Using Role-Templates for Handling Recurring Role Structures

Role-based access controls (RBAC) have been proposed as a design and implementation approach to discretionary access controls (DAC) that is better suited to the requirements of commercial enterprise environments. Among its advantages are centralized security administration, separation of duty and least privilege. However, enterprises commonly contain recurring sub-structures such as departments and projects that the available concepts for role-hierarchies cannot yet handle adequately. We therefore propose an additional mechanism for administering role-hierarchies, called role-templates. A role-template specifies a generic sub-hierarchy (e.g. a department role-hierarchy) that can be instantiated for each department of the enterprise, automatically generating a concrete role-hierarchy for that particular department. Furthermore, role-templates may be specialized and may have aggregations and associations to other templates, which makes the concept more flexible and semantically expressive. The proposed ideas will be implemented as a prototype within OASIS (Open Architecture Security for Information Systems), which deals with enterprise-wide security and therefore demands highly configurable access controls for multiple heterogeneous information systems.
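To make the template-instantiation idea concrete, the following is an added illustration in Python; it is not the paper's OASIS prototype and the template/specialization operators (`RoleTemplate`, `specialize`, `instantiate`), the `{dept}` permission placeholder and the sample department templates are all constructed assumptions. A generic department sub-hierarchy is instantiated once for each department, a specialized template adds a role to the generic one, and the resulting concrete hierarchy is queried for effective permissions, which also shows that one department's roles do not leak into another's.

```python
"""Role-templates: a generic department sub-hierarchy instantiated once per
department. Added illustration; not the paper's OASIS prototype code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleTemplate:
    """A generic sub-hierarchy (assumed representation). `juniors` maps each
    template role to the roles directly below it, whose permissions it
    inherits; `permissions` maps a role to its directly assigned permissions,
    with `{dept}` as a placeholder filled in at instantiation."""
    name: str
    juniors: dict
    permissions: dict


class RoleHierarchy:
    """Concrete enterprise role hierarchy with permission inheritance."""

    def __init__(self):
        self.juniors = {}      # concrete role -> set of directly junior roles
        self.permissions = {}  # concrete role -> set of direct permissions

    def add_role(self, role, perms=()):
        self.juniors.setdefault(role, set())
        self.permissions.setdefault(role, set()).update(perms)

    def reachable(self, role):
        """All roles whose permissions `role` inherits (itself included)."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors[r])
        return seen

    def add_inheritance(self, senior, junior):
        # Refuse cycles: every role on a cycle would collapse into one role.
        if senior in self.reachable(junior):
            raise ValueError(f"{senior} -> {junior} would create a cycle")
        self.juniors[senior].add(junior)

    def effective_permissions(self, role):
        return set().union(*(self.permissions[r] for r in self.reachable(role)))

    def has_permission(self, role, perm):
        return perm in self.effective_permissions(role)


def specialize(base, name, extra_juniors, extra_permissions):
    """Derive a more specific template from a base template (hypothetical
    specialization operator: it adds roles, edges and permissions, removes none)."""
    juniors = {r: tuple(js) for r, js in base.juniors.items()}
    for r, js in extra_juniors.items():
        juniors[r] = juniors.get(r, ()) + tuple(js)
    perms = {r: tuple(ps) for r, ps in base.permissions.items()}
    for r, ps in extra_permissions.items():
        perms[r] = perms.get(r, ()) + tuple(ps)
    return RoleTemplate(name, juniors, perms)


def instantiate(template, dept, hierarchy):
    """Generate the concrete sub-hierarchy for one department: template role
    'manager' instantiated for 'Sales' becomes the concrete role 'Sales.manager'."""
    concrete = {r: f"{dept}.{r}" for r in template.juniors}
    for r, c in concrete.items():
        hierarchy.add_role(c, (p.format(dept=dept)
                               for p in template.permissions.get(r, ())))
    for senior, js in template.juniors.items():
        for junior in js:
            hierarchy.add_inheritance(concrete[senior], concrete[junior])
    return concrete


# Constructed sample templates (not taken from the paper).
DEPARTMENT = RoleTemplate(
    "Department",
    juniors={"manager": ("clerk",), "clerk": ()},
    permissions={"manager": ("approve:{dept}/budget",),
                 "clerk": ("read:{dept}/files",)},
)
RND_DEPARTMENT = specialize(
    DEPARTMENT, "RnDDepartment",
    extra_juniors={"manager": ("researcher",), "researcher": ("clerk",)},
    extra_permissions={"researcher": ("write:{dept}/labnotes",)},
)


def build_enterprise():
    """Two departments from two templates plus one enterprise-level role that
    is senior to every department manager (assumed enterprise structure)."""
    h = RoleHierarchy()
    instantiate(DEPARTMENT, "Sales", h)
    instantiate(RND_DEPARTMENT, "RnD", h)
    h.add_role("Enterprise.controller")
    for dept in ("Sales", "RnD"):
        h.add_inheritance("Enterprise.controller", f"{dept}.manager")
    return h


if __name__ == "__main__":
    h = build_enterprise()
    for role in ("Sales.manager", "RnD.manager", "Enterprise.controller"):
        print(role, sorted(h.effective_permissions(role)))
```

Because permissions are generated from the template with the department name substituted, `Sales.manager` never obtains rights on RnD resources, and the cycle check in `add_inheritance` keeps an instantiated or manually extended hierarchy a partial order, which is what makes least privilege reviewable per role.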
