fine grained policies
for time-based access control scheme. This paper presents a study of the key issues of expressiveness
and minimality in cloud environment. The presented research work illustrates that even with nonminimalitythe presented model can provide higher flexibility with minimum complexity for
presentation of constraints and efficient role assignments. This makes the proposed system functional
with higher user count and the simultaneous role-permission, even without compromising with the
security issues. The ‫ ܥܣܤܴܧܧܦ‬system is evaluated on the Amazon Cloud, the scalability and
efficient access control mechanism is established proved by the results discussed in this paper.
Keywords: Role based access control system, Cloud computing, Access Control, DEERBAC
I.

INTRODUCTION

Cloud computing is one of the most emerging technologies of present days and a service
infrastructure that facilitates service on demand for calculation, data storage and highly robust
network infrastructures. In this technology, the computation of resources are considered and
provided as the services over the internet. Some other technical societies also states cloud computing
in different definition, like “a technology or system model that functions for providing omnipresent,
expedient, on demand access of defined network to a shared collection of configurable computing
resources and frameworks. In order to accomplish the efficient cloud services over internet it can
115


facilitate a rapid and highly efficient system with minimum resource management activities and least
interaction of service providers.
In cloud computing one of the predominant security issues is the access control of
information and system security. In order to control the various time-sensitive activities numerous
cloud applications like management of workflow and real-time operational databases, the access
control specifications are required to be enhanced with the optimum temporal constraints. The
presented research work has been motivated by the requirement of a highly robust and effective
access control approach that could meet and can alleviatethe security concerns in cloud environment
with raised trust level for numerous cloud based applications and service segments. One of the
predominant and efficient approach for accomplishing cloud security requirements in organization is
ܴ‫ ݈݁݋‬െ ܾܽ‫ ݈݋ݎݐ݊݋ܿ ݏݏ݁ܿܿܽ ݀݁ݏ‬ሺܴ‫ܥܣܤ‬ሻ that fulfills various security requirements [1], [2], [3], [4].
As compared to the existing traditional approaches of discretionary and mandatory access control
ሺ‫ܥܣܯ ݀݊ܽ ܥܣܦ‬ሻ system [5], [2], [6], [7], [8] the ܴ‫ ܥܣܤ‬mechanism can be much fruitful and
effective solution. In case of cloud environment of heterogeneous nature like Internet [9], [11],
ܴ‫ ܥܣܤ‬system framework might be much effective solution for secure interpolation purposes.
On the other hand the time factor plays a vital role for management of time-sensitive
access controls. The user creation with role assignment and its optimization is also a key
aspect of cloud computing which is required to be optimized. Meanwhile, a better example
for time management could be the management of workflow which do encompasses the
critical deadlines for completion of invocations. In order to meet such requirements the
time-based or period oriented techniques are suggested [12] [13], [14], [15]. On the other hand in
order to manage the roles and the user permission a highly effective and efficient system
is required that could manage the users with their respective roles assignment and cloud security.
In order to achieve these all expectations here in this paper we have proposed
a ‫ ݈݁݀݋ܯ ݈݋ݎݐ݊݋ܿ ݏݏ݁ܿܿܣ ݀݁ݏܾܽ ݈݁݋ݎ ݈ܾ݀݁ܽ݊݁ ݊݋݅ݐܽݎ݅݌ݔ݁ ܿ݅݉ܽ݊ݕܦ‬ሺ‫ܥܣܤܴܧܧܦ‬ሻ model that
emphasizes on the highly effective and responsible system constraints as well as time oriented user
creation and role assignment system that could meet the requirement of highly efficient and
productive system model for competitive cloud environment. These all considered constraints
characterize themselves effective with the implementation of orthogonally with every aspects of role
based Access control mechanism such as role creation, user definition, role assignment, activation of
specific roles, defining roles for users, assignment of role permissions.
Specifically, the proposed ‫ ܥܣܤܴܧܧܦ‬system differentiates between the activation or
enabling of roles and the activation of individual roles. In this approach a specific role is defined and
is activated only in the circumstance when a particular user is permitted to get it. An activated role
becomes functional when the user is permitted for access in the duration of defined session. The
roles could not be activated by the users in case of disabled role session. Hence, the considered or
specified model does specify the roles on after enabling or disabling when it can/cannot be assumed
by users.
In the proposed system model we have considered three dominant kinds of hierarchy that
strengthens the system model with higher efficiency and security enhancement. These are
inheritance-only hierarchy ሺ‫ ܫ‬െ ݄݅݁‫ݕ݄ܿݎܽݎ‬ሻ, activation-only hierarchy ሺ‫ ܣ‬െ ݄݅݁‫ݕ݄ܿݎܽݎ‬ሻ and
݄݅݊݁‫ ݁ܿ݊ܽݐ݅ݎ‬െ ܽܿ‫ ݕ݄ܿݎܽݎ݄݁݅ ݊݋݅ݐܽݒ݅ݐ‬ሺ‫ ܣܫ‬െ ݄݅݁‫ݕ݄ܿݎܽݎ‬ሻ. The first hierarchy permits the semantics
for permission-inheritance while the second refers semantics for activation of roles only and the last
considered and developed hierarchy permits both the role activation as well as permission
inheritance. Considering these all, here in this system model we have implemented these all three
hierarchies which have been further divided into two categories called as restricted and unrestricted
kind of hierarchy [16], [17].
In general issues allied with any access control model or frameworks with rich constraint
language are the factor of minimality and its expressiveness where the minimality refers the
116


minimum status of set of constraints and it is a vital criterion that determines the effectives of the
minimal model over the nonminimal models. Here in this paper we have proposed and developed a
highly robust framework that addresses the existing problems of minimality, expressiveness, user
creation, role generation and respective role-permission with the expected minimum expiration
period in ܴ‫ ܥܣܤ‬framework. The proposed ‫ ܥܣܤܴܧܧܦ‬model has performed better in terms of highly
efficient role creation and multiple role assignments per user in defined minimum time even without
violating the security aspects in comparison with ‫ ܥܣܤܴܶܩ‬model [17]. Considering the power of
expressiveness, here in this work we have illustrated that the numerous sets of model constraints
could be used for generating a family of ‫ ܥܣܤܴܧܧܦ‬system model with similar expressive power.
Even being a non-minimal set of constraints in ‫ ܥܣܤܴܧܧܦ‬cloud framework here in this work has
established itself as more beneficial in terms of numerous advantages like least complexity, better
manageability and the feasibility in the characterization of policies of access control management. It
has illustrated that the constraints of timing for individual role assignments for users could be easily
substituted by the temporal constraints for effective role enabling activities.
The proposed and developed system architecture ‫ ܥܣܤܴܧܧܦ‬can be significant for examining
and investigating the performance of the model with minimality factor, expressiveness, and
complexity, feasibility in user creation, highly efficient and optimum user creation, role generation
and role-permission assignments for cloud environment without compromising with the security. The
results obtained for various user sizes and respective role generation with role assignments in the
proposed model and framework architecture establishes itself as the best system forhighly efficient
user managements, role creation and role assignments system for cloud computing environment.
The other sections of the manuscript have been presented as follows: Section II presents the
related work of the considered technologies which is ascended by section III that states ‫ܥܣܤܴܧܧܦ‬
model and its introduction for functionalities. Section IV presents expressiveness of ‫ܥܣܤܴܧܧܦ‬
model and its modeling. This section also presents the operations on periodicity expressions
algorithms, various developed algorithms and the system complexity along with its design
constraints. Section V presents the results obtained and its analysis which is ascended by Section VI
that discusses the conclusions of the developed system model.
II. RELATED WORKS
Considering the requirement of a highly robust and effective solution for access control and
role management in cloud computing environment a number of researches have been induced and
many of them have performed well also. In this way to research process the first scientist group
Bertino et al. introduced TRBAC framework that emphasizes on the dominant constraints of RBAC
system model [14]. The shortcomings of that system model were rooted with the use of temporal
constraints for performing role enabling that limited its performance for multiple service
requirements in cloud environments. At the next phase the predominant work was for ‫ܥܣܤܴܶܩ‬
model [17] the extended form of ܴܶ‫ ܥܣܤ‬model with the difference of inclusion of few extensive set
of constraints.
ܶ‫ ܥܣܤ‬modelwas introduced in [14] that mainly support the temporal authorization and key
deviation principles [14] but still lacks in addressing the roles and its effective assignments. A
number of other researchers have advocated for the implementation of certain significant supporting
constraints in anܴ‫ ܥܣܤ‬model and few dominant works have been done in [18], [13], [5], [17], [19],
[8]. Then while, those research efforts could not address the problem of time-based access
restrictions and effective user creation with role assignment of multiple sizes. This shortcoming was
illuminated in our work. In certain work [15] the researcher came out with a system architecture
based on a logic-oriented constraint specification language that might be employed for specifying the
constraints on individual roles, users and the role-assignments on the users. In [13] a temporal data
117


authorization model ሺܶ‫ܯܣܦ‬ሻwas proposed that could represent the access control policies on the
basis of temporal behaviour of the data [13]. Considering these research gaps and requirements here
in this paper we have proposed a ‫ ܥܣܤܴܧܧܦ‬model that emphasizes on the characteristic of
permission by implementing the dynamic assignments of role-permission with the help of constraints
of periodicity, session constraint and Event dependencies.
In this research work we have tried to implement the unique and highly robust system model
that considers all of the key aspects like minimality, session constraints, expressiveness, user
management and allied role permission facility with optimum performance level and the usability of
access control and management.
III. DEERBCA MODELING AND TEMPORAL ROLE HIERARCHY
3.1 IntroducingDEERBCA Model
In the highly robust and complicated systems of cloud computing the proposed dynamic
expiration enabled role based access control model,‫ ܥܣܤܴܧܧܦ‬plays a significant role in cloud
computing environment and its resource management. The mechanism of ‫ ܥܣܤܴܧܧܦ‬also
accommodates the individual concepts of role provisioning, its activation and even the provision of
environment constraints as well as the event expressions allied with it.
In the proposed ‫ ܥܣܤܴܧܧܦ‬approach the system architecture characterizes a number of set of
constraints. These are as follows:
1. Temporal role enable/disable constraints
Temporal role enabling/disabling constraints are those constraints that permit the characteristics
of intervals and that time durations in which the role of users are enabled. In case of defined
duration constraints the constraint enabling event ignites or initiates the enabling or disabling of a
particular role. This initiation takes place either by enabling functions or by a specific administrator
initiated runtime process.
2. Provision of temporal restraints on individual user’s role and the assignment of its rolepermission
Such kind of restraints permits the characteristics of function intervals and the time duration
in which the role for a specific user or its permission is allotted or issued.
3. Activation constraints
Activation constraints are those constraints that permit the nature of employed restrictions
functional of the activation of a user’s role. These constraints encompasses, the characterization of
the complete time interval for which a defined user can initiate a role or the count
ofcontemporaneous activations of the role defined at a specific time.
4. Runtime proceedings
A combination of runtime events permits the supervisor to vigorouslycommence the
‫ܥܣܤܴܧܧܦ‬procedures, or facilitate the period or commencementrestraints.
Few others combination of runtime procedures permits the users to make certain request for
activating or deactivating the roles.
5. Constraint permissible expressions
The proposed ‫ ܥܣܤܴܧܧܦ‬mechanism encompasses the events which enables or disables the
aforesaidtime duration and activation constraints for individual roles.
6. Event dependencies
The event dependencies in the proposed ‫ܥܣܤܴܧܧܦ‬system represent the expressions of the
inter-dependencies among all the encompassing events.In the development of DEERBAC system
model a number of system constraints have been used. The key constraints are periodicity
constraints, duration constraints, time based role activation constraints, Cardinality constraint on role
118


