Role-Based Access Control (RBAC) [1] is a standardized model that assigns permissions to users indirectly, via user roles. We follow the proposal of Chae and Shiri [2] to introduce a hierarchy of object classes, in addition to the hierarchy of user roles, along which permissions are inherited. This makes sense because, for example, in file systems the inheritance of permissions along the directory tree is common. Different formalizations are suitable for RBAC, Description Logics in particular. Description Logic (DL) [3] systems provide their users with inference services that deduce implicit knowledge from the explicitly represented knowledge. The proposal by Chae and Shiri [2] is based on DL but has several flaws, which we want to fix with this paper. The authors apply essential properties of DL incorrectly and do not respect DL semantics, do not use ABox assertions correctly, omit a discussion of the open world assumption, and obtain wrong results with their running example. For a more detailed discussion of these issues, please refer to [4].
[1] Jan Hladik, et al. RBAC Authorization Decision with DL Reasoning. 2008.
[2] Diego Calvanese, et al. The Description Logic Handbook: Theory, Implementation, and Applications. Description Logic Handbook, 2003.
[3] Ravi S. Sandhu, et al. The NIST model for role-based access control: towards a unified standard. RBAC '00, 2000.
[4] Ian Horrocks, et al. The Even More Irresistible SROIQ. KR, 2006.
[5] Nematollaah Shiri, et al. Formalization of RBAC Policy with Object Class Hierarchy. ISPEC, 2007.
[6] Sebastian Rudolph, et al. All Elephants are Bigger than All Mice. Description Logics, 2008.