DOI: 10.1145/1229285.1229305

Administration in role-based access control

Published: 20 March 2007

ABSTRACT

Administration of large-scale RBAC systems is a challenging open problem. We propose a principled approach in designing and analyzing administrative models for RBAC. We identify six design requirements for administrative models of RBAC. These design requirements are motivated by three principles for designing security mechanisms: (1) flexibility and scalability, (2) psychological acceptability, and (3) economy of mechanism. We then use these requirements to analyze several approaches to RBAC administration, including ARBAC97 [21, 23, 22], SARBAC [4, 5], and the RBAC system in the Oracle DBMS. Based on these requirements and the lessons learned in analyzing existing approaches, we design UARBAC, a new family of administrative models for RBAC that has significant advantages over existing models.

References

  1. ANSI. American national standard for information technology --- role based access control. ANSI INCITS 359-2004, Feb. 2004.
  2. R. W. Baldwin. Naming and grouping privileges to simplify security management in large databases. In Proceedings of the IEEE Symposium on Research in Security and Privacy, pages 116--132, May 1990.
  3. J. Crampton. Understanding and developing role-based administrative models. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), pages 158--167, Nov. 2005.
  4. J. Crampton and G. Loizou. Administrative scope and role hierarchy operations. In Proceedings of the Seventh ACM Symposium on Access Control Models and Technologies (SACMAT 2002), pages 145--154, June 2002.
  5. J. Crampton and G. Loizou. Administrative scope: A foundation for role-based administrative models. ACM Transactions on Information and System Security, 6(2):201--231, May 2003.
  6. D. F. Ferraiolo, R. Chandramouli, G.-J. Ahn, and S. Gavrila. The role control center: Features and case studies. In Proceedings of the Eighth ACM Symposium on Access Control Models and Technologies (SACMAT 2003), June 2003.
  7. D. F. Ferraiolo, J. A. Cugini, and D. R. Kuhn. Role-based access control (RBAC): Features and motivations. In Proceedings of the 11th Annual Computer Security Applications Conference (ACSAC '95), Dec. 1995.
  8. D. F. Ferraiolo and D. R. Kuhn. Role-based access control. In Proceedings of the 15th National Information Systems Security Conference, 1992.
  9. D. F. Ferraiolo, R. S. Sandhu, S. Gavrila, D. R. Kuhn, and R. Chandramouli. Proposed NIST standard for role-based access control. ACM Transactions on Information and System Security, 4(3):224--274, Aug. 2001.
  10. L. Giuri and P. Iglio. Role templates for content-based access control. In Proceedings of the Second ACM Workshop on Role-Based Access Control (RBAC '97), pages 153--159, Nov. 1997.
  11. A. Kern. Advanced features for enterprise-wide role-based access control. In Proceedings of the 18th Annual Computer Security Applications Conference (ACSAC 2002), pages 333--343, Dec. 2002.
  12. A. Kern, A. Schaad, and J. Moffett. An administration concept for the enterprise role-based access control model. In Proceedings of the Eighth ACM Symposium on Access Control Models and Technologies (SACMAT 2003), pages 3--11, June 2003.
  13. N. Li, J. C. Mitchell, and W. H. Winsborough. Design of a role-based trust management framework. In Proceedings of the 2002 IEEE Symposium on Security and Privacy, pages 114--130. IEEE Computer Society Press, May 2002.
  14. A. D. Marshall. A financial institution's legacy mainframe access control system in light of the proposed NIST RBAC standard. In Proceedings of the 18th Annual Computer Security Applications Conference (ACSAC 2002), pages 382--390, Dec. 2002.
  15. J. D. Moffett. Control principles and role hierarchies. In Proceedings of the Third ACM Workshop on Role-Based Access Control (RBAC 1998), Oct. 1998.
  16. J. D. Moffett and E. C. Lupu. The uses of role hierarchies in access control. In Proceedings of the Fourth ACM Workshop on Role-Based Access Control (RBAC 1999), Oct. 1999.
  17. NSA. Security Enhanced Linux. http://www.nsa.gov/selinux/.
  18. M. Nyanchama and S. Osborn. The role graph model and conflict of interest. ACM Transactions on Information and System Security, 2(1):3--33, Feb. 1999.
  19. S. Oh and R. S. Sandhu. A model for role administration using organization structure. In Proceedings of the Seventh ACM Symposium on Access Control Models and Technologies (SACMAT 2002), June 2002.
  20. J. H. Saltzer and M. D. Schroeder. The protection of information in computer systems. Proceedings of the IEEE, 63(9):1278--1308, Sept. 1975.
  21. R. S. Sandhu and V. Bhamidipati. Role-based administration of user-role assignment: The URA97 model and its Oracle implementation. Journal of Computer Security, 7, 1999.
  22. R. S. Sandhu, V. Bhamidipati, E. Coyne, S. Ganta, and C. Youman. The ARBAC97 model for role-based administration of roles: Preliminary description and outline. In Proceedings of the Second ACM Workshop on Role-Based Access Control (RBAC 1997), pages 41--50, Nov. 1997.
  23. R. S. Sandhu, V. Bhamidipati, and Q. Munawer. The ARBAC97 model for role-based administration of roles. ACM Transactions on Information and System Security, 2(1):105--135, Feb. 1999.
  24. R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman. Role-based access control models. IEEE Computer, 29(2):38--47, Feb. 1996.
  25. R. S. Sandhu and Q. Munawer. The ARBAC99 model for administration of roles. In Proceedings of the 15th Annual Computer Security Applications Conference (ACSAC 1999), pages 229--238, Dec. 1999.
  26. A. Schaad, J. Moffett, and J. Jacob. The role-based access control system of a European bank: A case study and discussion. In Proceedings of the Sixth ACM Symposium on Access Control Models and Technologies (SACMAT 2001), pages 3--9. ACM Press, May 2001.
  27. T. C. Ting. A user-role based data security approach. In C. Landwehr, editor, Database Security: Status and Prospects. Results of the IFIP WG 11.3 Initial Meeting, pages 187--208. North-Holland, 1988.
  28. H. Wang and S. L. Osborn. An administrative model for role graphs. In Proceedings of the 17th Annual IFIP WG 11.3 Working Conference on Database Security, Aug. 2003.
  29. H. F. Wedde and M. Lischka. Cooperative role-based administration. In Proceedings of the Eighth ACM Symposium on Access Control Models and Technologies (SACMAT 2003), pages 21--32. ACM Press, June 2003.
  30. H. F. Wedde and M. Lischka. Modular authorization and administration. ACM Transactions on Information and System Security (TISSEC), 7(3):363--391, Aug. 2004.

Published in: ASIACCS '07: Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, March 2007, 323 pages. ISBN: 1595935746. DOI: 10.1145/1229285.

Copyright © 2007 ACM

Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance rates: ASIACCS '07 paper acceptance rate 33 of 180 submissions (18%); overall acceptance rate 418 of 2,322 submissions (18%).