activation, Event dependencies and constraints of run time request. In expression the periodicity
constraints for user role assignment is given by (‫݃ݏܣ :ܽݎܲ ,ܵ ,ܦ‬௎ /‫݃ݏܣܦ‬௎ ܴ ‫݁ ݋ݐ‬ሻ while for role
enabling and role permissionሺ‫ ,)ܴ ݃ݏܣܦ/:ܽݎܲ ,ܵ ,ܦ‬ሺ‫݃ݏܣ :ܽݎܲ ,ܲ ,ܫ‬௪ /‫݃ݏܣܦ‬௪ ‫ܴ ݋ݐ‬ሻ expressions are
employed respectively.
For
duration
constraint
the
expressions
ሺሾሺ‫ܵ ,ܦ‬ሻ|‫ܯ‬ሿ, ‫ܯ‬ோ ܲ‫ܴ ܾܦ/݊ܧ :ݎ‬ሻ
and ሺሾሺ‫ܵ ,ܦ‬ሻ|‫ܯ‬ሿ, ‫ܯ‬௎ ܲ‫݃ݏܣܦ :ݎ‬௎ /‫݃ݏܣܦ‬௎ ܴ ‫݁ ݋ݐ‬ሻare used for user-role assignment (‫ܩ‬௎ோ௚ ) and rolepermission assignment‫ܩ‬௉ோ௪ respectively. The sporadic expression implemented in the expressions of
the considered constraints is represented in the form of ሺ‫ܵ ,ܦ‬ሻ [20], in which the variable or entity
ܵrefers the expression representing an infinite combination of periodictime moments, and the
variable entity D refers ‫ ܦ‬ൌ ሾܾ݁݃݅݊, ݁݊݀ሿ is a time duration representing the lower and upper bounds
which are inflicted on instants inentityܵ. On the other hand the expression ܵ‫݈݋‬ሺ‫ܵ ,ܦ‬ሻis employed for
stating all the encompassed time durations in composite function ሺ‫ܵ ,ܦ‬ሻ.
In this paper, we have also implemented a function ܲ ܵ‫݈݋‬ሺ‫ܵ ,ܦ‬ሻthat represents the collection
of the end points present in the intervals in ሺ‫ܵ ,ܦ‬ሻthat states that in case the entity or function ሺ‫ܵ ,ܦ‬ሻ
is represented in the form of a set of durations ሼሺ‫ݐ‬௨ଵ , ‫ݐ‬௧ଵ ሻ, ሺ‫ݐ‬௨ଶ , ‫ݐ‬௧ଶ ሻ, … , ‫ݐ‬௨௡ , ‫ݐ‬௧௡ ሽthen; the function can
be given as follows:
ܲ‫ ݈݋ݏ‬ሺ‫ܵ ,ܦ‬ሻ ൌ ሼሺ‫ݐ‬௨ଵ , ‫ݐ‬௧ଵ ሻ, ሺ‫ݐ‬௨ଶ , ‫ݐ‬௧ଶ ሻ, … , ‫ݐ‬௨௡ , ‫ݐ‬௧௡ ሽ
In these mathematical modeling or expressions the variable ‫ ܦ‬denotes the time interval for a
defined constraint.
3.2 Temporal Role Hierarchies
The overview of the temporal hierarchies of the proposed ‫ܥܣܤܴܧܧܦ‬system model has been
discussed in this section.Table-1 illustrates the predicate notations employed for representing the
semantics of the considered hierarchies. The considered entities like predicate enabled, assigned have
been given be presentation ‫ ݊ܧ‬ሺܴ, ‫ݐ‬ሻ, ‫ ݃ݏܣ‬ሺ݁, ܴ, ‫ݐ‬ሻ and ‫݃ݏܣ‬ሺ‫ݐ ,ܴ ,ݓ‬ሻ. These all notations denote the
status of the roles, roles of user and assignment of role permission at time t, respectively.
The activation of ሺ݁, ܴ, ‫ݐ‬ሻby means of predicate signifies that the specific user ݁might
activate specific role ܴ at certain time period‫ .ݐ‬And further it states that the specific user u is
unconditionally or unequivocally allotted to that specific roleܴ. The other entity ‫ ݐܿܣ‬ሺ݁, ‫ݐ ,ܴ ,ݑ‬ሻstates
the role ܴ is in active state in the specific user’s session or duration ܵ at time instant t, while another
entity ‫ݍܿܣ‬ሺ݁, ‫ݐ ,ݑ ,ݓ‬ሻ illustrates towards the acquisition of permission by ݁ at the session‫.ݑ‬The
predominant relationships among the predicates are in general considered and emphasized by the
axioms as mentioned in Table 1. Even these axioms do identify the acquisition of permission and the
role activation in the proposed ‫ ܥܣܤܴܧܧܦ‬system model.
Predicate
‫݊ܧ‬ሺܴ, ‫ݐ‬ሻ
ሺ݁_‫ ݃ݏܣ‬ሺ݁, ܴ, ‫ݐ‬ሻሻ
ሺ‫ ݃ݏܣ_ݓ‬ሺ‫ݐ ,ܴ ,ݓ‬ሻሻ
ܿܽ݊_‫ݐܿܣ‬ሺ݁, ܴ, ‫ݐ‬ሻ
ܿܽ݊_‫ ݍܿܣ‬ሺ݁, ‫ݐ ,ݓ‬ሻ
ܿܽ݊_ܾ݁_‫ ݍܿܣ‬ሺ‫ݐ ,ܴ ,ݓ‬ሻ

TABLE 1: Status Predicates
Meaning
Role ܴ is enable at time ‫ݐ‬
User ݁ is assigned to role ܴ at time ‫ݐ‬
Permission ‫ ݓ‬is assigned to role ܴ at time ‫ݐ‬
User ݁ can active role ‫ ݎ‬at time ‫ݐ‬
User ݁ can acquire permission ‫ ݓ‬at time ‫ݐ‬
Permission ‫ ݓ‬can be acquire through role ܴ at time ‫ݐ‬

‫ݐܿܣ‬ሺ݁, ܴ, ‫ݐ ,ݑ‬ሻ

Role ܴ is active in user ݁’‫ ݑ‬session ‫ ݑ‬at time ‫ݐ‬

‫ݍܿܣ‬ሺ݁, ‫ݐ ,ݑ ,ݓ‬ሻ

User ݁’ acquires permission ‫ ݓ‬in session ‫ ݑ‬at ‫ݐ‬

119


The axiom 1"‫݃ݏܣ‬ሺ‫ݐ ,ܴ ,ݓ‬ሻ ՜ ܿܽ݊_ܾ݁_‫ݍܿܣ‬ሺ‫ݐ ,ܴ ,ݓ‬ሻ"indicates that in case any person is
allotted to perform a specific role, then the same can be accomplished with the help of that specific
role.Similarly, the second axiom 2 “‫ ݃ݏܣ‬ሺ݁, ܴ, ‫ݐ‬ሻ ՜ ܿܽ݊_‫ݐܿܣ‬ሺ݁, ܴ, ‫ݐ‬ሻ" denotes that all of the
consisting users are facilitated a specific role so that they may activate that specific roles and
function. Axiom 3ܿܽ݊_‫ݐܿܣ‬ሺ݁, ܴ, ‫ݐ‬ሻ ‫ ݍܿܣ_ܾ݁_݊ܽܿ ר‬ሺ‫ݐ ,ܴ ,ݓ‬ሻ ՜ ܿܽ݊_‫ ݍܿܣ‬ሺ݁, ‫ݐ ,ݓ‬ሻ”, it is stated that
in case a particular user u is provided a role ܴ then all the encompassing functionalities or roles r
could be accomplished with the help of that user ‫.ݑ‬
Inthe same way, the ascending axiom 4 ‫ݐܿܣ‬ሺ݁, ܴ, ‫ݐ ,ݓ‬ሻ ‫ ݍܿܣ_ܾ݁_݊ܽܿ ר‬ሺ‫ݐ ,ܴ ,ݓ‬ሻ ՜
‫ݍܿܣ‬ሺ݁, ‫ݐ ,ݑ ,ݓ‬ሻsay that in case a user session or duration in which one has to activate a specific
roleR, in that circumstances the user ݁ accomplishes then all the permissions that could be collected
through the role ܴ. It must be noted that the axioms presented in 1 and 2 illustrates towards the
permission-acquisition and role-activation semantics which are in general governed by overt userrole and the person or privilege of the role assignment.
In general, a particular hierarchy of role ܴ lengthens the extent of the permission-acquisition
and the semantics of the role-activation further than the preciseallocations by means of hierarchical
relations which are predefined among permitted or considered roles. In our proposed ‫ܥܣܤܴܧܧܦ‬
model or framework the predominant three hierarchies are considered. These are: permissioninheritance-only
hierarchy
which
is
also
known
as‫ ܫ‬െ ݄݅݁‫,ݕ݄ܿݎܽݎ‬
‫ ݈݁݋ݎ‬െ ‫ ݐܿܣ‬െ ‫ݕ݄ܿݎܽݎ݄݁݅ ݕ݈݊݋‬or‫ ܣ‬െ ݄݅݁‫ ,ݕ݄ܿݎܽݎ‬and the third and the last hierarchy are referred to
as ܿ‫ ݁ܿ݊ܽݐ݅ݎ݄݁݊݅ ܾ݀݁݊݅݉݋‬െ ‫ݕ݄ܿݎܽݎ݄݁݅ ݐܿܣ‬or ‫ ܣܫ‬െ ݄݅݁‫ .]71[ ,]61[ ݕ݄ܿݎܽݎ‬These all framework
hierarchy might be of any kind, either of restricted or unrestricted kinds.
Among these hierarchies the restricted one might be further classified into two types, weakly
and strongly restricted. The hierarchy of unrestricted type ‫ ܫ‬െ ݄݅݁‫ ܽݕ݄ܿݎܽݎ‬൒௧ ߚthat states that in
case there exists a ൒୲ β, then the role permission or even acquisition permission could be
accomplished with the help of role ‫ݔ‬which encompasses all the approvals or acknowledgements that
could be gained with the help of specific role ‫.ݕ‬In other way, the permissions of the ascenders roles
are in general inherited or ascended by the roles with higher priority. Meanwhile, the condition
which is in relation to the unrestricted A-hierarchy states that in case a user ݁ activates a specific role
‫ ݔ‬with the condition‫ ݔ‬൒௧ ߚ, then that user ݁might also initiate the role ߚwhether being not assigned
toߚ. Furthermore, the user ݁might not get theߚ’‫ ݏ‬permissions only by initiatingܽ. On the other hand,
the permission-inheritance nature is not permitted in an unrestricted A-hierarchy framework. It can
be found that the ‫ ܣܫ‬െ ݄݅݁‫ݕ݄ܿݎܽݎ‬is the specific and of course alone framework that encompasses
both kind of inheritance, like permission inheritance as well as role-activation kind of semantics. The
weakly restricted hierarchy permits the inheritance or the activation semantics in the non-overlapping
activation sessionof the systematically allied roles, on the other hand the hierarchies restricted
strongly permits the inheritance and the activation semantics only in the overlapping causing
sessions.
As per the considered condition for ‫ ܫ‬െ ݄݅݁‫ݕ݄ܿݎܽݎ‬ሺ‫ ܽ݀݁ݐܿ݅ݎݐݏ݁ݎ ݕ݈݇ܽ݁ݓ‬൒௧ ߚሻ is presented,
then only the role is required to be activated at time ‫ ݐ‬so as to implement the inheritance semantics.
The roles or defined role ‫ ݕ‬might or even might not be activated at that specific time then while, in
case of ‫ ܫ‬െ ݄݅݁‫ ݕ݄ܿݎܽݎ‬which is a kind of strongly restricted hierarchy framework, if ܽ ൒௨ ௧ ߚ is
stated then the entities, ܽ and ߚis required to be activated at the specific time ‫ݐ‬so as to employ the
inheritance semantics. The hierarchies like restricted Aand IA are defined in the same way.
IV. EXPRESSIVENESS OF ࡰࡱࡱࡾ࡮࡭࡯ MODEL AND ITS MODELING
The overall system has been introduced in the previous section and has been discuss that the
proposed ‫ ܥܣܤܴܧܧܦ‬modelpermits the characterization of a huge set time-related constraints.
Observing these factors a significant question arises that whether this kind of exhaustive set of
120


