Representation and Reasoning on RBAC: A Description Logic Approach

  • Chen Zhao
  • Nuermaimaiti Heilili
  • Shengping Liu
  • Zuoquan Lin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3722)


Role-based access control (RBAC) is recognized as an excellent model for access control in large-scale networked applications. Formalization of RBAC in a logical approach makes it feasible to reason about a specified policy and verify its correctness. We propose a formalization of RBAC by the description logic language \(\mathcal{ALCQ}\). We also show that the RBAC constraints can be captured by \(\mathcal{ALCQ}\). Furthermore, we demonstrate how to make access control decision, perform the RBAC functions as well as check the consistency of RBAC via the description logic reasoner RACER.


Access Control Description Logic Access Control Policy Access Control Model Atomic Concept 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Sandhu, R., Coyne, E., Feinstein, H., Youman, C.: Role-based access control models. IEEE Computer 29, 38–47 (1996)Google Scholar
  2. 2.
    Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D.R., Chandramoli, R.: Proposed nist standard for role-based access control. ACM Transactions on Information and System Security (TISSEC) 4, 224–274 (2001)CrossRefGoogle Scholar
  3. 3.
    Koch, M., Mancini, L.V., Parisi-Presicce, F.: A formal model for role-based access control using graph transformation. In: Cuppens, F., Deswarte, Y., Gollmann, D., Waidner, M. (eds.) ESORICS 2000. LNCS, vol. 1895, pp. 122–139. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  4. 4.
    Koch, M., Mancini, L.V., Parisi-Presicce, F.: A graph-based formalism for rbac. ACM Transactions on Information and System Security (TISSEC) 5, 332–365 (2002)CrossRefGoogle Scholar
  5. 5.
    Woo, T.Y., Lam, S.S.: Authorization in distributed systems: A new approach. Journal of Computer Security 2, 107–136 (1993)Google Scholar
  6. 6.
    Abadi, M., Burrows, M., Lampson, B., Plotkin, G.: A calculus for access control in distributed systems. ACM Transactions on Programming Languages and Systems 15, 706–734 (1993)CrossRefGoogle Scholar
  7. 7.
    Massacci, F.: Reasoning about security: A logic and a decision method for role-based access control. In: Proceeding of the International Joint Conference on Qualitative and Quantitative Practical Reasoning (ECSQARU/FAPR 1997), pp. 421–435 (1997)Google Scholar
  8. 8.
    Appel, A.W., Felten, E.W.: Proof-carrying authentication. In: Proceedings of the 6th ACM Conference on Computer and Communications Security, Singapore (1999)Google Scholar
  9. 9.
    Jajodia, S., Samarati, P., Sapino, M., Subrahmanian, V.S.: Flexible support for multiple access control policies. ACM Transactions on Database Systems 26, 214–260 (2001)zbMATHCrossRefGoogle Scholar
  10. 10.
    Bacon, J., Moody, K., Yao, W.: A model of oasis role-based access control and its support for active security. ACM Transactions on Information and System Security (TISSEC) 5, 492–540 (2002)CrossRefGoogle Scholar
  11. 11.
    Bertino, E., Catania, B., Ferrari, E., Perlasca, P.: A logical framework for reasoning about access control models. ACM Transactions on Information and System Security (TISSEC) 6, 71–127 (2003)CrossRefGoogle Scholar
  12. 12.
    Crescini, V.F., Zhang, Y.: A logic based approach for dynamic access control. In: Webb, G.I., Yu, X. (eds.) AI 2004. LNCS (LNAI), vol. 3339, pp. 623–635. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  13. 13.
    Gligor, V.D., Gavrila, S.I., Ferrailolo, D.: On the formal definition of separation-of-duty policies and their composition. In: Proccedings of IEEE Symposium on Security and Privacy, Oakland, California, pp. 172–185 (1998)Google Scholar
  14. 14.
    Mossakowski, T., Drouineaud, M., Sohr, K.: A temporal-logic extension of role-based access control covering dynamic separation of duties. In: Proceedings of the 4th International Conference on Temporal Logic, pp. 83–90 (2003)Google Scholar
  15. 15.
    Ahn, G.J., Sandhu, R.: Role-based authorization constraints specification. ACM Transactions on Information and System Security (TISSEC) 3, 207–226 (2000)CrossRefGoogle Scholar
  16. 16.
    Baader, F., McGuinness, D.L., Nardi, D., Patel-Schneider, P.F.: The Description Logic Handbook: Theory, Implementation and Applications. Cambridge University Press, Cambridge (2002)Google Scholar
  17. 17.
    Giacomo, G.D., Lenzerini, M.: A uniform framework for concept definitions in description logics. Journal of Artificial Intelligence Research 6, 87–110 (1997)zbMATHMathSciNetGoogle Scholar
  18. 18.
    Schmidt-SchauB, M., Smolka, G.: Attributive concept descriptions with complements. Artifical Intelligence 48, 1–26 (1991)CrossRefGoogle Scholar
  19. 19.
    Haarslev, V., Moller, R.: RACER system description. In: Goré, R.P., Leitsch, A., Nipkow, T. (eds.) IJCAR 2001. LNCS (LNAI), vol. 2083, pp. 701–723. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  20. 20.
    Haarslev, V., Moller, R.: Description of the RACER system and its applications. In: International Workshop on Description Logics (DL 2001), Stanford, USA (2001)Google Scholar
  21. 21.
    RICE (RACER Interactive Client Environment),

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Chen Zhao
    • 1
  • Nuermaimaiti Heilili
    • 1
  • Shengping Liu
    • 1
  • Zuoquan Lin
    • 1
  1. 1.LMAM, Department of Informatics, School of Math.Peking UniversityBeijingChina

Personalised recommendations