Meta-policies for distributed role-based access control systems

In this paper, meta-policies for access control policies are presented. There has been a lot of research into the various ways of specifying policy for a single domain. Such domains are autonomous and can be managed by the users or by a specific system administrator. It is often helpful to have a more general policy description in order to restrict the ways in which policy can be modified. Meta-policies fill this particular role. With their help, changes to policy can be made subject to predefined constraints. Meta-policies are long-lived and so can provide users with stable information about the policy of the system. In addition, they can provide bodies external to a domain with relevant but restricted information about its policies, so forming a basis for co-operation between domains. For example, a domain's meta-policy can function as a policy interface, thus establishing a basis for agreement on the structure of the objects accessed. In this way it is possible to build service level agreements between domains automatically.
