Article code: 454356
Journal code: 695170
Publication year: 2009
English article: 7 pages, PDF
Full-text version: free download
English title of the ISI article
A legal information flow (LIF) scheduler based on role-based access control model
Related topics
Engineering and Basic Sciences, Computer Engineering, Computer Networks and Communications
English abstract

Information systems have to be consistent and secure in the presence of multiple conflicting transactions. The role-based access control (RBAC) model is widely used to keep information systems consistent and secure. A role represents a job function in an enterprise and is a set of access rights (permissions). Here, a subject s is allowed to issue a method op to an object o only if an access right 〈o, op〉 is included in the roles granted to the subject s. A subject is granted one or more roles and issues a transaction to multiple objects. The transaction is assigned some of the roles of the subject, which are referred to as its purpose. Even if every access request issued by every subject is authorized in the roles, illegal information flow might occur, as in the well-known confinement problem. In this paper, we define a legal information flow (LIF) relation (R1 ⪯I R2) among a pair of role families R1 and R2 to prevent illegal information flow. Here, an LIF relation R1 ⪯I R2 shows that no illegal information flow occurs if a transaction T1 with a role family R1 is performed prior to another transaction T2 with a role family R2. In addition, it is significant to discuss which transaction is to be performed prior to the other if both transactions manipulate the same object in a conflicting way. In this paper, we define a significantly precedent relation R1 ⪯s R2 among role families R1 and R2, which implies that the role family R2 is more significant than R1. Suppose a pair of transactions T1 and T2 with role families R1 and R2 issue conflicting methods op1 and op2, respectively, to an object o. If R1 ⪯s R2, op2 is performed on the object o prior to op1. The more significant a transaction is, the earlier it is performed. We discuss a legal information flow (LIF) scheduler to synchronize transactions so as to prevent illegal information flow and to serialize conflicting methods from multiple transactions in terms of the significance and information flow relations of role families. We evaluate the LIF scheduler in terms of how much illegal information flow can be prevented compared with the other scheduler.

Publisher
Database: Elsevier - ScienceDirect
Journal: Computer Standards & Interfaces - Volume 31, Issue 5, September 2009, Pages 906–912