Sejong Oh
Ravi Sandhu
Abstract
Role-based access control (RBAC) is a well-accepted model for access control in an enterprise environment. When we apply RBAC model to large enterprises, effective role administration is a major issue. ARBAC97 is a well-known solution for decentralized RBAC administration. ARBAC97 authorizes administrative roles by means of role ranges and prerequisite conditions, where prerequisite conditions effectively work as a restricted pool for administrative roles to pick users or permissions. Although attractive and elegant in their own right, these mechanisms have significant shortcomings. In this paper, we propose an improved role administration model named ARBAC02 to overcome the weaknesses of ARBAC97. ARBAC02 introduces the concept of organization structure for defining user and permission pools independent of roles and role hierarchies, with a refined prerequisite condition specification. In addition, we present a bottom-up approach of permission-role administration in contrast to the top-down approach in ARBAC97. As a general solution, we illustrate the applications of organization structured-based security administration with other access control models, such as access control list model and lattice-based access control model.
- Biba, K. J. 1977. Integrity Considerations for Secure Computer Systems. Mitre Corp. Report No.TR3153, Bedford, MA. (Also available through Nat'l Technical Information Service, Springfield, Va., Report No. NTIS AD--A039324.)Google Scholar
- Bell, D. E. and Lapadula, L.J. 1975. Secure Computer Systems: Mathematical Foundations and Model. Mitre Corp. Report No. M74-244, Bedford, MA. (Also available through Nat'l Technical Information Service, Springfield, VA, Report No. NTIS AD-771543.)Google Scholar
- Cramton, J. and Loizou, G. 2002. Administrative scope and role hierarchy operations. In Proceedings of the 7th ACM Symposium on Access Control Models and Technologies (SACMAT2002). Monterey, CA. Google ScholarDigital Library
- Ids share. Aris house. http://www.ids-scheer.comGoogle Scholar
- Joshi, J. B. D., Aref, W. G., Ghafoor, A., and Spafford, E. H. 2001. Security models for web-based applications. Communications of the ACM, 44, 2. Google ScholarDigital Library
- Moffett, J. D. 1998. Control principles and role hierarchies. In Proceedings of the 3rd ACM Workshop on Role-Based Access Control. Fairfax, VA. Google ScholarDigital Library
- Moffett, J. D. and Lupu, E. C. 1999. The use of role hierarchies in access control. In Proceedings of the 4th ACM Workshop on Role-Based Access Control. Fairfax, VA. Google ScholarDigital Library
- Nyanchama, M. and Osborn, S. 1999. The role graph model and conflict of interest. ACM Transactions on Information and System Security, 2, 1, 3--33. Google ScholarDigital Library
- Oh, S. and Park, S. 2001. An improved administration method on role-based access control in the enterprise environment. Journal of Information Science and Engineering 17, 921--944.Google Scholar
- Osborn, S. and Guo, Y. 2000. Modeling users in role-based access control. In Proceedings of Fifth ACM Workshop on Role-Based Access Control, 2000. Google ScholarDigital Library
- Osborn, S., Sandhu, R., and Munawer, Q. 2000. Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM Transactions on Information and System Security, 3, 2, 85--106. Google ScholarDigital Library
- Perwaiz, N. and Sommerville, I. 2001. Structured management of role-permission relationships. In Proceedings of 6th ACM Symposium on Access Control Models and Technologies. Chantilly, VA. Google ScholarDigital Library
- Sandhu, R. 1993. Lattice-Based Access Control Models. IEEE Computer, 26, 11. Google ScholarDigital Library
- Sandhu, R. and Bhamidipati, V. 1997a. The URA97 model for role-based user-role assignment. In Proceedings of IFIP WG 11.3 Workshop on Database Security. Lake Tahoe, CA. Google ScholarDigital Library
- Sandhu, R. and Bhamidipati, V. 1997b. The ARBAC97 model for role-based administration of Roles: Preliminary description and outline. In Proceedings of second ACM Workshop on Role-Based Access Control. Fairfax, VA. Google ScholarDigital Library
- Sandhu, R. and Munawer, Q. 1998. The RRA97 model for role-based administration of role hierarchy. In Proceedings of the Annual Computer Security Applications Conference. Phoenix, AZ. Google ScholarDigital Library
- Sandhu, R., Coyne, E., Feinstein H., and Youman, C. 1996. Role-based access control models. IEEE Computer, 29, 2, 38--47. Google ScholarDigital Library
- Sandhu, R. and Bhamidipati, V. 1999. Role-based administration of user-role assignment: The URA97 model and its Oracle implementation. Journal of Computer Security, 7. Google ScholarDigital Library
- Sandhu, R. and Munawer, Q. 1999. The ARBAC99 model for administration of roles. In Proceedings of the Annual Computer Security Applications Conference. Phoenix, AZ. Google ScholarDigital Library
- Sandhu, R., Bhamidipati V., and Munawer, Q. 1999. The ARBAC97 model for role-based administration of roles. ACM Transactions on Information and System Security, 2, 1, 105--135. Google ScholarDigital Library
Index Terms
- An effective role administration model using organization structure
Recommendations
A model for role administration using organization structure
SACMAT '02: Proceedings of the seventh ACM symposium on Access control models and technologiesRole-based access control (RBAC) is recognized as an excellent model for access control in an enterprise environment. In large enterprises, effective RBAC administration is a major issue. ARBAC97 is a well-known solution for decentralized RBAC ...
PBDM: a flexible delegation model in RBAC
SACMAT '03: Proceedings of the eighth ACM symposium on Access control models and technologiesRole-based access control (RBAC) is recognized as an efficient access control model for large organizations. Most organizations have some business rules related to access control policy. Delegation of authority is among these rules. RBDM0 and RDM2000 ...
Scalable RBAC model for large-scale applications with automatic user-role assignment
Access control is one of the essential security requirements of any information system. Role-based access control (RBAC) has been the most popular access control model so far. However, in-advance, manual, and time-consuming role assignment process makes ...
Comments