Abstract

In a multidomain application environment, it is of paramount importance for different organizations to collaborate with each other to facilitate secure interoperation. However, various types of conflicts related to access control constraints may arise as a result of integrating access control policies for individual domains, such as role inheritance violations (RIVs) and separation of duty violations (SoDVs). Current methods solve the conflicts in a centralized way by withdrawing or removing all crossdomain relationships resulting in the violations with the knowledge of all domains. However, these methods are inappropriate for large-scale systems due to their high computational complexity. In this article, we propose a distributed approach to avoid secure conflicts in a multidomain environment. We first model the role inheritance hierarchies of multiple domains as an interoperation graph. We then develop RIVs and SoDVs avoidance algorithms based on the interoperation graph and the communications among different domains. Each domain can execute the algorithms autonomously and in real time by evaluating whether its succeeding activated role can result in RIVs and SoDVs. We show that the new algorithms perform well in contrast to the existing algorithms.