Abstract
Role-based access control (RBAC) is a promising alternative to traditional discretionary and mandatory access controls. In RBAC, permissions are associated with roles, and users are made members of appropriate roles, thereby acquiring the roles' permissions. In this paper we formally show that lattice-based mandatory access controls can be enforced by appropriate configuration of RBAC components. Our constructions demonstrate that role hierarchies and constraints are required to effectively achieve this result. We show that variations of the lattice-based *-property, such as write-up (liberal *-property) and no-write-up (strict *-property), can be easily accommodated in RBAC. Our results attest to the flexibility of RBAC and its ability to accommodate different policies by suitable configuration of role hierarchies and constraints.
This research is partly supported by contract 50-DKNB-5-00188 from the National Institute of Standards and Technology at SETA Corporation, and grant CCR-9503560 from the National Science Foundation at George Mason University.
Copyright information
© 1996 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Sandhu, R. (1996). Role hierarchies and constraints for lattice-based access controls. In: Bertino, E., Kurth, H., Martella, G., Montolivo, E. (eds) Computer Security — ESORICS 96. ESORICS 1996. Lecture Notes in Computer Science, vol 1146. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-61770-1_28
DOI: https://doi.org/10.1007/3-540-61770-1_28
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-61770-9
Online ISBN: 978-3-540-70675-5
eBook Packages: Springer Book Archive