this article we propose a standard for role-based access control (RBAC). Although RBAC models have received broad support as a generalized approach to access control, and are well recognized for their many advantages in performing large-scale authorization management, no single authoritative definition of RBAC exists today. This lack of a widely accepted model results in uncertainty and confusion about RBAC's utility and meaning. The standard proposed here seeks to resolve this situation by unifying ideas from a base of frequently referenced RBAC models, commercial products, and research prototypes. It is intended to serve as a foundation for product development, evaluation, and procurement specification. Although RBAC continues to evolve as users, researchers, and vendors gain experience with its application, we feel the features and components proposed in this standard represent a fundamental and stable set of mechanisms that may be enhanced by developers in further meeting the needs of their customers. As such, this document does not attempt to standardize RBAC features beyond those that have achieved acceptance in the commercial marketplace and research community, but instead focuses on defining a fundamental and stable set of RBAC components. This standard is organized into the RBAC Reference Model and the RBAC System and Administrative Functional Specification. The reference model defines the scope of features that comprise the standard and provides a consistent vocabulary in support of the specification. The RBAC System and Administrative Functional Specification defines functional requirements for administrative operations and queries for the creation, maintenance, and review of RBAC sets and relations, as well as for specifying system level functionality in sup...

This paper describes a unified model for role-based access control (RBAC). RBAC is a proven technology for large-scale authorization. However, lack of a standard model results in uncertainty and confusion about its utility and meaning. The NIST model seeks to resolve this situation by unifying ideas from prior RBAC models, commercial products and research prototypes. It is intended to serve as a foundation for developing future standards. RBAC is a rich and open-ended technology which is evolving as users, researchers and vendors gain experience with it. The NIST model focuses on those aspects of RBAC for which consensus is available. It is organized into four levels of increasing functional capabilities called at RBAC, hierarchical RBAC, constrained RBAC and symmetric RBAC. These levels are cumulative and each adds exactly one new requirement. An alternate approach comprising at and hierarchical RBAC in an ordered sequence and two unordered features -- constraints and symmetry -- is also presented. The paper furthermore identifies important attributes of RBAC not included in the NIST model. Some are not suitable for inclusion in a consensus document. Others require further work and agreement before standardization is feasible.

We describe in more detail than before the reference model for role-based access control introduced by Nyanchama and Osborn, and the role-graph model with its accompanying algorithms, which is one way of implementing role-role relationships. An alternative role insertion algorithm is added, and it is shown how the role creation policies of Fernandez et al. correspond to role addition algorithms in our model. We then use our reference model to provide a taxonomy for kinds of conflict. We then go on to consider in some detail privilegeprivilege and role-role conflicts in conjunction with the role graph model. We show how role-role conflicts lead to a partitioning of the role graph into nonconflicting collections that can together be safely authorized to a given user. Finally, in an appendix, we present the role graph algorithms with additional logic to disallow roles that contain conflicting privileges.

This paper examines the concept of role-based protection and, in particular, role organization. From basic role relationships, a model for role organization is developed. The role graph model, its operator semantics based on graph theory and algorithms for role administration are proposed. The role graph model, in our view, presents a very generalized form of role organization for access rights administration. It is shown how the model simulates other organizational structures such as hierarchies [TDH92] and privilege graphs [Bal90].

This paper discusses the realization of mandatory access control in role-based protection systems. Starting from the basic definitions of roles, their application in security and the basics of the concept of mandatory access control, we develop a scheme of role-based protection that realizes mandatory access control. The basis of this formulation develops from the recognition that roles can be seen as facilitating access to some given information context. By handling each of the role contexts as independent security levels of information, we simulate mandatory access by imposing the requirements of mandatory access control. Among the key considerations, we propose a means of taming Trojan horses by imposing acyclic information flow among contexts in role-based protection systems. The acyclic information flows and suitable access rules incorporate secrecy which is an essential component of mandatory access control. Keywords Security level, information flow, mandatory access control, r...

Information systems of the future will be large-scale, highly decentralized, pervasive, span organizational boundaries and evolve rapidly. Effective security in this cyberspace will require engineering authority and trust relationships across organizations and individuals. In this paper we propose the four-layer OM-AM framework for this purpose. OM-AM comprises objective, model, architecture and mechanism layers in this sequence. The objective and model (OM) layers articulate what the security objectives and tradeoffs are, while the architecture and mechanism (AM) layers address how to meet these requirements. The hyphen in OM-AM emphasizes the shift from what to how. These layers are roughly analogous to a network protocol stack with a many-to-many relationship between successive layers, and most certainly do not imply a top-down waterfall-style software engineering process. OM-AM is an excellent match to the policy-neutral and flexible nature of role-based access control (RBAC). Th...

In many collaborative systems, users can trigger the execution of commands in a process owned by another user. Unless the access rights of such processes are limited, any user in the collaboration can: (1) gain access to another's private files; (2) execute applications on another user's behalf; or (3) read public system files, such as the password file, on another user's machine. However, some applications require limited sharing of private files, so it may be desirable to grant access to these files for a specific purpose. RBAC models can be used to limit the access rights of processes, but current implementations do not enable users to flexibly control the access rights of a process at runtime. We define a discretionary access control model that enables principals to flexibly control the access rights of a collaborative process. We then specify the requirements of role-based access control models necessary to implement this discretionary access control model. 1 Introduction We exam...

Access control has been an important issue in military systems for many years and is becoming in-creasingly important in commercial systems. There are three important access control paradigms: the Bell-LaPadula model, the protection matrix model and the role-based access control model. Each of these models has its advantages and disadvantages. Partial orders play a significant part in the role-based access control model and are also important in defining the security lattice in the Bell-LaPadula model. The main goal of this thesis is to improve the understanding and specification of access control models through a rigorous mathematical approach. We examine the mathematical foundations of the role-based access control model and conclude that antichains are a fundamental concept in the model. The analytical approach we adopt enables us to identify where improvements in the administration of role-based access control could be made. We then develop a new administrative model for role-based access control based on a novel, mathematical interpretation of encapsulated ranges. We show that this model supports discretionary access control features which have hitherto been difficult to incorporate into role-based access control frameworks.

Recently, context-dependent access control mechanisms were established: Information about the state of a business process is combined with general knowledge about a person to grant or revoke access to sensitive data. Though being understood very well in principle, many different problems arise when context-dependent access control is realized for an application of practical relevance on a concrete platform. We present in this paper the implementation of context-dependent access control for a client-/server-based hospital information system. The system is WindowsNT-based and is implemented with MS Visual Basic on an MS SQL Server database. Additionally there is an Action Technology workflow system that provides the required context information. We will demonstrate how the context-dependent access control can be implemented taking into account the constraints of the given platform. Keywords Context-dependency, access control, business processes, implementation 1 INTRODUCTION In (Hol...

In recent years we have witnessed considerable efforts in the research and development of object-oriented database management systems. As object-oriented database technology matures, the availability of adequate access control mechanisms will be crucial to its commercial acceptance. In this paper we discuss discretionary access control issues in object-oriented databases. Our objective is two-fold. One objective is to survey the state of the art in access control concepts and mechanisms as reported in the relevant literature. To do this, we develop a framework to categorize access control issues. The categories include subject to object, inter-object, and intra-object access control. Wecover structural and behavioral approaches to access control. Another objective is to identify several research directions and access control issues that are beyond the scope of existing mechanisms. These include authorizations based on separation of duties and multiple approvals, the incorporation of tempora...