temporal constraints is required or is there a minimal combination of constraintswhich posses’
similar expressive capability or capability of expressiveness with all the significant constraint of the
proposed model‫ .ܥܣܤܴܧܧܦ‬Here, in this presented section, it would be illustrated that all the
encompassing constraints of proposed model are not minimal. Implementing or even considering the
notion of activity-equivalence or a-equivalence, it has been depicted that there exists a negligible set
of system constraint that could have an expressive power equivalent of the proposed ‫ܥܣܤܴܧܧܦ‬
constraint. In the proposed approach and system model we have demonstrated an analysis that in
spite of minimum value, the set representing the non-minimal system constraints facilitates the better
option and efficiency for representing the cloud access constraints. Specifically, this kind of options
and alternatives do permit the users highly robust and convenient system mechanism with
comparatively minimum complexity. Additionally, thehuge sum of access restraints present in
‫ ܥܣܤܴܧܧܦ‬system facilitates better functional feasibility along with the proper selection of a
semantically apparent characteristicby implementing optimization measures for enhancing the
usability of the model. The following algorithm represents the algorithm presentation for conversion
of the role permission.
Algorithm ܴܲ_‫ݐݎ݁ݒ݊݋ܥ‬
Input: ‫ݕܩ‬௜௡ ; ࡻ࢛࢚࢖࢛࢚ ‫ݕܩ ׷‬௢௨௧
1. ‫ݕܩ‬௢௨௧ ൌ ሼܶ ᇱ , ܷ‫ ݏ݈݁݋ܴ ,ݏݎ݁ݏ‬ᇱ , ܲ݁‫ ܪܴ ,ݏ݊݋݅ݏݏ݅݉ݎ‬ᇱ ሽ ൌ
2. ‫ݕܩ‬௜௡ ൌ ሼܶ, ܷ‫ܪܴ ,ݏ݊݋݅ݏݏ݅݉ݎ݁ܲ ,ݏ݈݁݋ܴ ,ݏݎ݁ݏ‬ሽ;
3. ۴‫ ݀ ࡴ࡯࡭ࡱ܀۽‬ൌ ሼࣛ, ‫݃ݏܣ :ݎ݌‬௪ /‫݃ݏܣ‬௪ ‫ܴ ݋ݐ ݓ‬ሽ ‫ ࣛ ݁ݎ݄݁ݓ ,ܶ א‬ൌ
ሼሺ‫ܷ ,ܯ‬ሻ, ሺሾ‫ܯ ,|ܷ ,ܯ‬௔ ሿ, ‫ܯ‬ሻሽ ۲‫ܗ‬
4.
Generate a speciϐic roleܴ௜ ;
5.
Substitute all occurrences of ሼࣛ, ‫݃ݏܣ :ݎ݌‬௪ /‫݃ݏܣܦ‬௪ ‫ܴ ݋ݐ ݓ‬ሽ byሼࣛ, ‫݊ܧ :ݎ݌‬௪ /
ܾ݀௪ ܴ௜ in T’
஺௦௚ೢ
6.
Perform (add default assignment “஽஺௦௚ ‫ܴ ݋ݐ ݓ‬௜ ” to T’
ೢ

7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.

۴‫ࡴ࡯࡭ࡱ܀۽‬Event
‫ ܶ א‬ᇱ , ‫ ܴݐ ݁ݎ݄݁ݓ‬ൌ "ܲԢଵ , … , ܲԢ௠ , ‫ܩ‬Ԣଵ , … , ‫ܩ‬Ԣ௢ ՜
‫ܲ :ݎ݌‬௠ାଵ after ∆௧ " ‫݋ܦ‬
Replace ‫ܲ"= ’ܴݐ ݕܾ ܴݐ‬Ԣଵ , … , ܲԢ௠ , ‫ܩ‬Ԣଵ , … , ‫ܩ‬Ԣ௢ ՜ ‫ܲ :ݎ݌‬Ԣ௠ାଵ after ∆௧ ”, such that,
݈ ൌ 1 ‫ ݉ ݋ݐ‬൅ 1, ݂ ൌ 1 ‫݋ ݋ݐ‬ሻ
IFሺܲ௟ ൌൌ "‫݃ݏܣ‬௪ /‫݃ݏܣܦ‬௪ ‫"ܴ ݋ݐ ݓ‬ሻTHEN‫’ܩ‬௙ ൌ ‫݊ܧ‬௪ /ܾ݀௪ ܴ௟ ";
ELSE update ܲ’௟ ‫’ܧ‬௟ ൌ ܲ௟ ;
IFሺ‫ܩ‬௙ ൌൌ "‫"ܴ ݋ݐ ݓ ݃ݏܣܦ/݃ݏܣ‬ሻTHEN‫’ܩ‬௙ ൌ ‫ܴ ܾ݀/݊ܧ‬௟ ";
ELSE update‫’ܩ‬௙ ൌ ‫ܩ‬௙ ;
ENDFOR
Update Roles’=Roles’ ‫ ׫‬ሼܴ௟ ሽ;
FOR each role ܴ௟ ‫ ݐ݄ܽݐ ݄ܿݑݏ ݏ݈݁݋ܴ א‬ሼܴ ൒ ܴ௙ ሽDO
Update ܴ‫ ܪ‬ᇱ ൌ ܴ‫ܪ‬ᇱ ‫ ׫‬൛ܴ௟ ൒ ܴ௙ ൟ; ܴ‫ ܪ‬ᇱ ൌ ܴ‫ܪ‬ᇱ െ ൛ܴ ൒଼ ܴ௙ ൟ
ENDFOR
Update ܴ‫ ܪ‬ᇱ ൌ ܴ‫ܪ‬ᇱ ‫ ׫‬ሼܴ ൒଼ ܴ௟ ሽ;
ENDFOR

Algorithm 1: ܴܲ_‫ݐݎ݁ݒ݊݋ܥ‬
4.1 Minimality of DEERBAC
With a considered ‫ ܥܣܤܴܧܧܦ‬model, all of its system constraints are referred to as Temporal
Constraint and Activation base ሺܶ‫ܤܣܥ‬ሻ.this set of constraints, ܶ‫ ܤܣܥ‬can be presented as follows:
௫
௫
௫
௫
௫
௫
௫
௫
ܶ ൌ ሺ‫ܩ‬௎ோೢ , ‫ܩ‬ோೢ, , ‫ܩ‬௪ோೢ , ‫ܩ‬௎ோ೒ , ‫ܩ‬ோ೒, ,‫ܩ‬௪ோ೒ , ‫ܩ‬ௗோ , ‫ܩ‬௚௘ோ , ‫ܩ‬௡ோ , , ‫ܩ‬௡௘ோ , ‫ܩ‬௠ோ ,
‫ܩ‬௠௘ோ , ‫ܩ‬௠௡ோ , ‫ܩ‬௠௡௘ோ , ‫ܩ‬௧ோ , ‫ܩ‬ௗ
In this manuscript and the proposed model, we have employed the name as constraint that
refers towards the combination encompassing the periodicity constraint of specific kinds. For
121


example, ‫ܩ‬௎ோೢ represents user a periodicity constraint which states a role assignment on individual
user’s role and it is expressed asሺ‫݃ݏܣ :ܽݎܲ ,ܵ ,ܦ‬௎ /‫݃ݏܣܦ‬௎ ܴ ‫݁ ݋ݐ‬ሻ. The periodicity constraints cover
the user role assignments‫ܩ‬௎ோ௪ , role enabling‫ܩ‬ோ௪ and role permission assignment
‫ܩ‬௉௥௪ .
In the subsequent sections, a short term like ܶ ൌ ሺ‫ܩ‬௎ோೢ , ‫ܩ‬ோೢ, ሻ has been employed in the
specific case of non-empty constraints ‫ܩ‬ோೢ, ሺா௫௣௥௘௦௦௜௢௡ ሺ஽,ௌ,௉௥௔:஽஺௦௚ ோሻ୤୭୰ ୰୭୪ୣ ୣ୬ୟୠ୪୧୬୥ሻ and‫ܩ‬௎ோೢ . In fact
the nature of a ‫ ܥܣܤܴܧܧܦ‬model depends on variableܶ, the clusters of users, their individual roles,
the set of roles and the set of specific permissions as well as the role hierarchyܴ‫ .ܪ‬That’s why; here
in this manuscript the tuple has been employed for presenting a set ofܶ, users, roles and permission
as well as role hierarchy that depicts a complete ‫ ܥܣܤܴܧܧܦ‬model.
ௗ௬

In this work a notation ሺ݁ ሳ ‫ݓ‬ሻ has been defined for reading ݁ ‫ .ݏݎ݁ݏݑ ݎ݋‬The considered
ሰ
notation achieves the permission ‫ ݓ‬at the time instant ‫ ݐ‬under the function ‫ .ݕܩ‬Nowafter defining the
notations the notions of ܽ െ ݁‫ ݐ݈݊݁ܽݒ݅ݑݍ‬in between two ‫ ܥܣܤܴܧܧܦ‬frameworks or configurations
are defined. Few of the dominant notations have been definedas follows:
Definition 1: Activity-equivalence or ࢇ െ ࢋ࢛ࢗ࢏࢜ࢇ࢒ࢋ࢔ࢉࢋ
In
the
defined
‫ܥܣܤܴܧܧܦ‬
framework,
the
two
configurations
ሺܶଵ , ܷ‫ݏ݈݁݋ܴ ,ݏݎ݁ݏ‬ଵ , ܲ݁‫ܪܴ ,ݏ݊݋݅ݏݏ݅݉ݎ‬ଵ ሻand ‫ݕܩ‬ଶ ൌ ሺܶଶ , ܷ‫ݏ݈݁݋ܴ ,ݏݎ݁ݏ‬ଶ , ܲ݁‫ܪܴ ,ݏ݊݋݅ݏݏ݅݉ݎ‬ଶ ሻሻ
(‫ݕܩ‬ଵ ൌ
can represents ܽܿ‫ ݈݁ܿ݊݁ܽݒ݅ݑݍ݁ ݕݐ݅ݒ݅ݐ‬only in the situation when the pairs ሺ݁, ‫ݓ‬ሻsatisfies the
conditions݁ ‫ ݏݎ݁ݏܷ א‬and‫ .ݏ݊݋݅ݏݏݏ݅݉ݎ݁ܲ א ݓ‬Again, in case Gyଵ ൎ Gyୟ and Gyୟ ൎ Gyଶ the
equivalence condition Gyଵ ൎ Gyଶ is accomplished which exhibits the transitivity property.
In the proposed ‫ ܥܣܤܴܧܧܦ‬model ܽ െ ݁‫ ݈݁ܿ݊݁ܽݒ݅ݑݍ‬refers that a particular user could
efficiently exhibit the similar combination of accesses under the two configurations.Therefore, after
replacing the system configurations of ‫ݕܩ‬ଵ by another configurationGyଶ the accesses which are not
permitted for a particular or even individual user, is not altered.It must be noted that in the
considered case as we have takenthe similar set of users and their individual permissions therefore
ܽ െ ݁‫ ݈݁ܿ݊݁ܽݒ݅ݑݍ‬is not must to be implied with that policy equivalence which states that in any
case the two system configurations it is required to consider only similar rule sets. In this work we
have emphasized on illustrating the dissimilar model configurations of constraints as well as roles of
multiple range. This feature permits the similar set of assigned users for accomplishing the same
permission sets and after that it analyzes the configurationally complexities. It makes the system to
perform user role generation and role permission efficiently.
In the ascending research phasewe have illustrated that the constraint sets of ‫ܥܣܤܴܧܧܦ‬is not
minimal. These characteristics states that few kinds of constraints can be efficiently removed without
compromising or minimizing the expressive power of ‫ ܥܣܤܴܧܧܦ‬model.
Implementing the aforementioned ܽ െ ݁‫݈݁ܿ݊݁ܽݒ݅ݑݍ‬relations over a set of ‫ ܥܣܤܴܧܧܦ‬model, in this
work we have to present that there exists a minimal presentations which employs only periodicity
and the duration constraints. These all constraints are functional on roles and are activated on perrole basis.‫ܥܣܤܴܧܧܦ‬also considers default assignments for assigning the permissions and users to
the specific roles without characterizing any temporal restrictions.
In the ascending research phase we have presented certain robust algorithms that could be
employed for generating a-equivalent model or framework for a certain defined model or
configuration.The first algorithm ሺܴܲ_‫ݐݎ݁ݒ݊݋ܥ‬ሻgenerates a highly robust and effective ܽ െ
݁‫ݐ݈݊݁ܽݒ݅ݑݍ‬framework for a specific ‫ ܥܣܤܴܧܧܦ‬system configuration, while considering all the
temporal constraints functional on assignments of role-permission displaced by those for enabling
the role. Meanwhile, another algorithm called ܷܴ_‫ ݐݎ݁ݒ݊݋ܥ‬comes up with new framework tothe
input arrangement‫ ݕܩ‬where all the incorporating or participating assignments of role and the
122


