RABAC: Role-Centric Attribute-Based Access Control

Role-based access control (RBAC) is a commercially dominant model, standardized by the National Institute of Standards and Technology (NIST). Although RBAC provides compelling benefits for security management, it has several known deficiencies, such as role explosion, wherein multiple closely related roles are required (e.g., an attending-doctor role is separately defined for each patient). Numerous extensions to RBAC have been proposed to overcome these shortcomings. Recently, NIST announced an initiative to unify and standardize these extensions by integrating roles with attributes, and identified three approaches: use attributes to dynamically assign users to roles, treat roles as just another attribute, and constrain the permissions of a role via attributes. The first two approaches have been previously studied. This paper presents a formal model for the third approach for the first time in the literature. We propose the novel role-centric attribute-based access control (RABAC) model, which extends the NIST RBAC model with permission filtering policies. Unlike prior proposals addressing the role-explosion problem, RABAC does not fundamentally modify the role concept and integrates seamlessly with the NIST RBAC model. We also define an XACML profile for RABAC based on the existing XACML profile for RBAC.
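The following is an added illustration of the third approach described in the abstract (roles stay as they are; attributes only filter the permissions a role grants). It is not the paper's formal model or its XACML profile: the user, object and attribute names (`ward`, `attending_of`, `patient`) and the two filtering predicates are constructed for the example. A single `doctor` role replaces the per-patient attending-doctor roles of the role-explosion example, and a filtering policy restricts `write` on a record to the patients the doctor actually attends.

```python
"""RBAC with attribute-based permission filtering (constructed illustration)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class Permission:
    op: str        # operation, e.g. "read"
    obj_type: str  # kind of object the operation applies to


# --- Core RBAC relations: user-role and role-permission assignment (sample data) ---
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"doctor"},
    "bob": {"nurse"},
}
ROLE_PERMS: Dict[str, Set[Permission]] = {
    "doctor": {Permission("read", "record"), Permission("write", "record"),
               Permission("prescribe", "medication")},
    "nurse": {Permission("read", "record")},
}

# --- Attributes consumed by the filtering policies (assumed attribute names) ---
USER_ATTRS: Dict[str, dict] = {
    "alice": {"ward": "cardiology", "attending_of": {"p1", "p2"}},
    "bob": {"ward": "oncology", "attending_of": set()},
}
OBJECT_ATTRS: Dict[str, dict] = {
    "rec-p1": {"type": "record", "patient": "p1", "ward": "cardiology"},
    "rec-p3": {"type": "record", "patient": "p3", "ward": "oncology"},
    "med-7": {"type": "medication", "patient": "p1"},
}

# A filtering policy is a predicate over (user attributes, object attributes).
Filter = Callable[[dict, dict], bool]


def attending_only(u: dict, o: dict) -> bool:
    """Permission survives only if the user attends the record's patient."""
    return o.get("patient") in u.get("attending_of", set())


def same_ward(u: dict, o: dict) -> bool:
    """Permission survives only if user and object belong to the same ward."""
    return u.get("ward") is not None and u.get("ward") == o.get("ward")


# Permission filtering policies, keyed by the permission they constrain.
# A permission with no entry is left exactly as plain RBAC grants it.
FILTER_POLICIES: Dict[Permission, List[Filter]] = {
    Permission("write", "record"): [attending_only],
    Permission("read", "record"): [same_ward],
}


def rbac_permissions(user: str) -> Set[Permission]:
    """Plain NIST RBAC: union of the permissions of the user's roles."""
    perms: Set[Permission] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMS.get(role, set())
    return perms


def filtered_permissions(user: str, obj_id: str) -> Set[Permission]:
    """Role-derived permissions, narrowed by the filtering policies for this object.

    Filtering can only remove permissions; it never adds one that the
    user's roles did not already grant.
    """
    u = USER_ATTRS.get(user, {})
    o = OBJECT_ATTRS.get(obj_id)
    if o is None:
        return set()
    allowed: Set[Permission] = set()
    for p in rbac_permissions(user):
        if p.obj_type != o.get("type"):
            continue  # permission is about a different kind of object
        if all(f(u, o) for f in FILTER_POLICIES.get(p, [])):
            allowed.add(p)
    return allowed


def check_access(user: str, op: str, obj_id: str) -> bool:
    """Access decision: does any surviving permission authorise `op` on the object?"""
    return any(p.op == op for p in filtered_permissions(user, obj_id))


if __name__ == "__main__":
    print("alice write rec-p1:", check_access("alice", "write", "rec-p1"))  # attends p1
    print("alice write rec-p3:", check_access("alice", "write", "rec-p3"))  # not her patient
    print("bob read rec-p3:", check_access("bob", "read", "rec-p3"))        # same ward
```

The design point to notice is the order of evaluation: role assignment and role-permission assignment are untouched, and the attribute predicates run only over the permissions a role has already granted, so `filtered_permissions` is always a subset of `rbac_permissions`. Reviewing the filter table is therefore enough to see what an attribute can take away, and nothing in the attributes can quietly widen a role.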
