ROBAC: Scalable Role and Organization Based Access Control Models

In RBAC, roles are typically created based on job functions inside an organization. Traditional RBAC does not scale up well for modeling security policies that span multiple organizations. To solve this problem, a family of extended RBAC models called role and organization based access control (ROBAC) models is proposed and formalized in this paper. Two examples are used to motivate and demonstrate the usefulness of ROBAC. A comparison between ROBAC and other related RBAC models is given. We show that ROBAC can significantly reduce administration complexity for Web and Internet-based applications involving a large number of organizations. Some administrative issues for ROBAC are identified and discussed. Although the theoretical expressive power of ROBAC is the same as that of RBAC, ROBAC is more succinct and intuitive to use than RBAC when applications involve many organizations.
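The administration-complexity claim above can be made concrete with a small model. The following is an added illustration, not code from the paper and not its formal ROBAC definition: it contrasts a flat RBAC policy, where every partner organization needs its own copy of each job-function role, with a simplified role-plus-organization policy where roles stay organization-neutral and the organization is bound at user-assignment time. The class names, the `job_functions`/`orgs` data and the three-bank scenario are constructed for this example.

```python
# Added example: a simplified model of the RBAC-vs-ROBAC administration gap.
# It is not the paper's formalization; all policy data below is constructed.


class FlatRBAC:
    """Traditional RBAC with one role per (job function, organization)."""

    def __init__(self, job_functions, orgs):
        self.job_functions = dict(job_functions)  # name -> set of permission names
        self.roles = {}                           # "function@org" -> set of (permission, org)
        self.assignments = {}                     # user -> set of role names
        for org in orgs:
            self.add_organization(org)

    def add_organization(self, org):
        """Onboarding an organization mints one new role per job function and
        re-enters every permission assignment for that organization."""
        for func, perms in self.job_functions.items():
            self.roles[f"{func}@{org}"] = {(p, org) for p in perms}

    def assign(self, user, func, org):
        self.assignments.setdefault(user, set()).add(f"{func}@{org}")

    def check(self, user, perm, org):
        return any((perm, org) in self.roles[r]
                   for r in self.assignments.get(user, ()))

    def role_count(self):
        return len(self.roles)

    def permission_assignment_count(self):
        return sum(len(pa) for pa in self.roles.values())


class SimpleROBAC:
    """Role + organization: roles are organization-neutral; the organization
    is bound when a user is assigned and checked alongside the role."""

    def __init__(self, job_functions, orgs):
        self.roles = {f: set(p) for f, p in job_functions.items()}
        self.orgs = set()
        self.assignments = {}  # user -> set of (role, org) pairs
        for org in orgs:
            self.add_organization(org)

    def add_organization(self, org):
        """Onboarding an organization only registers it: no new roles, no new
        permission assignments."""
        self.orgs.add(org)

    def assign(self, user, role, org):
        if role not in self.roles or org not in self.orgs:
            raise KeyError(f"unknown role/org: {role}/{org}")
        self.assignments.setdefault(user, set()).add((role, org))

    def check(self, user, perm, org):
        # The organization boundary is enforced here: a manager of bank_a
        # holds no permissions in bank_b even though the role is shared.
        return any(o == org and perm in self.roles[r]
                   for r, o in self.assignments.get(user, ()))

    def role_count(self):
        return len(self.roles)

    def permission_assignment_count(self):
        return sum(len(p) for p in self.roles.values())


# Constructed sample policy: two job functions, three partner organizations.
JOB_FUNCTIONS = {
    "teller": {"view_account", "deposit"},
    "manager": {"view_account", "deposit", "approve_loan"},
}
ORGS = ["bank_a", "bank_b", "bank_c"]


def build_both(job_functions=JOB_FUNCTIONS, orgs=ORGS):
    """Build both models over the same policy with the same two users."""
    rbac = FlatRBAC(job_functions, orgs)
    robac = SimpleROBAC(job_functions, orgs)
    for model in (rbac, robac):
        model.assign("alice", "manager", "bank_a")
        model.assign("bob", "teller", "bank_b")
    return rbac, robac


def compare_growth(n_orgs, job_functions=JOB_FUNCTIONS):
    """Return (rbac_roles, robac_roles) after onboarding n_orgs organizations."""
    orgs = [f"org{i}" for i in range(n_orgs)]
    return (FlatRBAC(job_functions, orgs).role_count(),
            SimpleROBAC(job_functions, orgs).role_count())


if __name__ == "__main__":
    rbac, robac = build_both()
    print("roles needed:", rbac.role_count(), "vs", robac.role_count())
    for n in (3, 30, 300):
        print(n, "organizations ->", compare_growth(n))
    print(robac.check("alice", "approve_loan", "bank_a"),
          robac.check("alice", "approve_loan", "bank_b"))
```

Both models answer every access question identically, which mirrors the paper's point that expressive power is unchanged; what differs is the size of the policy an administrator maintains. With flat RBAC the role count and the permission-assignment count grow linearly with the number of organizations, so onboarding the 300th partner means creating and reviewing another full set of roles, whereas in the role-plus-organization model the role set stays fixed and onboarding is a single registration.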