constraints ofper-user-role activation is replaced by the considered role enabling and per-role
activation, respectively.
Algorithm ܷܴ_‫ݐݎ݁ݒ݊݋ܥ‬
Input:‫ݕܩ‬௜௡ ; ܱ‫ݕܩ ׷ ݐݑ݌ݐݑ‬௢௨௧
1. ‫ݕܩ‬௢௨௧ ൌ ‫ݕܩ‬௜௡ ሺ݅. ݁. , ሼܶ ᇱ , ܷ‫ ݏ݈݁݋ܴ ,ݏݎ݁ݏ‬ᇱ , ܲ݁‫ ܪܴ ,݊݋݅ݏݏ݅݉ݎ‬ᇱ ሽ ൌ
ሼܶ, ܷ‫ܪܴ ,݊݋݅ݏݏ݅݉ݎ݁ܲ ,ݏ݈݁݋ܴ ,ݏݎ݁ݏ‬ሽሻ; ܷ ൌ ‫׎‬
2. ࡲࡻࡾࡱ࡭࡯ࡴ ݀ ൌ ሼࣛ, ‫݃ݏܣ :ݎ݌‬௎ /‫݃ݏܣ‬௎ ݁ ‫ܴ݋ݐ‬ሽ ‫ ࣛ ݁ݎ݄݁ݓ ,ܶ א‬ൌ
ሼሺ‫ܷ ,ܯ‬ሻ, ሺሾ‫ܯ ,|ܷ ,ܯ‬௔ ሿ, ‫ܯ‬ሻሽࡰ࢕
3. ܿ‫ܴ ݈݁݋ݎ ݁ݑݍ݅݊ݑ ݔ ݁ݐܽ݁ݎ‬௟ ܽ݊݀ ‫ݏݎ݁ݏݑ ݈ ݎ݋݂ ݏ݈݁݋ݎ ݂݋ ݐ݁ݏ‬
4. Replace all occurrences of ሼࣛ, ‫݃ݏܣ :ݎ݌‬௎ /‫݃ݏܣܦ‬௎ ݁ ‫ܴ ݋ݐ‬ሽ byሼࣛ, ‫ܴ ܾ݀/݊ܧ :ݎ݌‬௟ ሽ in T’
5. Add default assignment “‫ܴ ݋ݐ ݁ ݃ݏܣܦ/݃ݏܣ‬௟ ” to T’
6. FOR
each Event dependencies‫ ܶ א ܴݐ‬ᇱ , ‫ ܴݐ ݁ݎ݄݁ݓ‬ൌ "ܲԢଵ , … , ܲԢ௠ , ‫ܩ‬Ԣଵ , … , ‫ܩ‬Ԣ௢ ՜
‫ܲ :ݎ݌‬௠ାଵ after ∆௧ " ‫݋ܦ‬
7. Replace ‫ ’ܴݐ ݕܾ ܴݐ‬where tR’=ൌ "ܲԢଵ , … , ܲԢ௠ , ‫ܩ‬Ԣଵ , … , ‫ܩ‬Ԣ௞ ՜ ‫ܲ :ݎ݌‬Ԣ௠ାଵafter∆௧ ”, such that
8. IFሺܲ௟ ൌൌ "‫݃ݏܣ‬௎ /‫݊݃ݏܣܦ‬௎ ݁ ‫"ܴ ݋ݐ‬ሻ THEN upate ܲ’௟ : ൌ ‫݊ܧ‬௪ /ܾ݀௪ ܴ௟ ";
9. ELSEܲ’௟ ൌ ܲ௟ ;
10. IFሺ‫ܩ‬௙ ൌൌ "‫݃ݏܣܦ/݃ݏܣ‬௎ ݁ ‫"ܴ ݋ݐ‬ሻ THEN ‫’ܩ‬௙ : ൌ "‫ܴ ܾ݀/݊ܧ‬௟ ";
11. ELSE Update ‫’ܩ‬௙ ൌ ‫ܩ‬௙ ;
12. ENDFOR
13. Update Roles’=Roles’ ‫ ׫‬ሼܴ௟ ሽ;
14. FOR each role ܴ௟ ‫ ݐ݄ܽݐ ݄ܿݑݏ ݏ݈݁݋ܴ א‬ሼܴ ‫ܴ غ‬௙ ሽDO
15. ܴ‫ ܪ‬ᇱ ൌ ܴ‫ ܪ‬ᇱ ‫ ׫‬൛ܴ௙ ‫غ‬௨ ܴ௟ ൟ; ܴ‫ ܪ‬ᇱ ൌ ܴ‫ ܪ‬ᇱ െ ሼܴ ‫غ‬௨ ܴሽ;
//this is strongly restricted Ahierarchy
16. ENDFOR
17. Update ܴ‫ ܪ‬ᇱ ൌ ܴ‫ ܪ‬ᇱ ‫ ׫‬ሼܴ ൒଼ ܴ௟ ሽ;
18. ENDFOR
19. ܴ‫ ܪ‬ᇱ ൌ ܴ‫ ܪ‬ᇱ ‫ ׫‬൛ܴ௙ ‫غ‬௨ ܴൟ;
20. ENDFOR
21. ࡲࡻࡾࡱ࡭࡯ࡴ ‫ ݎ݅ܽ݌‬ሺ݁, ܴሻ
22. ‫ݐܿܣ‬௎௏ ൌ ሼ‫ݐܿܣ‬௎ோ೟೚೟ೌ೗ , ‫ݐܿܣ‬௎ோ_௠௔௫ , ‫ݐܿܣ‬௎ோ೙ , ‫ݐܿܣ‬௎ோ_௖௢௡ ሽDO
23. IFሺܴ௟ Ԣ ൌ ݃݁‫݁ܵݐ‬௟ ሺ‫ܴ ,݁ ,ݑ‬ሻ ൌൌ ܰ‫ܮܫ‬ሻܶ‫ܴ ݈݁݋ݎ ݁ݑݍ݅݊ݑ ܽ ݁ݐܽ݁ݎܥ ܰܧܪ‬௟ ,
//݃݁‫݁ܵݐ‬௟ ሺ‫ܴ ,݁ ,ݑ‬ሻ ൌൌ ܰ‫ݐ݄ܽݐ ݏ݊ܽ݁݉ ܮܫ‬
24. FOR each ݀ ൌ ሺࣛ, ࣜ௘ , ݁, ‫ݐܿܣ‬௎ࣜ ܴሻ߳ܶԢ DO
25. Replace d in T’ by d’ where ݀’ ൌ ሺࣛ, ࣜ௘ , ‫ݐܿܣ‬௎ࣜ ܴ௟ ሻ;
26. ENDFOR
27. IF (ܴ௟ ‫ )42 ݁݊݅ܮ ݊݅ݓ݁݊ ݀݁ݐܽ݁ݎܿ ݏܽݓ‬THEN
28. Role’=Role’‫ܴ{ ׫‬௟ };
29. FOR each role ܴ௙ ‫ܴ ݐ݄ܽݐ ݄ܿݑݏ ݏ݈݁݋ܴ א‬௙ ‫ذ‬௨ ܴ௟ DO
30. ܴ‫ ܪ‬ᇱ ൌ ܴ‫ ܪ‬ᇱ ‫ ׫‬൛ܴ௙ ‫ذ‬௦ ܴ௟ ൟ; ܴ‫ ܪ‬ᇱ ൌ ܴ‫ ܪ‬ᇱ െ ൛ܴ௙ ‫ذ‬௨ ܴൟ;
31. ENDFOR
32. ܴ‫ ܪ‬ᇱ ൌ ܴ‫ ܪ‬ᇱ ‫ ׫‬ሼܴ௟ ‫غ‬௨ ܴሽ;
33. ܴ݁‫ ݎ݁݌ ݈݁ܿܽ݌‬െ ‫ ݕܾ ݐ݊݅ܽݎݐݏ݊݋ܿ ݊݋݅ݐܽݒ݅ݐܿܽ ݈݁݋ݎ‬൫0, ‫ݐܿܣ‬ோ೘ ܴ൯݅݊ ܶԢ
34. ENDFOR

Algorithm 2: ܷܴ_‫ݐݎ݁ݒ݊݋ܥ‬
In the proposed system architecture the algorithm developed depicts that after substituting the
temporal constraints on rolepermissions the minimized system model with similar expressiveness
could be obtained on individual roles and constraints of per-user role. Here theminimal constraint set
(MCS) has been employed for exhibiting the details and reality whether ܽ െ ݁‫ݐ݈݊݁ܽݒ݅ݑݍ‬model
123


