Incremental Information Flow Analysis of Role Based Access Control

Role-Based Access Control (RBAC) has been widely used for expressing access control policies. Although RBAC provides flexible mechanisms to control the access to information, it does not control how the information propagates after it is obtained. Formally analyzing information flows resulting from an RBAC policy helps administrators understand the policy and detect potential flaws in the policy. Further, RBAC policies tend to evolve incrementally over time and it would be inefficient to perform analysis from scratch upon every change to the policies. Incremental analysis is useful in situations where small changes to the policy lead to small or no changes to the analysis result. In this paper, we present the first algorithms for incrementally analyzing information flows whenever a change is made to an RBAC policy. The performance results show that our incremental algorithms significantly outperform our non-incremental algorithm in terms of execution time while requiring only moderately larger disk space.
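The following sketch is an added illustration of the idea in the abstract, not the paper's algorithms. It assumes flat RBAC without a role hierarchy, and assumes that information flows from object o1 to object o2 when a single user can read o1 and write o2; the policy, names and helper functions are all constructed for the example.

```python
# Added illustration, not the paper's algorithm. Assumptions: flat RBAC (no role
# hierarchy) and "o1 flows to o2 if one user can read o1 and write o2".
from itertools import product

# Constructed sample policy: role -> permissions, user -> roles.
PA = {"clerk": {("read", "public"), ("write", "ledger")},
      "auditor": {("read", "ledger"), ("write", "report")},
      "hr": {("read", "salaries")},
      "publisher": {("write", "public")}}
UA = {"alice": {"clerk"}, "bob": {"auditor"}, "carol": {"hr"}}

def direct_flows(ua, pa):
    """Edges (src, dst) where a single user can read src and write dst."""
    edges = set()
    for roles in ua.values():
        perms = set().union(*(pa[r] for r in roles))
        reads = {o for op, o in perms if op == "read"}
        writes = {o for op, o in perms if op == "write"}
        edges |= {(s, d) for s, d in product(reads, writes) if s != d}
    return edges

def add_edge(reach, edge):
    """Extend the transitive closure `reach` in place; return the new pairs."""
    a, b = edge
    if edge in reach:          # already implied, nothing changes
        return set()
    srcs = {x for x, y in reach if y == a} | {a}
    dsts = {y for x, y in reach if x == b} | {b}
    new = {(s, d) for s, d in product(srcs, dsts) if s != d} - reach
    reach |= new
    return new

def closure(edges):
    """From-scratch baseline: transitive closure of all direct flows."""
    reach = set()
    for e in edges:
        add_edge(reach, e)
    return reach

def assign_role(ua, pa, reach, user, role):
    """Apply one policy change (grant only) and update `reach` incrementally."""
    before = direct_flows({user: ua.get(user, set())}, pa)
    ua.setdefault(user, set()).add(role)
    after = direct_flows({user: ua[user]}, pa)
    new = set()
    for e in after - before:   # only this user's newly enabled direct flows
        new |= add_edge(reach, e)
    return new
```

Granting `publisher` to `carol` makes `salaries` flow on to `public`, `ledger` and `report` without recomputing the existing closure; revocations are not handled here, because removing an edge requires checking whether each affected pair is still derivable another way.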