Role-Based Access Controls: Status, Dissemination, and Prospects for Generic Security Mechanisms

E-commerce applications have diverse security requirements, ranging from business-to-business through business-to-consumer to consumer-to-consumer types of applications. This range of requirements cannot be handled adequately by a single security model, although role-based access controls (RBAC) represent a promising foundation for generic high-level security. Furthermore, RBAC is well researched but rather incompletely realized in most current backend as well as business-layer systems. Security mechanisms have often been added to existing software after the fact, causing many of the well-known deficiencies found in most software products. However, with the rise of component-based software development, security models can also be made available for reuse. Therefore, we present a general-purpose software framework providing security mechanisms such as authentication, access controls, and auditing for Java software development. The framework is called GAMMA (Generic Authorization Mechanisms for Multi-Tier Applications) and offers multiple high-level security models (including the aforementioned RBAC) that may even be used concurrently to cover security requirements as diverse as those found within e-commerce environments.
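To make the RBAC model the abstract builds on concrete, the following is an added example (not GAMMA's code or API): a minimal reference monitor in which users are assigned roles, roles are granted permissions, senior roles inherit the permissions of junior roles, a static separation-of-duty rule rejects conflicting role assignments, and every access decision is written to an audit trail. The shop roles, permission names and users are constructed for illustration.

```python
from collections import defaultdict


class Rbac:
    """Users -> roles -> permissions, with a role hierarchy and an audit trail."""

    def __init__(self):
        self.user_roles = defaultdict(set)   # user -> directly assigned roles
        self.role_perms = defaultdict(set)   # role -> directly granted permissions
        self.juniors = defaultdict(set)      # senior role -> junior roles it inherits from
        self.exclusive = set()               # frozenset pairs of roles no user may hold together
        self.audit = []                      # (user, permission, decision) records

    def grant(self, role, perm):
        self.role_perms[role].add(perm)

    def add_inheritance(self, senior, junior):
        # Refuse edges that would make the hierarchy cyclic.
        if senior == junior or senior in self.closure(junior):
            raise ValueError(f"cycle: {senior} -> {junior}")
        self.juniors[senior].add(junior)

    def add_exclusion(self, role_a, role_b):
        self.exclusive.add(frozenset((role_a, role_b)))

    def assign_user(self, user, role):
        # Static separation of duty: reject assignments that conflict with roles already held.
        for held in self.user_roles[user]:
            if frozenset((held, role)) in self.exclusive:
                raise ValueError(f"{user} may not hold both {held} and {role}")
        self.user_roles[user].add(role)

    def closure(self, role):
        """The role itself plus every role it transitively inherits from."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors.get(r, ()))
        return seen

    def effective_roles(self, user):
        roles = set()
        for r in self.user_roles.get(user, ()):
            roles |= self.closure(r)
        return roles

    def permissions(self, user):
        perms = set()
        for r in self.effective_roles(user):
            perms |= self.role_perms.get(r, set())
        return perms

    def check(self, user, perm):
        """Access decision; every decision, allowed or denied, lands in the audit trail."""
        allowed = perm in self.permissions(user)
        self.audit.append((user, perm, "ALLOW" if allowed else "DENY"))
        return allowed


def build_demo():
    # Constructed policy for a small web shop (hypothetical roles and permissions).
    rbac = Rbac()
    rbac.grant("customer", "order.create")
    rbac.grant("clerk", "order.view")
    rbac.grant("clerk", "order.ship")
    rbac.grant("manager", "order.refund")
    rbac.grant("auditor", "ledger.read")
    rbac.add_inheritance("manager", "clerk")   # manager inherits clerk's permissions
    rbac.add_exclusion("clerk", "auditor")     # nobody may be both clerk and auditor
    rbac.assign_user("alice", "manager")
    rbac.assign_user("bob", "clerk")
    rbac.assign_user("carol", "customer")
    return rbac


def demo_decisions():
    rbac = build_demo()
    decisions = {
        ("alice", "order.ship"): rbac.check("alice", "order.ship"),     # via inheritance
        ("alice", "order.refund"): rbac.check("alice", "order.refund"),
        ("bob", "order.refund"): rbac.check("bob", "order.refund"),     # clerk lacks refund
        ("carol", "order.ship"): rbac.check("carol", "order.ship"),
    }
    return decisions, rbac.audit


if __name__ == "__main__":
    for (user, perm), allowed in demo_decisions()[0].items():
        print(f"{user:6} {perm:13} {'ALLOW' if allowed else 'DENY'}")
```

The decision function is the single choke point an application calls before touching a protected resource; keeping the hierarchy acyclic and enforcing exclusions at assignment time means the runtime check stays a plain set membership test, which is what makes a generic RBAC component cheap enough to reuse across tiers.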
