CFP last date
20 January 2025
Reseach Article

Enhanced Role based Access Control: Integrating Auditing and Authentication

by Kriti, Indu Kashyap
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 72 - Number 2
Year of Publication: 2013
Authors: Kriti, Indu Kashyap
10.5120/12465-8833

Kriti, Indu Kashyap . Enhanced Role based Access Control: Integrating Auditing and Authentication. International Journal of Computer Applications. 72, 2 ( June 2013), 15-22. DOI=10.5120/12465-8833

@article{ 10.5120/12465-8833,
author = { Kriti, Indu Kashyap },
title = { Enhanced Role based Access Control: Integrating Auditing and Authentication },
journal = { International Journal of Computer Applications },
issue_date = { June 2013 },
volume = { 72 },
number = { 2 },
month = { June },
year = { 2013 },
issn = { 0975-8887 },
pages = { 15-22 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume72/number2/12465-8833/ },
doi = { 10.5120/12465-8833 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Journal Article
%1 2024-02-06T21:36:50.286220+05:30
%A Kriti
%A Indu Kashyap
%T Enhanced Role based Access Control: Integrating Auditing and Authentication
%J International Journal of Computer Applications
%@ 0975-8887
%V 72
%N 2
%P 15-22
%D 2013
%I Foundation of Computer Science (FCS), NY, USA
Abstract

In past decade lot of research has been done in RBAC (Role Based Access Control) technology. The industries have also shown great interest in RBAC. Most of the IT vendors are offering products that incorporate some form of RBAC. Today, all major DBMS products support RBAC. RBAC provides easier management of permissions in an organization and hence is most widely used model to control access of legitimate users. However research shows that access control is not a complete solution for securing a database. Most of the breaches are done by insiders. So, access control system must be incorporated with other mechanisms that provide more features than just controlling access of users. Auditing is such a mechanism that can log all the transactions occurring on the database and based on this log an analysis can be done. Auditing is well effective when we have good authentication. Authentication processes are vulnerable to SQL Injection attacks. This paper proposes an enhanced model that increases the capability of RBAC model by integrating Auditing and Authentication in simplest ways. In this way this model not only provides the features of RBAC but also handles common issues of database security.

References
  1. Sandhu, Ravi, David Ferraiolo, and Richard Kuhn, The NIST model for role-based access control: Towards a unified standard. Symposium on Access Control Models and Technologies, Proceedings of the fifth ACM workshop on Role-based access control, Volume 26, No. 28, 2000, pp. 47- 63.
  2. Li N. , J. Byun, and E. Bertino, A critique of the ANSI standard on role-based access control, Security & Privacy, IEEE Volume. 5, no. 6, 2007, pp. 41-49.
  3. R. Sandhu and E. J. Coyne, Role-Based Access Control Models, IEEE Computer, 1996, pp. 38-47.
  4. R. Sandhu and P. Samarati, Access Control: Principles and Practice, IEEE, Communications Magazine, 1994, pp. 40-48.
  5. ANSI, American national standard for information technology – role based access control. ANSI INCITS 359-2004, February 2004.
  6. S. L. Osborn, Role- Based Access Control, Springer, Security, Privacy, and Trust in Modern Data Management, 2007, pp. 55-70.
  7. R. Sandhu, E. J. Coyne H. L. Feinstein and C. E. Youman, Role – Based Access Control Models, IEEE Computer, Volume 29, No. 2, February 1996, pp. 38-47.
  8. D. F. Ferraiolo and R. Kuhn, Role – Based Access Control, 15th National Computer Security Conference, Baltimore, 1992, pp. 554-563.
  9. S. Tripathi and P. Zehnde, Surveys on Vulnerabilities, Threats and Security Methods of DBMS, 3rd Biennial National Conference on Nascent Technologies, 2012, pp. 39-44.
  10. San-Tsai Sun, Ting Han Wei, Stephen Liu, and Sheung Lau, Classification of SQL Injection Attacks, University of British Columbia, 2007, pp. 1-6.
  11. Halfond, W. G. , Jeremy Viegas, and Alessandro Orso, A classification of SQL-injection attacks and countermeasures, In Proceedings of the IEEE International Symposium on Secure Software Engineering, Arlington, VA, USA, 2006, pp. 1-11.
  12. S. Kost, An Introduction to SQL Injection Attacks for Oracle Developers, Integrity Corporation, March 2007, pp. 5-25.
  13. S. Thomas , L. Williams and Tao Xie, On Automated Prepared Statement to remove SQL Injection Vulnerabilities, Elsevier, Information & Software Technology, No. 51, 2009, pp. 589-598.
  14. R. P. Mahapatra and S. Khan, A Survey Of Sql Injection Countermeasures, International Journal of Computer Science & Engineering Survey (IJCSES), Volume 3, No. 3, June 2012, pp. 55-74.
  15. Z. Raveshi, S. R. Idate, Investigation and Analysis of SQL Injection Attacks on Web Applications: Survey, International Journal of Engineering and Advanced Technology (IJEAT), Volume-2, Issue-3 February 2013, pp. 182-187.
  16. J. Woo, S. Lee, C. Zoltowiski, Database Auditing.
  17. DB Audit for Oracle, Microsoft SQL Server, Sybase ASE, Sybase ASA, and IBM DB2, SoftTree Technologies.
  18. T. Bednar, Oracle Database Auditing: Performance Guidelines, An Oracle White Paper, August 2010.
  19. Oracle Database, PL/SQL Packages and Types Reference, 10g Release 2 (10. 2), B14258-02, pp. 40(1) – 40(13).
Index Terms

Computer Science
Information Sciences

Keywords

RBAC Auditing SQL Injection DBMS_FGA Authentication Prepared Statements