framework or model configuration exists with the minimum number of kinds of constraints. The
definition for the minimal constraints sets have been given in the definition 2.
Definition-2: Minimal Constraint Set
Consider, the factor minimum constraint set is represented by ‫ ܵܥܯ‬ሺܶሻwhich represents the set of
parametric constraints in ܶ‫ ,ܶ ܤܣܥ‬and similarly the variable ‫ ܵܩ‬refers, ‫ ܵܩ‬ൌ ሼ‫ݕܥ‬ଵ , ‫ݕܥ‬ଶ , … ‫ݕܥ‬௡ ሽthe
ܽ െ ݁‫ ݐ݈݊݁ܽݒ݅ݑݍ‬set of model configuration of frameworks for certain ݊ number, in such a way
that,‫ݕܩ‬௟ ൌ ሺܶ௟ , ܷ‫ܪܴ ,ݏ݊݋݅ݏݏ݅݉ݎ݁݌ ݏ݁ܿܿܽ ,ݏ݈݁݋ܴ ,ݏݎ݁ݏ‬௜ ሻ, ݂‫ ݈ ݏ݈ܾ݁ܽ݅ݎܽݒ ݎ݋‬ൌ 1,2, … ݊.
The minimum constraint set ‫ ܵܥܯ‬ሺܶ௟ ሻ refers the ‫ ܵܥܯ‬of constraints set in case there is no any kind
of other configures as‫ݕܩ‬௙ ൌ ൫ܶ௙ , ܷ‫ܪܴ ,ݏ݊݋݅ݏݏ݅݉ݎ݁݌ ݏ݁ܿܿܽ ,ݏ݈݁݋ܴ ,ݏݎ݁ݏ‬௙ ൯. In this mentioned
situation ݈ ‫ ݂ ב‬and its ݈‫ܶܥܯ‬ሺܶ_݂ ሻ ‫ܶܥܯ ؿ‬ሺܶ_݈ ሻ.
The derived definition states that ‫ ܵܥܯ‬is that parameter that poses at least unitary temporal
constraint.It must also be noticed that the presented definition refers towards a fact that user role and
its sets as well as its hierarchical assignments with its structures might be diverse for various system
or model configurations. The results accomplished for minimality results in ‫ ܥܣܤܴܧܧܦ‬model for
cloud environment with its allied expressions have been given in the following theorems
presentation.
Theorem 1: Minimality of ࡰࡱࡱࡾ࡮࡭࡯ model.
In this theorem consider that ‫ݕܩ‬ଵ represents the model configuration for‫ܥܣܤܴܧܧܦ‬system
௔
architecture in such a way that൛‫ܩ‬ௗ , ‫ܩ‬ோ௪ , ‫ܩ‬ோ௚ , ‫ܩ‬௥ , ‫ܩ‬௧ோ, ‫ܩ‬ௗ ൟ ‫ܵܥܯ ؿ‬ሺܶଵ ሻ. In this state there is the
probability of existence of ‫݂ܩ‬ଶ system configuration. The‫ݕܩ‬ଶ configuration posses the following
characteristics:
1. ‫ݕܩ‬ଵ ൎ ‫ݕܩ‬ଶ ,
௫
2. ‫ܵܥܯ‬ሺܶଶ ሻ ൌ ൛‫ܩ‬௚ , ‫ܩ‬ோ௪ , ‫ܩ‬ோ௚ , ‫ܩ‬ோ , ‫ܩ‬௧ோ, ‫ܩ‬ௗ ൟ,
௫
‫݊݋݅ݏݏ݁ݎ݌ݔ݁ ݀݁݊݋݅ݐ݊݁݉ ݁ݒ݋ܾܽ ݄݁ݐ ݊ܫ‬ሺ‫ܥ‬௥ ሻ ‫.ݏݐ݊݅ܽݎݐݏ݊݋ ݈݁݋ݎ ݎ݁݌ ݂݋ ݏ݀݊݅݇ ݄݁ݐ ݏݎ݂݁݁ݎ‬
3. ‫ܵܥܯ‬ሺܶଶ ሻIs nothing else but the ‫ ܵܥܯ‬functional withሼ‫ݕܩ‬ଵ ሽ ‫ ׫‬ሼ‫ݕܩ | ݕܩ‬ଵ ൎ ‫ ݕܩ‬ሽ.
The presented theorem 1 refers that the genuine set of ‫ ܥܣܤܴܧܧܦ‬modelwhich is not the
minimal because of few dominant parameters or factors like default assignments, periodicity in
framework, time constraints for enabling roles and assignment enabling (‫ܩ‬ோ௪ , ‫ܩ‬ோ௚ ), constraints for
௫
per role activationሺ‫ܩ‬௥ ሻ, enablesሺ‫ܩ‬௪௥ ሻ and the expression for constraint enabling ‫ܩ‬ௗ could be
effectively employed for representing any policy for access control of entire ‫ ܥܣܤܴܧܧܦ‬model
constraints.
It can be easily found that the counts of individual roles and its hierarchical complexity
increases by the implementation of the transformation algorithms which do replace the temporal
constraints on assignments by temporal constraints on roles. The fundamental factor and
reasonbehind such model behavior is that the algorithms "ܴܲ_‫ "ݐݎ݁ݒ݊݋ܥ‬and ܷܴ_‫ݐݎ݁ݒ݊݋ܥ‬generate a
new specific role though substituting every temporal obligation. Such characteristics might not be
instinctive and competentas it looks like there would be numerous new user’s roles createddue to the
replacements of temporal assignments.In order to generate similar kind of temporally nonoverlapping responsibilities or roles, it is required to divide ݊ periodic expressions into a temporally
non-overlapping set of periodic expressions. Once the periodic expressions have been divided then in
the ascending step the formal definitions are facilitated and the algorithms are required to create this
set by generating the disjoint periodicity expressions from a cluster of numerous periodicity
expressions. It must be noted that in our proposed minimal model represents itself as a highly robust
model with temporal parametric constraints on numerous role activations by means of creating some
124


other similar minimal model possessing the temporal constraints on the user role assignments or role
permission assignments in spite of role activation. Since, the roles are the fundamentalbody of
ܴ‫ܥܣܤ‬framework, here in this work we would emphasize on the minimal model.Being referred as
runtime constraints the parametric constraints on the activation of rolecannot possess any
correspondingillustrationemployingindividual role or permission for role assignments.
Thereforethere could be certain temporal constraints on individual roles even after eliminating the
temporal constraints on role activation.
4.2 Operations on Periodicity Expressions
In this presented section of the manuscript, the fundamental notions ofsuppression,
correspondence, overlapping, and disjunction operationsin between the pairs of periodic expressions
have been discussed.
Definition 3: Relations on periodic expressions.
Consider that ܵܲଵ ൌ ሺ‫ܦ‬ଵ , ܵሻଵ and ܵܲଶ ൌ ሺ‫ܦ‬ଶ , ܵଶ ሻbe the periodic expression. The relations between
these two expressions have been given bellow. The figure as mentioned below refers the relationship
between numerous periodic expressions.
It must be noticed that as mentioned in the 4th definition, it is in general referred as the disjoint in
case of the similar end points of two intervals or durations.The pair wise relations could be extended
for defining relationships of the periodic expressions.
The set of periodic expressions are considered as similar if all the considered periodic
expressions are similar.In an ideal world, generally it is expected to estimate disjoint clusters of
intervallic expressions which is minimal so as to associate them with individual roles for making
them temporally distinct.
Definition 4: Minimal Disjoin Set
Consider that ܵܲ ൌ ሼܵܲଵ , ܵܲଶ , … , ܵܲ௡ ሽ represents the se of a random periodic expression then the
minimal disjoint set ሺ‫ܵܦܯ‬ሻ over periodic expression ሺܵܲሻ can be given as the minimum set of
disjoint periodic expressions, ‫ܵܦܯ‬ௌ௉ or in mathematics ‫ܵܦܯ‬ௌ௉ ൌ ݉݅݊௡ ሼܵܲ௟ᇱ |1 ൑ ݅ ൑ ݊ሽ.
In order to accomplish the above mentioned criteria for‫ܵܦܯ‬ௌ௉ , the following conditions are required
to be fulfilled.
1. ‫ 1 ݂݋ ݁ݑ݈ܽݒ ݄ܿܽ݁ ݎ݋ܨ‬൑ ݈, ݂ ൑ ݊; ݈ ് ݂
ᇱ
ᇱ
2. ܵ‫ ݈݋‬ሺܵܲଵ ሻ ‫ ݈݋ܵ ׫‬ሺܵܲଶ ሻ ‫݈݋ܵ ׫ … ׫‬ሺܵܲᇱ ሻ, That means ܵ‫ ݈݋‬ሺܵܲଵ ሻ ‫ ݈݋ܵ ׫‬ሺܵܲଶ ሻ ‫݈݋ܵ ׫ … ׫‬ሺܵܲ௠ ሻ
௡
3. ݈ܵ݅݉݅ܽ‫ 1 ݕݎ݁ݒ݁ ݎ݋ܨ ,ݕ݈ݎ‬൑ ݈ ൑ ݉, 1 ൑ ݂ ൑ ݉, and for this it exhibit,
ᇱ
ܵܲ௟ᇱ ‫ܲܵ ؿ‬௙
In this definition, the conditions mentioned in 1st and 2nd terms illustrates that the minimum
disjoint set encompasses set of periodic expressionswhich is disjoint in nature and even contains the
time instants available in all set of periodic expressions given in ܵܲ௟ ‫. ݑ‬Again the last condition
makes it sure that individual periodic expressions could be present either in or might be disjoint also
from every ݂ܵܲ .

125


Figure1. Temporal relations between a pair of periodic expressions
Definition 5: Minimum subset (MS) presentation for ࡼࡱ in spite of ࡹࡰࡿ approach
Consider ‫ܵܦܯ‬ௌ௉ ൌ ݉݅݊௡ ሼܵܲ௟ᇱ | 1 ൑ ݈ ൑ ݊ሽ refers the MDS over periodicity expression,
ܵܲ ൌ ሼܵܲଵ , ܵܲଶ , … , ܵܲ ሽ, where n refers certain value.Now, the MS for the considered periodic
௡
expression with condition ܵܲ௙ ‫ ܲܵ א‬over derived ‫ܵܦܯ‬ௌ௉ can be presented is the following
expressions:
ᇱ
ᇱ
ᇱ
‫ܵܦܯ‬ௌ௉ ௙ ሺ‫ܵܦܯ‬ௌ௉ ሻ ൌ ሼܵܲగଵ , ܵܲగଶ , … , ܵܲగ௢ ሽ ‫ܵܦܯ ك‬ௌ௉ With1 ൑ ‫ ݋‬൑ ݊.
This is accomplished only in the case:
• ݉݅݊௞ ൛ߨ‫ 1|݋‬൑ ݈ ൑ ‫ א ݈ߨ ,݋‬ሼ1,2 … , ݊ሽൟ
• for each duration ‫݈݋ܵ א ݐ‬ሺܵܲ ሻ there exists exact singular set ߚ ‫ א‬ሼߨ1, ߨ2 … , ߨ‫݋‬ሽ in such a
௔
way that it satisfies ‫݈݋ܵ א ݐ‬ሺܵܲఉ ሻ
Here, it can also be noted that the minimum subset ሺ‫ܵܯ‬ሻ of ܵܲis nothing else but the MS of
‫ܵܦܯ‬ௌ௉ that encompasses all the duration instants ofܵܲܽ. .
After defining the ‫ ܵܯ‬now we emphasize on the illustrations of certain formal characteristicsthat are
allied with the estimation approaches of ‫ܵܦܯ‬and‫ .ܵܯ‬Since, the expression of the periodicity creates
the set of time instants, therefore the consequences also comes out instantaneously. The algorithms
for generating the ‫ܵܦܯ‬ௌ௉ have been given in Algorithm 3.
In the presented algorithm the ‫ ݃݊݅ݎ݅ܽܲ_ܵܦܯ‬approach estimates the ‫ ܵܦܯ‬for certain pairs of ܵܲ‫ݑ‬
and here it can be noted that in case of equivalence in two expressions the generated
‫ ܵܦܯ‬encompasses only one periodic expression. Meanwhile, in case of disjoint expressions the
generated ‫ܵܦܯ‬consists of both the periodic expressions.
Theorem 2: Generation of ࡹࡰࡿ employing ࡯ࢇ࢒ࢉ_ࡹࡰࡿ algorithm
ᇱ
ᇱ
With certain provided random sets of ܲ‫ݏܧ‬there is always a set ܵܲଵ , ܵܲଶ , … , ܵܲᇱ , existing in such a
௡
way that
ᇱ
ᇱ
• ‫ܵܦܯ‬ௌ௉ ൌ ܵܲଵ , ܵܲଶ , … , ܵܲᇱ
௡
This algorithm estimates the ‫ܵܦܯ‬ௌ௉ as output after taking periodic expression as input.
The next section discussesthe algorithm for creating system configuration of ܽ െ ݁‫ ݐ݈݊݁ܽݒ݅ݑݍ‬for our
proposed model after eliminating the temporal constraints from per user role assignments and
computation of Minimum subset and ‫ ܵܦܯ‬for periodic expressions.
Once ‫ ܵܦܯ‬has been generated we have developed a robust algorithm that generates aܽ െ
݁‫ ݐ݈݊݁ܽݒ݅ݑݍ‬framework configuration for ‫ ܥܣܤܴܧܧܦ‬system model by eliminating the temporal
constraints on per user role assignments which was followed by computation of ‫ ܵܯ‬and ‫ ܵܦܯ‬in
ܵܲ‫.ݏ‬
126


