A role‐based infrastructure management system: design and implementation

Over the last decade there has been tremendous progress in the theory and practice of role‐based access control (RBAC). One of the most significant aspects of RBAC is that permissions are managed on the basis of roles rather than individual users, which reduces administrative cost and the potential for error. In many RBAC implementations, however, roles are managed on an ad hoc basis, tightly coupled to a particular system environment. This paper discusses the development of a system whose purpose is to help manage a valid set of roles, together with their assigned users and permissions, for role‐based authorization infrastructures. We have designed and implemented the system, called RolePartner. It enables role administrators to build and configure the components of an RBAC model so that organizational access control policies are embodied independently of the enforcement mechanisms that apply them; the system thus helps lay a foundation for role‐based authorization infrastructures. Three methodological constituents are introduced for this purpose, together with the design and implementation issues. The system has a role‐centric view for managing constrained and hierarchical roles as well as their assigned users and permissions. An LDAP‐accessible directory service is used as the role database. We show that the system can be seamlessly integrated with an existing privilege‐based authorization infrastructure. Copyright © 2004 John Wiley & Sons, Ltd.
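The abstract describes the RBAC components an administrator manages through a role-centric view: roles, user-role and permission-role assignments, a role hierarchy, and constraints on roles. The following Python example is added here to show those components working together; it is not RolePartner's code and it does not use the paper's LDAP role database, holding everything in memory instead. The class, method and role names (`RBAC`, `add_inheritance`, `add_ssd`, `engineer`, `purchaser`, `approver`, and the permission strings) are constructed for illustration. Two checks a role administrator would want are included: inheritance edges that would form a cycle are rejected, and a static separation-of-duty rule is evaluated over a user's authorized roles (directly assigned roles plus everything inherited), both when a user is assigned and when a new rule is added over existing assignments.

```python
from collections import defaultdict, deque


class SoDViolation(ValueError):
    """Raised when an assignment would breach a static separation-of-duty rule."""


class RBAC:
    """In-memory RBAC model with a role hierarchy and static SoD constraints.

    Hypothetical illustration only; the paper's system stores roles in an
    LDAP directory, which is replaced here by plain dictionaries.
    """

    def __init__(self):
        self.roles = set()
        self.juniors = defaultdict(set)     # senior role -> roles it inherits from
        self.role_perms = defaultdict(set)  # role -> directly granted permissions
        self.user_roles = defaultdict(set)  # user -> directly assigned roles
        self.ssd_rules = []                 # (frozenset of roles, cardinality n)

    def add_role(self, role):
        self.roles.add(role)

    def inherited_roles(self, role):
        """All roles whose permissions `role` inherits, including itself (BFS down the hierarchy)."""
        seen, queue = {role}, deque([role])
        while queue:
            for junior in self.juniors[queue.popleft()]:
                if junior not in seen:
                    seen.add(junior)
                    queue.append(junior)
        return seen

    def add_inheritance(self, senior, junior):
        """Declare that `senior` inherits every permission of `junior`."""
        for r in (senior, junior):
            if r not in self.roles:
                raise KeyError(f"unknown role {r!r}")
        # Reject cycles: the senior must not already be reachable from the junior.
        if senior in self.inherited_roles(junior):
            raise ValueError(f"inheritance {senior} -> {junior} would create a cycle")
        self.juniors[senior].add(junior)

    def grant(self, role, perm):
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.role_perms[role].add(perm)

    def authorized_roles(self, user):
        """Directly assigned roles plus every role they inherit from."""
        result = set()
        for role in self.user_roles.get(user, set()):
            result |= self.inherited_roles(role)
        return result

    @staticmethod
    def _check_rule(rule, authorized, user):
        role_set, n = rule
        held = authorized & role_set
        if len(held) >= n:
            raise SoDViolation(
                f"user {user!r} would hold {sorted(held)}; at most {n - 1} of {sorted(role_set)} allowed")

    def add_ssd(self, role_set, n):
        """Static SoD: no user may hold n or more roles of `role_set` (inherited roles count)."""
        rule = (frozenset(role_set), n)
        # Validate existing assignments first so a new rule never silently holds false.
        for user in self.user_roles:
            self._check_rule(rule, self.authorized_roles(user), user)
        self.ssd_rules.append(rule)

    def assign(self, user, role):
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        candidate = self.authorized_roles(user) | self.inherited_roles(role)
        for rule in self.ssd_rules:
            self._check_rule(rule, candidate, user)
        self.user_roles[user].add(role)

    def permissions(self, user):
        perms = set()
        for role in self.authorized_roles(user):
            perms |= self.role_perms[role]
        return perms

    def check_access(self, user, perm):
        return perm in self.permissions(user)


def build_sample():
    """Constructed sample policy: three job roles above a common 'employee' role."""
    rbac = RBAC()
    for r in ("employee", "engineer", "purchaser", "approver"):
        rbac.add_role(r)
    for senior in ("engineer", "purchaser", "approver"):
        rbac.add_inheritance(senior, "employee")
    rbac.grant("employee", "wiki:read")
    rbac.grant("engineer", "repo:commit")
    rbac.grant("purchaser", "po:create")
    rbac.grant("approver", "po:approve")
    rbac.add_ssd({"purchaser", "approver"}, 2)  # nobody may both create and approve orders
    rbac.assign("alice", "engineer")
    rbac.assign("bob", "purchaser")
    return rbac
```

With the sample policy, `check_access("alice", "wiki:read")` is true through inheritance from `employee`, and `assign("bob", "approver")` raises `SoDViolation` because `bob` already holds `purchaser`. Evaluating constraints over authorized rather than directly assigned roles matters in a hierarchy: a constraint stated on two junior roles would otherwise be bypassed by assigning a senior role that inherits both.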
