On the increasing importance of constraints

In this paper, we examine how the addition of role-based access control (RBAC) model features affects the complexity of RBAC constraint models. Constraints are used in RBAC models to restrict the assignment of permissions and principals to roles (among other things). Historically, it was assumed that role assignments would change rather infrequently, so only a few constraints were necessary. With new RBAC features, such as context-sensitive roles, the complexity of the restrictions that can be required is increasing because role definitions may depend on application state. As application state changes, so do the role assignments. We examine the RBAC constraint problem using an example of a virtual university. Based on our experience with this example, we propose RBAC model features for simplifying the representation of constraints.