Theorem 3: rectifications or correctness ofࡹࡰࡿ_࡯࢕࢔࢜ࢋ࢚࢘.
With the provided input framework configurations ‫ݕܩ‬௜௡ possessing only the periodicity constraints
for assignments of per user role, the presented algorithm‫ ,ݐݎ݁ݒ݊݋ܥ_ܣܦܯ‬generates the output
configurations‫ݕܩ‬௢௨௧ :
• ‫ݕܩ‬௜௡ൎ ‫ݕܩ‬௢௨௧ And in this algorithmic approach ‫ݕܩ‬௢௨௧ posses no any temporal constraints for
role assignments on users.
4.3 System Complexity and Design Considerations
This is matter of fact that the complexity of the ‫ ܥܣܤܴܧܧܦ‬model might have various
dimensions like the uncontrolled and unmanaged counts of individual roles in the
model/framework.In spite of these all, the number of temporal constraints also affects the system
characteristics. In the presented scenario we do emphasize of performance and complexity factors
and have proposed for ‫ܥܣܤܴܧܧܦ‬in which the user membership is required to be checked for
estimating whether a specific user has been assigned certain role or not. Hence, the factor temporal
assignments added up some more model complexity as compared to the existing ܴ‫ܥܣܤ‬
mechanism.Here, we implement system without introducing much constraint and especially the
temporal constrains. Here in spite of verifying membership we do introduce the assurance of
temporal validity for a considered membership. In order to simplify the issues and concepts, in our
work we have developed a foundation hierarchy of ‫ ܥܣܤܴܧܧܦ‬model that posses the similar
expressive power on the basis of the results obtained earlier and the models performance is explored
on higher hierarchy.
In this work we have employed the notations for presenting the complexity parameters and then the
complexities for policy specifications have been analyzed.As discussed in the previous section about
the minimality results, few of the dominant temporal constraints can be included for our proposed
‫ ܥܣܤܴܧܧܦ‬system model. These constraints are as follows:
• Constraints of per user role-enabling or activation
• Constraints for periodicity and duration
• Role activation/deactivation constraints
• Event dependencies (‫ܩ‬௧ோ ) expressed as ܲଵ,…, ܲ௡, ‫ܪ‬ଵ,…, ‫ܪ‬௞ ՜ ‫.ݐ∆ ݎ݁ݐ݂ܽ ܲ :ݎ݌‬
Algorithm ‫݃݊݅ݎ݅ܽܲ_ܵܦܯ‬
Input:ܵܲଵ , ܵܲଶ
Output: MDS of ܵܲଵ , ܵܲଶ
1. IF (ܵܲଵ ൌ ܵܲଶ ) THEN RETURN {ܵܲଵ ,};
2. IF (ܵܲଵ ܵܲଶ ) THEN RETURNሼܵܲଵ ൌ ܵܲଶ ሽ;
3. IF (ܵܲଵ ‫ܲܵ ؿ‬ଶ ) THEN
4.
Update ܵܲ௔ ൌ ܵܲଵ ;
5.
Update ܵܲఉ ൌ ܵܲଶ െ ܵܲ௔ ;
6.
RETURN ሼܵܲ௔ ܵܲఉ ሽ;
7. IF (ܵܲଶ ‫ܲܵ ك‬ଵ ) THEN
8.
Update ܵܲ௔ ൌ ܵܲଶ ;
9.
Update ܵܲఉ ൌ ܵܲଵ െ ܵܲ௔ ;
10.
RETURNሼܵܲ ܵܲ௔ ሽ;
௤
11. IF (ܵܲଵ ۪ ܵܲଶ ) THEN
12.
Update ܵܲ௔ ൌ ܵܲଵ ‫ܲܵ ת‬ଶ ;
13.
Update ܵܲ௬ ൌ ܵܲଶ െ ܵܲఈ ;
14. Updateܵܲఊ ൌ ܲ‫ܧ‬ଵ െ ܵܲఈ
15. ‫ ۼ܀܃܂۳܀‬ሼܵܲ௔ , ܵܲఉ , ܵܲ ሽ
ఊ
16. ࡱࡺࡰ

Algorithm 3: Algorithm for MDS pairing
127

Algorithm ‫ܵܦܯ_݈ܿܽܥ‬
Input:ܵܲଵ , ܵܲଶ , … , ܵܲ௡
Output: MDS of ܵܲଵ , ܵܲଶ , … , ܵܲ௡
1. Assume that ܵܲ =ሼܵܲଵ , ܵܲଶ , … , ܵܲ௡ ሽ
2. Define ܵ ൌ ‫ ܵܦܯ ;׎‬ൌ ‫;׎‬
3. ࡵࡲ|ܵܲ| ൌ 1THEN RETURNܵܲ;
4. IF|ܵܲ| ൌ 2THEN RETURN
5. IF|ܵܲ| ൐ 2THEN
6.
Update MDS=Calc_MDS(ܵܲଵ , ܵܲଶ , … , ܵܲ௠ିଵ );
7.
Let MDS computed be ሺܵܲԢଵ , ܵܲԢଶ , … , ܵܲԢ௡ଵ ሻ;
8.
FOR݈ ൌ 1 ‫1݊ ݋ݐ‬DO
9.
Update ‫ ݃݊݅ݎ݅ܽܲ_ܵܦܯ‬ൌ ‫ܲܵ(݃݊݅ݎ݅ܽܲ_ܵܦܯ‬Ԣ௟ , ܵܲ , ሻ;
௠
10.
IF|ܲܽ݅‫ |ܵܦܯݎ‬ൌ 1 ‫ۼ۳۶܂‬
11.
ReturnMDS;
12.
IF|ܲܽ݅‫ |ܵܦܯݎ‬ൌ 2 ‫ۼ۳۶܂‬
13.
Let ‫ ݃݊݅ݎ݅ܽܲ_ܵܦܯ‬computed be ሺܵܲԢ௔ , ܵܲԢఉ ሻ;
14.
Update ܵ ൌ ܵ ‫ ׫‬ሼሺܵܲԢ௔ ሽ;
15.
۳‫ |ܵܦܯݎ݅ܽܲ|۴ۺ۳܁ۺ‬ൌ 3‫ۼ۳۶܂‬
‫ ܾ݁ ܵܦܯݎ݅ܽܲ ݐ݁ܮ‬ሺܵܲԢ௔ , ܵܲԢఉ , ܵܲԢఊ ሻ;
16.
17.
Update ܵ ൌ ܵ ‫ ׫‬൛ሺܵܲԢ௔ ܵܲԢ௭ఊ ൟ;
18.
ENDFOR
19.
Let S computed be ሺܵܲ"ଵ , ܵܲ"ଶ , … , ܵܲ"௡ଶ ሻ;
20.
ܵܲ"௡ଶାଵ ൌ ሺܵܲ௠ െ ሺሺܵܲ"ଵ ‫"ܲܵ ׫ … ׫ "ܲܵ ׫‬௡ଶ ሻ;
21.
ࡵࡲሺሺܵܲ"௡ଶାଵ ൌ ‫׎‬ሻ‫ۼ۳۶܂‬
Update ‫=ܵܦܯ‬ሺܵܲ"ଵ , ܵܲ"ଶ , … , ܵܲ"௡ଶ , ܵܲ"௡ଶାଵ ሻ;
22.
23.
۳‫۳܁ۺ‬
24.
Update MDS=ሺܵܲ"ଵ , ܵܲ"ଶ , … , ܵܲ"௡ଶ );
25.
RETURN MDS
26. END

Algorithms 4: Algorithm for ‫݊݋݅ݐ݈ܽݑ݈ܿܽܿ ܵܦܯ‬
Algorithm ‫ݐݎ݁ݒ݊݋ܥ_ܵܦܯ‬
Input: ࡳ࢟࢏࢔
Output: ࡳ࢟࢕࢛࢚
1. Define ‫ݕܩ‬௢௨௧ ൌ ሼܶ’, ܷܵ‫’ܪܴ ,ݏ݊݋݅ݏݏ݅݉ݎ݁ܲ ,’ݏ݈݁݋ܴ ,ܴܵܧ‬ሽ
Define ‫ݕܩ‬௜௡ ൌ ሼܶ’, ܷܵ‫’ܪܴ ,ݏ݊݋݅ݏݏ݅݉ݎ݁ܲ ݀݊ܽ ,’ݏ݈݁݋ܴ ,ܴܵܧ‬ሽ;
2. FOR each R ‫ א‬Roles DO
Let ܵܲ=ሼܵܲଵ , ܵܲଶ , … , ܵܲ௡ } andܷ ൌ ሼ݁ଵ , ݁ଶ , … , ݁௡ } be such that ሺܵܲ௟ , ‫݃ݏܣ‬௎ , ܴ ‫݁ ݋ݐ‬௜ ሻ ‫א‬
ܶᇱ;
3.
Compute MDS of ܵܲ; Let the computed
MDS=ሼܵܲԢଵ , ܵܲԢଶ , … , ܵܲԢ௡ };
4.
FOR݈ ൌ 1 to ݊ DO
5.
Compute ‫ܵܯ‬ௌ௉௟ ݂‫ܲܵݎ݋‬୪
6. ENDFOR
7. FOR݄݁ܽܿܵܲԢ௟ ‫ א‬MDS DO
8.
Create a unique roleܴԢ௟ ;
9.
FOR all ݁௢ ‫ ܷ א‬such that ܵܲԢ௟ ‫ܵܯ א‬ௌ௉଴ DO
10.
Add default assignment ሺ‫݃ݏܣ‬௎ , ܴ௟ ‫݁ ݋ݐ‬௢ ሻ in T’.
11.
Add constraintሺܵܲԢ௟ , ‫ܴ ݊ܧ‬௟ ሻ in T’.
12.
Remove constraint ሺܵܲԢ௟ ‫݃ݏܣ‬௎ , ܴ ‫݁ ݋ݐ‬௟ ሻfrom T’;
13.
Update Roles’ = Roles’ ‫ ׫‬ሼܴ௟ ሽ;
14. Update RH’ = RH’ ‫ ׫‬ሼܴ௟ ‫غ‬௨ ܴሽ; // Strongly restricted A-hierarchy
15.
ENDFOR
16. ENDFOR
17. ENDFOR

Algorithm 5 Algorithm for MDS conversion
128


Table 2 presents the complexity parameters and their respective notations.
TABLE 2: Complexity Parameters and its notations
Complexity parameter
Notations
Role
‫ܥ‬
Default (simple) assignment
‫ܫ‬
Enabling time constraints on
‫ܭ‬௨
role
Temporal constraints on
‫ܭ‬௨௥ , ‫ܭ‬௥௣
assignments
Activation time constraints on
‫ܤ‬௘௨ , ‫ܤ‬௥
roles
Hierarchy
‫ܪ‬

Level

Table 3: A family of DEERBAC models
Model
Constraint Set

2

‫ܥܣܤܴܶܩ‬ଶ

ܶ ൌ ܶூ,஻ ‫ܶ ڂ‬ூ,௎ ‫ܶ ڂ‬ூ,௪

1

‫ܥܣܤܴܶܩ‬ூ,௉

ܶூ,௉ ൌ ܶ௢ ‫ ڂ‬൛‫ܩ‬௪ோ௪ , ‫ܩ‬௪ோ௚ ൟ

‫ܥܣܤܴܶܩ‬ூ,௎

ܶூ,௎ ൌ ܶ௢ ‫ ׫‬൛‫ܩ‬௎ோ௪ , ‫ܩ‬௎ோ௚ ൟ

‫ܥܣܤܴܶܩ‬ூ,஺

௫
௫
௫
௫
ܶூ,஺ ൌ ܶ௢ ‫ ׫‬൛‫ܩ‬௚௨ோ, ‫ܩ‬௡௨ோ, ‫ܩ‬௠௨ோ, ‫ܩ‬௠௡௨ோ, ൟ

‫ܥܣܤܴܶܩ‬଴ minimal

௫
ܶ௢ ൛‫ܩ‬௚ , ‫ܩ‬ோ௪ , ‫ܩ‬ோ௚ , ‫ܩ‬ோ, ‫ܩ‬௧ோ , ‫ܩ‬௨ ൟ

0

Figure 2. Family of DEERBAC models
The above mentioned figure (Figure 2) illustrates the minimality framework of the
‫ܥܣܤܴܧܧܦ‬଴ for level 0. Now coming up to the level 1, we come across through three frameworks or
models that individually introducea better and highly robust kind of system constraint
to‫ܥܣܤܴܧܧܦ‬଴ . the proposed ‫ܥܣܤܴܧܧܦ‬depicts the system model possessing all of its temporal
constraints and the constraints of per-user constraints enabling. Meanwhile, ‫ܥܣܤܴܧܧܦ‬ଵ,௎ indicates
the system model possessing all of the constraints and constraints of role enabling on the other hand
the ‫ܥܣܤܴܧܧܦ‬ଵ,௉ represents the system model possessing temporal constraints as well as the
129


