Abstract
Role-based access control (RBAC) is a well-accepted model for access control in an enterprise environment. When the RBAC model is applied to large enterprises, effective role administration becomes a major issue. ARBAC97 is a well-known solution for decentralized RBAC administration. ARBAC97 authorizes administrative roles by means of role ranges and prerequisite conditions, where prerequisite conditions effectively work as a restricted pool from which administrative roles pick users or permissions. Although attractive and elegant in their own right, these mechanisms have significant shortcomings. In this paper, we propose an improved role administration model named ARBAC02 to overcome the weaknesses of ARBAC97. ARBAC02 introduces the concept of organization structure for defining user and permission pools independent of roles and role hierarchies, together with a refined prerequisite condition specification. In addition, we present a bottom-up approach to permission-role administration, in contrast to the top-down approach of ARBAC97. As a general solution, we illustrate the application of organization structure-based security administration to other access control models, such as the access control list model and the lattice-based access control model.
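The contrast the abstract draws, as an added example that is not code from the paper: a URA97-style user-role assignment rule whose prerequisite condition is a conjunction over roles (so the pool of assignable users is tied to the role hierarchy) beside an ARBAC02-style rule whose prerequisite is a conjunction over organization units. The role names, organization units, hierarchical unit membership and the conjunction-only prerequisite syntax are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed role hierarchy (role -> roles it directly dominates); names are
# illustrative and not taken from the paper.
ROLE_JUNIORS = {"PL1": {"PE1", "QE1"}, "PE1": {"E1"}, "QE1": {"E1"},
                "E1": {"ED"}, "ED": set()}
# Constructed organization structure (unit -> parent unit) used as the
# ARBAC02-style user pool, independent of the role hierarchy above.
ORG_PARENT = {"ProjectA": "EngDept", "QA": "EngDept", "EngDept": "Company",
              "HR": "Company", "Company": None}

@dataclass
class User:
    name: str
    roles: set       # roles explicitly assigned to the user
    org_unit: str    # the organization unit the user belongs to

def dominated(role):
    """Return `role` plus every role junior to it in ROLE_JUNIORS."""
    seen, stack = {role}, [role]
    while stack:
        for junior in ROLE_JUNIORS.get(stack.pop(), ()):
            if junior not in seen:
                seen.add(junior)
                stack.append(junior)
    return seen

def is_member(user, role):
    # Implicit membership: holding a senior role counts as membership of its juniors.
    return any(role in dominated(r) for r in user.roles)

def in_unit(user, unit):
    # Assumption: belonging to a unit implies belonging to all of its ancestor units.
    current = user.org_unit
    while current is not None:
        if current == unit:
            return True
        current = ORG_PARENT[current]
    return False

def can_assign_arbac97(prereq, role_range, user, target):
    """URA97-style rule: prereq is a list of (role, must_be_member) conjuncts."""
    return target in role_range and all(is_member(user, r) == want for r, want in prereq)

def can_assign_arbac02(prereq, role_range, user, target):
    """ARBAC02-style rule: prereq is a list of (org_unit, must_belong) conjuncts."""
    return target in role_range and all(in_unit(user, u) == want for u, want in prereq)
```

A newly hired user with no roles yet satisfies the organization-unit prerequisite immediately, whereas under the role-based prerequisite an administrator must first place the user in the prerequisite role before any project role can be assigned.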
An effective role administration model using organization structure