Authorization algorithms for the mobility of user-role relationship

Abstract

The mobility of user-role relationship is a new feature relative to their counterparts in user-role assignments. When an administrative role assigns a role to a user with a mobile membership, this allows the user to use the permissions of the role and to be further added other roles by administrators. Immobile membership grants the user the authority to use the permissions, but does not make the user eligible for further role assignment. Two types of problems may arise in user-role assignment with the mobility of user-role relationship. One is related to authorization granting process. When a role is granted to a user, this role may be in conflict with other roles of the user or together with this role; the user may have or derive a high level of authority. Another is related to authorization revocation. When a role is revoked from a user, the user may still have the role from other roles. In this paper, we discuss granting and revocation models related to mobile and immobile memberships between users and roles, then provide proposed authorization granting, weak revocation and strong revocation algorithms that are based on relational algebra and operations. We also describe how to use the new algorithms with an anonymity scalable payment scheme. Finally, comparisons with other related work are made.