constraints of role permission and its assignments. Again in the 2nd level we have consideredthe
‫ܥܣܤܴܧܧܦ‬஼,ଶ model that contains all the temporal constraints. In our proposed analysis we have
adopted the similar hierarchy.
4.3.1 Constraints on Role Enabling and Assignments
As discussed earlier that the incorporating model constraints for role-permission assignment
and role activation can be substituted by temporal constraints, then whilesuch kinds of architectural
transformation might come out a huge counts of roles and/or cause the complicated access control
architecture. Here, in this section we have calculated numerous options for selecting constraints for
their role in role enabling or activation as well as permission. Such kind of estimation is solely based
on the comparison the model or framework complexity by employing Level 1 with respect to
numerous presentations employing proposed minimal framework for representing the similar set of
access permissions.
Considering the algorithm ܷܴ_‫ ,ݐݎ݁ݒ݊݋ܥ‬it can be easily found that the model
transformations taking pace with substitution of temporal constraints for role assignments on users
by the temporal constraints is same as it takes place in the transformation to be substitution of the
temporal constraints for permission of roles by the temporal constraints inܷܴ_‫ .ݐݎ݁ݒ݊݋ܥ‬The
transformation of factors like periodicity and duration takes place in the same approach but the
incorporating constraints are replaced by a new role. Therefore, in order to perform the analysis for
complexity the periodicity constraints are applied and it is used in case of duration constrains also.
Therefore, in this research work we have emphasized on the issue of periodicity constraints and have
explored various significant considerations allied with constraints of duration.A temporal constraint
for assignments of user role refers that the specific user can enable a particular role for the specific
time periods but only in the case of activated roles. In spite of using the constraintfor assignment of
roles on users, here in this we have enforcedthe expected access control mechanism by implementing
the temporal constraints for activation of roles. In the further phases the complexity problems related
to the presentation of the set of access need employing ‫ܥܣܤܴܧܧܦ‬଴ and ‫ܥܣܤܴܧܧܦ‬ଵ,௎ system models.
Representation ofࡰࡱࡱࡾ࡮࡭࡯૚
૙
ଵ
In order to represent the ‫ܥܣܤܴܧܧܦ‬଴ system model we have used ܷܴ_‫ ݐݎ݁ݒ݊݋ܥ‬algorithm with the
specific ‫ܥܣܤܴܧܧܦ‬ଵ,௎ representation in the form of model input. Now, according to this presentation,
a specific role is formed and the assignment of periodic constraint takes place on the newly created
role. For example, for a defined constraint set, a role‫ݑ‬஻ is created and is added with a newly created
constraint referred as ሺܵܲ஻ , ‫ݑ ݊ܧ‬஻ ሻ.In alternation the minimal disjoint set mechanism is implemented
by employing ‫ ݐݎ݁ݒ݊݋ܥ_ܵܦܯ‬algorithm.
Mathematically,
‫ܵܦܯ‬ሼௌ௉஺,ௌ௉஻,ௌ௉஼,ௌ௉஽,ௌ௉ாሽ
ᇱᇱᇱ
ᇱᇱᇱ
ᇱᇱᇱ
ᇱᇱᇱ ሽ
= ሼܵܲଵ , ܵܲଶ , ܵܲଷ , ܵܲସ
Now, a specific user role is generated for individual ܵܲof ‫ܵܦܯ‬ሼௌ௉஺,ௌ௉஻,ௌ௉஼,ௌ௉஽,ௌ௉ாሽ .as
ห‫ܵܦܯ‬ሼௌ௉஺,ௌ௉஻,ௌ௉஼,ௌ௉஽,ௌ௉ாሽ ห
Each user is allotted a set of new roles in corresponding to the ܵܲs that comprise the Minimal
Subsetof ܵܲs allied with user.
ᇱᇱᇱ
ᇱᇱᇱ
ܶ‫ܫ‬ௌ௉஼ ൫‫ܵܦܯ‬ሼௌ௉஺,ௌ௉஻,ௌ௉஼,ௌ௉஽,ௌ௉ாሽ ൯ ൌ ሼܵܲଵ , ܵܲଶ ሽ,And the user is allotted to the specific roles
ᇱᇱᇱ
ᇱᇱᇱ
corresponding to ܵܲଵ andܵܲଶ . It happens only because the specific roles retain their originality in
transformations. It should be noted that for ‫ܥܣܤܴܧܧܦ‬ଵ,௎ model presentation.
The presentation or analysis of complexities which is allied with the substitutepresentation with the
proposed ‫ܥܣܤܴܧܧܦ‬଴ system model has been given as follows:
130


Theorem 4 Expression for complexity in ࡰࡱࡱࡾ࡮࡭࡯૚ andࡰࡱࡱࡾ࡮࡭࡯૛ .
૙
૙
Consider݊ refers the number of users which are assigned with individual roleܴ. Let the periodic
expression for the user role assignment is ܵܲ ൌ ܵܲଵ , ܵܲଶ , … , ܵܲ௡ for ‫ ݑ‬users. In general the
ଵ
ଶ
complexity expressions for‫ܥܣܤܴܧܧܦ‬଴ and ‫ܥܣܤܴܧܧܦ‬଴ can also be presented as follows:
ଵ
1. ‫ܥܣܤܴܧܧܦ‬଴ Representation:
ܽ. ‫ ܦ‬൅ ܽ. ‫ܭ‬ோ ൅ ܽ. ‫ ܥ‬൅ ܽ. ‫,ܤ‬
ଶ
2. ‫ܥܣܤܴܧܧܦ‬଴ Representation:
‫ ܫ .݉ݏ‬൅ ݅݉. ‫ܭ‬ோ ൅ ݅݉. ‫ ܥ‬൅ ‫,ܤ .݊ݏ‬
‫݁ݎ݄݁ݓ‬
ܵ௡ ൌ |‫ܵܯ‬௉ாଵ ሺ‫ܵܦܯ‬ௌ௉ଵ ሻ| ൅ |‫ܵܯ‬ௌ௉ଶ ሺ‫ܵܦܯ‬ௌ௉ ሻ| ൅ … ൅ |‫ܵܯ‬ௌ௉௡ ሺ‫ܵܦܯ‬ௌ௉ ሻ|,
And ݀௡ ൌ |‫ܵܦܯ‬ௌ௉ଵ ሻ|.
The representation of ‫ܿܣܤܴܧܧܦ‬ଵ,௎ refers the most optimum selection choice in terms of
complexity. It is because of the minimum roles, negligible overload due to hierarchy, and no default
role assignments. Additionally, such kind of presentation illustrates complexity free model
architecture that ultimately becomes convenient. The dominant dissimilarity between the models
ଵ
ଶ
ଶ
‫ܥܣܤܴܧܧܦ‬଴ and ‫ܥܣܤܴܧܧܦ‬଴ is that is that the ‫ܥܣܤܴܧܧܦ‬଴ presentation often creates individual roles
that are in general disjoint in nature that are temporally disjoint. On the other hand the proposed
‫ ܥܣܤܴܧܧܦ‬framework representation is allied to single role for individual user with a constraint for
temporal assignment constraint.
ଶ
ଵ
In general the presentation of ‫ܥܣܤܴܧܧܦ‬଴ is same as that of ‫ܥܣܤܴܧܧܦ‬଴ in the first case.
ଶ
The representation of ‫ܥܣܤܴܧܧܦ‬଴ is better than ‫ܥܣܤܴܧܧܦ‬ଵ,௎ if theܵܲ ൌ ܵܲ௙ for all ܽ, ݂ ൌ 1
௔
with ݊ being large. The fact behind this is that the processing costs in the temporal constraints are
more than the default constraints. The original role and the new role created can be combined. If
ଶ
we look at the ‫ܥܣܤܴܧܧܦ‬଴ representation the worst case is represented by the third part which is
௡ሻ
ܱሺ2 in terms of the new roles which are created, the number of hierarchical nodes and the
temporal constraints on role, and in the default assignment the number ofܱሺ2௡ ሻ. Following
design guidelines can be visualized from the above observation:
ଵ
1. The ‫ܥܣܤܴܧܧܦ‬଴ representation is not preferable when compared to the
‫ܥܣܤܴܧܧܦ‬ଵ,௎ representation as of the several factor like number of hierarchical relations,
temporal constraints and the number of roles are less complex.
2. Since there are some common periodic expressions in both‫ܥܣܤܴܧܧܦ‬ଵ,௎ and
ଵ
‫ܥܣܤܴܧܧܦ‬଴ which may lead to the unnecessary temporal constraints.
3. If we use the representation in the cases illustrated above then it results into same periodic
constraints on the different role since the algorithm which we used ሺܷܴ_‫ݐݎ݁ݒ݊݋ܥ‬ሻ is unable
to minimize the number of constraints which is based upon the common periodic expression.
ଶ
For such complications ‫ܥܣܤܴܧܧܦ‬଴ would be a good solution.
4. In ‫ ܥܣܤܴܧܧܦ‬a small ‫ ܴܰܯ‬set is used for determining the newly created roles. But somehow
if all periodic expressions are pair wise disjoint then both the representation become
equivalent.
5. If we look at the access specification then the ‫ܥܣܤܴܧܧܦ‬ଵ,௎ representation is highly flexible.
On the basis of user-role assignment it supports the temporal constraints also in addition with
the role enabling constraints.
6. In case these all constraints are employed then the roles can be kept by enabling times fixed
in a system and the individual user requirement is expressed using that periodic constraints.
ଶ
7. Any advantage may not be offered by the ‫ܥܣܤܴܧܧܦ‬଴ representation if there are per-user-role
activation constraints. In the developed model each user is having multiple roles, if in a case
if the constraint for each user is per-user-role then during the transformed representation extra

131


steps would be required. To create a hierarchy which has strongly restricted activation
between the new roles and the original roles ‫ ܵܦܯ‬conversion process is required which is
fulfilled by ‫ ݐݎ݁ݒ݊݋ܥ_ܵܦܯ‬algorithm in developed ‫ ܥܣܤܴܧܧܦ‬module. Thus if in the
transformed representation the per-user-role is left unaltered then the per-user-role will still
be defined in original role but the new representation will still be valid as the users which are
assigned to the newer role will have to activate it explicitly but such are not so effective as
the users are assigned to original role. Thus in the presence of per-user-role constraints
ଵ
the‫ܥܣܤܴܧܧܦ‬଴ and ‫ܥܣܤܴܧܧܦ‬ଵ,௎ representations proved to be better than the 2nd level of
ଶ
‫ܥܣܤܴܧܧܦ‬଴ representation.
8. If the duration constraints on user-role assignment get replaced by the duration constraints on
role enabling then it makes it less flexible unlike the periodicity constraints. A duration
constraint on user-role assignment may get replaced but first is should be taken into
consideration that dependency semantic should not be lost.
ଶ
Thus ‫ܥܣܤܴܧܧܦ‬଴ has better complexity in some terms where as ‫ܥܣܤܴܧܧܦ‬ଵ,௎ provides the best
representation in terms of semantic clarity, higher user creation with efficient role generation and
permission, least complexity and better convenience.
i.

