• virtualization;
  • RBAC;
  • policy conflict;
  • description logic;
  • colored petri net


In the last 10 years, virtualization has become a widespread technique in cloud computing; however, few of the access control models have ever addressed the security issue of multi-domain and virtualized network management; this paper enhanced the classic role-based access control model through two concepts: domain and virtual machine. We defined a new model named VRBAC in which authorized users can migrate or copy virtual machines from one domain to another without causing a conflict. Domain users or groups are allowed to share permissions of not only resources like shared files but also virtual machines with others either from the same or a different domain. Three kinds of VRBAC policy conflicts are defined in forms of ontologies, which provide extra access to description logic reasoning and facilitate the policy conflict detection. The experimental results based on Microsoft Active Directory and VMware vSphere suggest that all policy conflicts can be detected effectively and efficiently. Moreover, the generated reports can provide conflict details such as conflict types, positions, and causes, which will serve as guidance for further resolution of the improper authorizations and access violations. Copyright © 2014 John Wiley & Sons, Ltd.