DocumentCode
2190704
Title
Constraints for Permission-Based Delegations
Author
Shang, Qinghua ; Wang, Xingang
Author_Institution
Nat. Eng. Res. Center of Fundamental Software, Chinese Acad. of Sci., Beijing
fYear
2008
fDate
8-11 July 2008
Firstpage
216
Lastpage
223
Abstract
The Permission-Based Delegation Model (PBDM) is a flexible model for delegation of authority in RBAC. It supports permission-level delegation through temporary delegation roles, and it also supports multi-step delegation. However, constraints for PBDM have not been investigated in the literature, and it is not secure for a system to employ PBDM without considering constraints. We present a Constraints model for user-user Permission-Based Delegation (CPBD) to secure such systems. Delegation roles introduce violations of the security based on the constraints specified on regular roles. In CPBD, these constraints are extended to cover delegation roles through the new concept of a source regular role, and this extension ensures the security based on those constraints. Authorization constraints on delegation roles are also considered, to satisfy the security requirements of users. To give security administrators more control over delegations, constraints on permission-based delegation itself are provided, in particular maximum delegation depth and maximum delegation range.
Keywords
authorisation; authority delegation; authorization constraint; maximum delegation depth; maximum delegation range; permission-based delegation model; role based access control; security administrator; Constraints; Permission-Based Delegation Model (PBDM); RBAC;
fLanguage
English
Publisher
ieee
Conference_Titel
Computer and Information Technology Workshops, 2008. CIT Workshops 2008. IEEE 8th International Conference on
Conference_Location
Sydney, QLD
Print_ISBN
978-0-7695-3242-4
Electronic_ISBN
978-0-7695-3239-1
Type
conf
DOI
10.1109/CIT.2008.Workshops.75
Filename
4568506