Activation Constraints
On the basis of expensiveness when the same set of limitations are taken into consideration,
the comparison of DEERBAC0and DEERBAC01has been made in this section. In addition to the
limitations of ‫0ܥܣܤܴܧܧܦ‬it is taken into assumption that ‫ܥܣܤܴܧܧܦ‬ଵ,஺ contains total active duration
constraints for the simplicity. In the complexity expressions the original role or any of the associated
per-role is not included.As the per-role and the original role constraints remain same throughout so,
it is not used. In terms of the minimized number of roles the ‫ܥܣܤܴܧܧܦ‬ଵ,஺ gives a better
representation among the two cases illustrated above. Activation constraints among the cases
illustrated above remains same and the common per-user-role values used in theabove case can
provide better representation than the two cases presented before. The theorem discussed next shows
how complex is the representation by using the common values.
Theorem 5 (Expression forࡰࡱࡱࡾ࡮࡭࡯૙ andࡰࡱࡱࡾ࡮࡭࡯૚ ).
Suppose if the number of users assigned to role ܴ be ݊ and the total active duration be ‫ ܯ‬ൌ
ᇱ ᇱ
ᇱ
൛݃ଵ, ݃ଶ, … , ݃௠ ⁄݃௔ ൟ and the ith user is allowed this duration over roleܴ. ‫ܯ‬௡ ൌ ൛݃ଵ, ݃ଶ, … , ݃௡, ൟ ‫ܯ ك‬is
the set of distant element ‫ .ܯ‬Suppose‫ܩ‬௠ ൌ ሺ݃ሻbe the number of time d occurs in‫ .ܯ‬The
complexities of the two representations can be explained as follows:
Representation of ࡰࡱࡱࡾ࡮࡭࡯૚,࡭
1. ሺ݉ఈ െ ݉ఉ ሻ. ‫ ܴܷܣ‬൅ ݊ఉ . ‫ ܴܣ‬൅ ܿ. ൫݄. ݉ఉ ൅ 1൯. ሺ‫ ܥ‬൅ ‫ܤ‬ሻ.
2. ‫ܥܣܤܴܧܧܦ‬଴ representation: ݉ఈ . ‫ ܴܣ‬൅ ݉ఈ . ‫ ܥ‬൅ ݉ఈ . ‫ܤ‬
Where
• ݉ఈ ൌ |‫ܯ‬௡ | ܽ݊݀ ݉ఉ ൌ |‫ܯ‬ᇱ | such that 1ሻ ‫ܯ‬ᇱ ‫ܯ ك‬௡ and 2ሻ ݂݅ ݃ ‫ܯ א‬ᇱ , ‫ܩ ݄݊݁ݐ‬௡ ሺ݃ ሻ ൐ 1.
• ݄ ൌ 1 ݂݅ ሺ݉ ൐ ݉ఈ ሻ; ݄ ൌ 0 ‫.݁ݏ݅ݓݎ݄݁ݐ݋‬
• ݀ ൌ 1 ݂݅ ሺ݉ ൐ ݉ఈ ൐ 0ሻ; ݀ ൌ 0 ‫.݁ݏ݅ݓݎ݄݁ݐ݋‬
Thus, it is clear from all the observation that the representation of ‫ܥܣܤܴܧܧܦ‬ଵ,஺ has several
advantages over the representation of‫ܥܣܤܴܧܧܦ‬଴ .
Considering these all mathematical development and system modeling with respect to the problem of
role assignment and per-user role permission, the developed ‫ ܥܣܤܴܧܧܦ‬system model presents an
optimum solution for access control system with multiple users having huge roles and even without
compromising with the security aspects of the role or users in cloud environment. The results
obtained for different user creation and respective role permission have been presented in the
132


following section and the respective analysis with respect to the time efficiency and robustness have
been given in the next section.
V.

RESULTS AND ANALYSIS

In this research work a dynamic expiration enabled role based access control “‫”ܥܣܤܴܧܧܦ‬
system has been proposed for cloud computing environment. The system model has been developed
with C# programs and Visual Basic 2010 framework. The overall system has been developed and
implemented with Amazon S3 cloud platform. The developed system has been simulated for different
performance parameters like induction of roles and user creation. The relative study for these all
factors has been performed.
Figure 3 represents the comparative graphs for role initialization and time consumed for role
assignment.

Figure: 3. User initialization with 5 role assignments

Figure: 4. User initialization with 50 role assignments
From above mentioned figure 4 it can be visualized that the user creation time increases as
per the increase in roles and even the creation time is decreasing as per increase in users from 200
counts. Comparing it with the previous results, it is clear that the ‫ ܥܣܤܴܧܧܦ‬causes higher user
generation even with minimum assignment time.
133


Figure:5. User initialization with 150 role assignments

Figure:6. User initialization with 250 role assignments

The above mentioned figures 5, 6 illustrates that the role assignment time is lower as the
cloud user counts is even increasing. In case of more users creation also the role assignment time is
lower. This characteristic illustrates that the proposed system is highly robust for higher role
assignments to more number of cloud users. The user count and the time of role assignments become
uniform after certain role counts. These characteristics exhibits that the proposed ‫ ܥܣܤܴܧܧܦ‬system
performs better for higher users count and role to be assigned in the competitive cloud environment.
Analyzing the above mentioned figures it can be found that in practical with the proposed
mechanism the user creation is more time consuming as compared to simultaneous role assignments
for multiple users. It can be analyzed that the proposed approach can be fruitful for highly efficient
role assignments even without violating the security aspects.

134


ROLE GENERATION

ROLE GENERATION (s)

70
60
50
40
30
20
10
0

10

50
150
NUMBER OF ROLES

250

Figure:7. Role generation Vs Number of Roles

EXECUTION TIME (s)

0.4

CLOUD USER CREATION
USER
INITILIZATION - 5ROLE ASSIGNMENT
ROLE
ASSIGNED PER USER

0.2

0
10

30

50
100 150
NUM CLOUD USERS

200

250

Figure: 8. Cloud role initialization for 5 roles per users

EXECUTION TIME (s)

1.5

1

CLOUD USERUSER CREATION
ROLE ASSIGNMENT
INITILIZATION - 25 ROLES
ASSIGNED PER USER

0.5

0
10

30

50
100
150
NUM CLOUD USERS

200

250

Figure: 9. Cloud role initialization fro 25 roles per users

135


ROLES
3
ASSIGNED

EXECUTION TIME (s)

4

2
1
0
10

30

50
100
150
NUM CLOUD USERS

200

250

Figure:10. Cloud user initialization for 150 roles

EXECUTION TIME (s)

10

ROLES
ASSIGNED

5

0
10

30

50
100
150
NUM CLOUD USERS

200

250

Figure: 11. Cloud user initialization for 250 roles
Considering the above mentioned figures it is clear that the proposed ‫ ܥܣܤܴܧܧܦ‬scheme
facilitates the cloud environment to perform efficiently for user-role assignments even with higher
user as well as role counts.
VI.

CONCLUSIONS

In this paper a robust system model for cloud environment called
“‫ ݈݋ݎݐ݊݋ܿ ݏݏ݁ܿܿܽ ݀݁ݏܾܽ ݈݁݋ݎ ݈ܾ݀݁ܽ݊݁ ݊݋݅ݐܽݎ݅݌ݔ݁ ܿ݅݉ܽ݊ݕܦ‬ሺ‫ܥܣܤܴܧܧܦ‬ሻ”has been developed that
considered its optimization for few dominant issues like minimality, complexity of constraints,
efficient role activation and assignments withleast threat in cloud. The developed and implemented
system has exhibited system function with high flexibility and spontaneousselection for numerous
constraints expressions. In this research work few guidelines have been proposed that could be
efficiently employed for assisting security policies in selecting more expedient and less complex
system constraintexpressions. The developed system has exhibited optimum performance for higher
count of roles per users even with minimum time duration. On the other hand a dominant
contribution of this work is the inclusion of security issues that aims to perform better in competitive
cloud environment without compromising with the security issues related to role assignments and
user creation or even user-role assignments.

136


REFERENCES
[1]
[2]
[3]
[4]
[5]
[6]

[7]
[8]
[9]
[10]
[11]

[12]
[13]
[14]
[15]

[16]
[17]
[18]
[19]
[20]
[21]

[22]

D.F. Ferraiolo, D.M. Gilbert, and N. Lynch, “An Examination of Federal and Commercial Access
Control Policy Needs,” Proc. NISTNCSC Nat’l Computer Security Conf., pp. 107-116, Sept. 1993.
J.B.D. Joshi, A. Ghafoor, W. Aref, and E.H. Spafford, “Digital Government Security Infrastructure
Design Challenges,” Computer, vol. 34, no. 2, pp. 66-72, Feb. 2001.
M. Nyanchama and S. Osborn, “The Role Graph Model and Conflict of Interest,” ACM Trans.
Information and System Security, vol. 2, no. 1, pp. 3-33, 1999.
R. Sandhu, E.J. Coyne, H.L. Feinstein, and C.E. Youman, “RoleBased Access Control Models,”
Computer, vol. 29, no. 2, pp. 38-47, Feb. 1996.
J.B.D. Joshi, W.G. Aref, A. Ghafoor, and E.H. Spafford, “Security Models for Web-Based
Applications,” Comm. ACM, vol. 44, no. 2, pp. 38-72, Feb. 2001.
S. Osborn, R. Sandhu, and Q. Munawer, “Configuring Role-Based Access Control to Enforce
Mandatory and Discretionary Access Control Policies,” ACM Trans. Information and System
Security, vol. 3, no. 2, pp. 85-106, May 2000.
R. Sandhu, “Separation of Duties in Computerized Information Systems,” Database Security IV:
Status and Prospects, pp. 179-189, 1991.
R. Simon and M.E. Zurko, “Separation of Duty in Role-Based Environments,” Proc. 10th IEEE
Computer Security Foundations Workshop, June 1997.
E. Ferrari and B. Thuraisingham, “Security and Privacy for Web Databases and Services,” Proc. Int’l
Conf. Extending Database Technology, pp. 17-28, 2004.
J.S. Park, R. Sandhu, and G.J. Ahn, “Role-Based Access Control on the Web,” ACM Trans.
Information and System Security (TISSEC), vol. 4, no. 1, pp. 37-71, Feb. 2001.
B.M. Thuraisingham, C. Clifton, A. Gupta, E. Bertino, and E. Ferrari, “Directions for Web and ECommerce Applications Security,” Proc. Int’l Workshops Enabling Technologies: Infrastructures for
Collaborative Enterprises, pp. 200-204, 2001.
J. Joshi, E. Bertino, U. Latif, and A. Ghafoor, “Generalized Temporal Role Based Access Control
Model,” IEEE Trans. Knowledge and Data Eng., vol. 17, no. 1, pp. 4-23, Jan. 2005.
V. Atluri and A. Gal, “An Authorizaion Model for Temporal and Derived Data: Securing Information
Portals,” ACM Trans. Information and System Security, vol. 5, no. 1, pp. 62-94, Feb. 2002.
E. Bertino, P.A. Bonatti, and E. Ferrari, “TRBAC: A Temporal Role-Based Access Control Model,”
ACM Trans. Information and System Security, vol. 4, no. 4, 2001.
E. Bertino, E. Ferrari, and V. Atluri, “The Specification and Enforcement of Authorization
Constraints in Workflow Management Systems,” ACM Trans. Information and System Security, vol.
2, no. 1, pp. 65-104, 1999.
J.B.D. Joshi, E. Bertino, and A. Ghafoor, “Temporal Hierarchy and Inheritance Semantics for
GTRBAC,” Proc. Seventh ACM Symp. Access Control Models and Technologies, June 2002.
J. Joshi, E. Bertino, U. Latif, and A. Ghafoor, “Generalized Temporal Role Based Access Control
Model,” IEEE Trans. Knowledge and Data Eng., vol. 17, no. 1, pp. 4-23, Jan. 2005.
G. Ahn and R. Sandhu, “Role-Based Authorization Constraints Specification,” ACM Trans.
Information and System Security, vol. 3, no. 4, Nov. 2000.
A. Kumar, N. Karnik, and G. Chafle, “Context Sensitivity in RoleBased Access Control,” ACM
SIGOPS Operating Systems Rev., vol. 36, no. 3, pp. 53-66, July 2002.
M. Niezette and J. Stevenne, “An Efficient Symbolic Representation of Periodic Time,” Proc. First
Int’l Conf. Information and Knowledge Management, 1992.
GK Srinivasa Gowda, CV Srikrishna and Kashyap Dhruve, “Measurement of End to End Delays in
Ad Hoc 802.11 Networks”, International Journal of Computer Engineering & Technology (IJCET),
Volume 4, Issue 4, 2013, pp. 100 - 115, ISSN Print: 0976 – 6367, ISSN Online: 0976 – 6375.
Ruksar Fatima, Dr.Mohammed Zafar Ali Khan, Dr. A. Govardhan and Kashyap Dhruve, “Detecting
In-Situ Melanoma using Multi Parameter Extraction and Neural Classification Mechanisms”,
International Journal of Computer Engineering & Technology (IJCET), Volume 4, Issue 1, 2013,
pp. 16 - 33, ISSN Print: 0976 – 6367, ISSN Online: 0976 – 6375.

137

50120130405015

Recommended

Recommended

More Related Content

What's hot

What's hot (18)

Viewers also liked

Viewers also liked (9)

Similar to 50120130405015

Similar to 50120130405015 (20)

More from IAEME Publication

More from IAEME Publication (20)

Recently uploaded

Recently uploaded (20)

50120130405015