Symmetric RBAC model that takes the separation of duty and role hierarchies into consideration

RBAC is a family of reference models in which permissions are assigned to roles, and users are also assigned to appropriate roles. Studies on the permission-role part of RBAC model are relatively insufficient compared with those on the user-role part, and researches on symmetric RBAC models to overcome this is also in an incipient stage. Therefore there is difficulty in assigning permissions suitable for roles. This paper proposes a symmetric RBAC model that supplements the constraints on permission assignment set forth by previous studies. The proposed symmetric RBAC model reflects the conflicts of interests between roles and the sharing and integration of permissions on the assignment of permissions by presenting the constraints on permission assignment that take the separation of duties and role hierarchies into consideration. In addition, by expressing constraints prescribing prerequisite relations between permissions through AND/OR graphs, it is possible to effectively limit the complicated prerequisite relations of permissions. The constraints on permission assignment for the proposed symmetric RBAC model reduce errors in permission assignment by properly detailing rules to observe at the time of permission assignment.

[1]  Gail-Joon Ahn,et al.  Role-based authorization constraints specification using Object Constraint Language , 2001, Proceedings Tenth IEEE International Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises. WET ICE 2001.

[2]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[3]  Gail-Joon Ahn,et al.  Role-based authorization constraints specification , 2000, TSEC.

[4]  David F. Ferraiolo,et al.  On the formal definition of separation-of-duty policies and their composition , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[5]  A. Bagchi,et al.  AND/OR graph heuristic search methods , 1985, JACM.

[6]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[7]  D. Richard Kuhn,et al.  Mutual exclusion of roles as a means of implementing separation of duty in role-based access control systems , 1997, RBAC '97.

[8]  Ravi S. Sandhu,et al.  Configuring role-based access control to enforce mandatory and discretionary access control policies , 2000, TSEC.

[9]  Barbara Paech,et al.  Component-based product line engineering with UML , 2001, Addison Wesley object technology series.

[10]  Gail-Joon Ahn,et al.  Role-based access control on the web , 2001, TSEC.

[11]  Ravi S. Sandhu,et al.  The NIST model for role-based access control: towards a unified standard , 2000, RBAC '00.

[12]  David F. Ferraiolo,et al.  An Examination of Federal and Commercial Access Control Policy Needs , 1993 .

[13]  Elisa Bertino,et al.  The specification and enforcement of authorization constraints in workflow management systems , 1999, TSEC.

[14]  D. Richard Kuhn,et al.  A role-based access control model and reference implementation within a corporate intranet , 1999, TSEC.

[15]  Shwu-Yeng T. Lin,et al.  Set theory: An intuitive approach , 1973 .