Jason Crampton
ABSTRACT
Role-based access control and role hierarchies have generated considerable research activity in recent years.In many role-based models the role hierarchy partially determines which roles and permissions are available to users via various inheritance mechanisms.In this paper, we consider the nature of permissions more closely than is customary in the literature and propose a particular structure for permissions.We then introduce a role-based access control model that contains a novel approach to permission inheritance and illustrate how this model can be used to derive a role-based model with multi-level secure properties.We also consider the issue of redundant and consistent permission-role assignments and describe how such assignments can be avoided.
- Bell, D., and LaPadula, L. Secure computer systems: Unified exposition and Multics interpretation. Tech. Rep. MTR-2997, Mitre Corporation, Bedford, Massachusetts, 1976.Google Scholar
Cross Ref
- Crampton, J., and Loizou, G. Administrative scope: A foundation for role-based administrative models. ACM Transactions on Information and System Security 6, 2 (2003). 201--231. Google ScholarDigital Library
- Davey, B., and Priestley, H. Introduction to Lattices and Order. Cambridge University Press, Cambridge, United Kingdom, 1990.Google Scholar
- Denning, D. A lattice model of secure information flow. Communications of the ACM 19, 5 (1976), 236--243. Google ScholarDigital Library
- Ferraiolo, D., Sandhu, R., Gavrila, S., Kuhn, D., and Chandramouli, R. Proposed NIST standard for role-based access control. ACM Transactions on Information and System Security 4, 3 (2001), 224--274. Google ScholarDigital Library
- Gavrila, S., and Barkley, J. Formal specification for role based access control user/role and role/role relationship management. In Proceedings of Third ACM Workshop on Role-Based Access Control (Fairfax, Virginia, 1998), pp. 81--90. Google ScholarDigital Library
- Goh, C., and Baldwin, A. Towards a more complete model of role. In Proceedings of Third ACM Workshop on Role-Based Access Control (Fairfax, Virginia, 1998), pp. 55--61. Google ScholarDigital Library
- Kuhn, D. Mutual exclusion of roles as a means of implementing separation of duty in role-based access control systems. In Proceedings of Second ACM Workshop on Role-Based Access Control (Fairfax, Virginia, 1997), pp. 23--30. Google ScholarDigital Library
- Kuhn, D. Role based access control on MLS systems without kernel changes. In Proceedings of Third ACM Workshop on Role-Based Access Control (Fairfax, Virginia, 1998), pp. 25--35. Google ScholarDigital Library
- McLean, J. Security models. In Encyclopedia of Software Engineering, J. Marciniak, Ed. John Wiley & Sons, 1994.Google Scholar
- Moffett, J., and Lupu, E. The uses of role hierarchies in access control. In Proceedings of Fourth ACM Workshop on Role-Based Access Control (Fairfax, Virginia, 1999), pp. 153--160. Google ScholarDigital Library
- Nyanchama, M., and Osborn, S. The role graph model and conflict of interest. ACM Transactions on Information and System Security 2, 1 (1999), 3--33. Google ScholarDigital Library
- Osborn, S., Sandhu, R., and Munawer, Q. Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM Transactions on Information and System Security 3, 2 (2000), 85--106. Google ScholarDigital Library
- Sandhu, R. Role hierarchies and constraints for lattice-based access controls. In Proceedings of Fourth European Symposium on Research in Computer Security (Rome, 1996), pp. 65--79. Google ScholarDigital Library
- Sandhu, R., Bhamidipati, V., and Munawer, Q. The ARBAC97 model for role-based administration of roles. ACM Transactions on Information and System Security 1, 2 (1999), 105--135. Google ScholarDigital Library
- Sandhu, R., Coyne, E., Feinstein, H., and Youman, C. Role-based access control models. IEEE Computer 29, 2 (1996), 38--47. Google ScholarDigital Library
Index Terms
- On permissions, inheritance and role hierarchies
Recommendations
Practical Role-Based Access Control
This article presents access control from a general and a role-based perspective. The article's focus is role based Access Control from a practical vice a theoretical perspective. The article starts with some access control definitions and two secure ...
Configuring role-based access control to enforce mandatory and discretionary access control policies
Access control models have traditionally included mandatory access control (or lattice-based access control) and discretionary access control. Subsequently, role-based access control has been introduced, along with claims that its mechanisms are general ...
Delegation in role-based access control
User delegation is a mechanism for assigning access rights available to one user to another user. A delegation can either be a grant or transfer operation. Existing work on delegation in the context of role-based access control models has extensively ...
Comments