Simulation of the Augmented Typed Access Matrix Model (ATAM) using Roles

Role-based Access Control (RBAC) is a promising alternative to traditional discretionary (DAC) and mandatory (MAC) access controls. In RBAC, permissions are associated with roles, and users are made members of roles, thereby acquiring the roles’ permissions. RBAC is policy neutral and flexible enough to accommodate diverse security policies. Access matrix models define another mechanism for enforcing security policy. The Augmented Typed Access Matrix model (ATAM), an extension of the Typed Access Matrix (TAM) model, defined by Sandhu, is well known in this class of models. ATAM is defined by introducing strong typing (i.e., each subject or object created is to be of a particular type, which thereafter does not change). ATAM is recognized as the current state of the art with respect to formal models for generalized access control policies. In this paper we formally show that ATAM can be simulated by appropriate configuration of RBAC components. Our results attest to the flexibility of RBAC and its ability to accommodate a wide range of decentralized administrative models.
