A composite RBAC approach for large, complex organizations

Secure and effective access control is critical to sensitive organizations, especially when multiple organizations work together using diverse systems. To alleviate the confusion and redundancy that arise in such a large, complex organization, in this paper we introduce a composite role-based access control (RBAC) approach that separates the organizational and system role structures and provides a mapping between them. This allows organizational and target-system roles, role hierarchies, role assignments, constraints, and role activations to be identified and separated explicitly, while bridging the gap between the organizational and system role structures. The composite RBAC approach supports scalable and reusable RBAC mechanisms for large, complex organizations. Our research explores the newly created Department of Homeland Security (DHS) as a large, complex organization in which the composite RBAC approach can be applied.
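The separation the abstract describes, shown as an added toy model that is not code from the paper: organizational roles carry the hierarchy and the activation constraints, each target system keeps its own role-to-permission structure, and an explicit mapping ties the two together. All role names, systems, users and the separation-of-duty constraint are constructed for illustration.

```python
# Constructed toy data: organizational roles (hierarchical) map onto per-system roles.
ORG_HIERARCHY = {"analyst_lead": {"analyst"}, "analyst": set(), "auditor": set()}
# Target-system role structures: system -> system role -> permissions.
SYSTEM_ROLES = {
    "case_db": {"reader": {"read_case"}, "editor": {"read_case", "edit_case"}},
    "logs": {"viewer": {"read_log"}},
}
# Mapping from organizational roles to (system, system role) pairs.
ORG_TO_SYSTEM = {
    "analyst": {("case_db", "reader")},
    "analyst_lead": {("case_db", "editor")},
    "auditor": {("logs", "viewer")},
}
# Assumed dynamic separation-of-duty constraint: both roles may be assigned
# to one user, but they may never be active in the same session.
MUTUALLY_EXCLUSIVE = [frozenset({"analyst", "auditor"})]
USER_ASSIGNMENTS = {"alice": {"analyst_lead"}, "bob": {"auditor", "analyst"}}

def expand_org_roles(roles):
    """Close a set of organizational roles under the role hierarchy."""
    result, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in result:
            result.add(role)
            stack.extend(ORG_HIERARCHY.get(role, ()))
    return result

def activate(user, roles):
    """Activate organizational roles for a session, enforcing constraints."""
    if not set(roles) <= USER_ASSIGNMENTS.get(user, set()):
        raise PermissionError("role not assigned to user")
    active = expand_org_roles(roles)
    for pair in MUTUALLY_EXCLUSIVE:
        if pair <= active:
            raise PermissionError(f"conflicting roles: {sorted(pair)}")
    return active

def system_permissions(active_org_roles, system):
    """Translate active organizational roles into permissions on one system."""
    perms = set()
    for org_role in active_org_roles:
        for sys_name, sys_role in ORG_TO_SYSTEM.get(org_role, ()):
            if sys_name == system:
                perms |= SYSTEM_ROLES[system][sys_role]
    return perms

def check_access(user, roles, system, permission):
    # Authorization decision for a session in which `user` activates `roles`.
    return permission in system_permissions(activate(user, roles), system)
```

Because permissions are reached only through the organizational-to-system mapping, adding a new target system means adding its role structure and mapping entries, not re-assigning every user.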