Lattice-Based Access Control Models, 1993
Cited by 944 (47 self)
The objective of this article is to give a tutorial on lattice-based access control models for computer security. The paper begins with a review of Denning's axioms for information flow policies, which provide a theoretical foundation for these models. The structure of security labels in the military and government sectors, and the resulting lattice is discussed. This is followed by a review of the Bell-LaPadula model, which enforces information flow policies by means of its simple-security and *-properties. It is noted that information flow through covert channels is beyond the scope of such access controls. Variations of the Bell-LaPadula model are considered. The paper next discusses the Biba integrity model, examining its relationship to the Bell-LaPadula model. The paper then reviews the Chinese Wall policy, which arises in a segment of the commercial sector. It is shown how this policy can be enforced in a lattice framework.
The ARBAC97 Model for Role-Based Administration of Roles: Preliminary Description and Outline, 1997
Cited by 140 (16 self)
In role-based access control (RBAC) permissions are associated with roles, and users are made members of roles thereby acquiring the roles' permissions. The motivation behind RBAC is to simplify administration. An appealing possibility is to use RBAC itself to manage RBAC, to further provide administrative convenience, especially in decentralizing administrative authority, responsibility and chores. This paper describes the motivation, intuition and outline of a new model for RBAC administration called ARBAC97 (administrative RBAC '97). ARBAC97 has three components: URA97 (user-role assignment '97), PRA97 (permission-role assignment '97) and RRA97 (role-role assignment '97). URA97 was recently defined by Sandhu and Bhamidipati [SB97]. ARBAC97 incorporates URA97, builds upon it to define PRA97 and some components of RRA97, and introduces additional concepts in developing RRA97.
Role-Based Access Control, 1997
Cited by 102 (9 self)
The basic concept of role-based access control (RBAC) is that permissions are associated with roles, and users are made members of appropriate roles thereby acquiring the roles' permissions. This idea has been around since the advent of multi-user computing. Until recently, however, RBAC has received little attention from the research community. This article describes the motivations, results and open issues in recent RBAC research. The article focuses on four areas. Firstly, RBAC is a multi-dimensional concept that can range from very simple at one extreme to quite complex and sophisticated at the other. This presents problems in coming up with a definitive model of RBAC. We see how this impasse is resolved by having a family of models which can accommodate all these variations. Secondly, we discuss how RBAC can be used to manage itself. Recent models developed for this purpose are presented. Thirdly, the flexibility of RBAC can be demonstrated in many ways. Here we show how R...
Role-based access control on the web - ACM Transactions on Information and System Security, 2001
Cited by 41 (2 self)
Current approaches to access control on Web servers do not scale to enterprise-wide systems because they are mostly based on individual user identities. Hence we were motivated by the need to manage and enforce the strong and efficient RBAC access control technology in large-scale Web environments. To satisfy this requirement, we identify two different architectures for RBAC on the Web, called user-pull and server-pull. To demonstrate feasibility, we implement each architecture by integrating and extending well-known technologies such as cookies, X.509, SSL, and LDAP, providing compatibility with current Web technologies. We describe the technologies we use to implement RBAC on the Web in different architectures. Based on our experience, we also compare the tradeoffs of the different approaches.
Role-based administration of user-role assignment: The URA97 model and its Oracle implementation, 1999
Cited by 19 (8 self)
In role-based access control (RBAC) permissions are associated with roles, and users are made members of appropriate roles thereby acquiring the roles' permissions. The principal motivation behind RBAC is to simplify administration. An appealing possibility is to use RBAC itself to manage RBAC, to further provide administrative convenience. In this paper we investigate one aspect of RBAC administration concerning assignment of users to roles. We define a role-based administrative model, called URA97 (User-Role Assignment '97), for this purpose and describe its implementation in the Oracle database management system. Although our model is quite different from that built into Oracle, we demonstrate how to use Oracle stored procedures to implement it.
Decentralized User-Role Assignment for Web-based Intranets - Proceedings of 3rd ACM Workshop on Role-Based Access Control, 1998
Cited by 19 (8 self)
The intricacy of security administration is one of the most challenging problems in large networked systems. This problem is especially serious in the Web environment, which consists of a synthesis of technologies and a composition of various constituents. Role-Based Access Control (RBAC) can reduce the complexity and cost of security administration in large networked applications. Using RBAC itself to manage RBAC provides additional administrative convenience. The main contribution of this paper is to extend the RBAC/Web system (developed at NIST) with the URA97 model for user-role assignment (developed at GMU) to decentralize the details of RBAC administration on the Web without losing central control over the system policy.
Role-Based Access Control Features in Commercial Database Management Systems, 1998
Cited by 10 (2 self)
This paper analyzes and compares role-based access control (RBAC) features supported in the most recent versions of three popular commercial database management systems: Informix Online Dynamic Server Version 7.2, Oracle Enterprise Server Version 8.0 and Sybase Adaptive Server Release 11.5. We categorize RBAC features under three broad areas: user role assignment, support for role relationships and constraints, and assignable privileges. Our finding is that these products provide a sound basis for implementing the basic features of RBAC, although there are significant differences. In particular, Informix restricts users to a single active role at any time, while Oracle and Sybase allow multiple roles to be activated simultaneously as per the user's selection. All three provide support for role hierarchies, but Sybase is the only one to directly support mutual exclusion of roles. 1 Introduction. Role-based access control (RBAC) has recently received considerable attention as a pr...
The URA97 Model for Role-Based User-Role Assignment - In Proceedings of IFIP WG 11.3 Workshop on Database Security, North-Holland, Lake Tahoe, 1997
Cited by 6 (1 self)
In role-based access control (RBAC) permissions are associated with roles, and users are made members of appropriate roles thereby acquiring the roles' permissions. The principal motivation behind RBAC is to simplify administration. An appealing possibility is to use RBAC itself to manage RBAC, to further provide administrative convenience. In this paper we introduce a role-based administrative model, called URA97 (user-role assignment '97), for assignment of users to roles.
Decentralized Group Hierarchies in UNIX: An Experiment and Lessons Learned, 1998
Cited by 5 (1 self)
Unix includes a simple group mechanism for access control. In this paper we describe an experiment to extend this mechanism in two significant ways that are valuable in managing group-based access control in large-scale systems. The goal of our experiment is to demonstrate how group hierarchies (where groups include other groups) and decentralized user-group assignment (where administrators are selectively delegated authority to assign selected users to selected groups) can be implemented by means of Unix setgid programs. In both respects the experimental goal is to implement previously published models, specifically RBAC96 for group hierarchies and URA97 for decentralized user-group assignment. Our results indicate that Unix has adequate flexibility to accommodate modern access control models to some extent, but that it also has critical limitations. The paper discusses how additional setgid based mechanisms could be implemented to make our implementation more scalable.
Decentralized User Group Assignment in Windows NT, 2000
The notion of groups in Windows NT is much like that in other operating systems. Rather than set user and file rights individually for each and every user, the administrator can give rights to various groups, then place users within those groups. Each user within a group inherits the rights associated with that group. In this paper we describe an experiment to extend the Windows NT group mechanism in two significant ways that are useful in managing group-based access control in large-scale systems. The goal of our experiment is to demonstrate how group hierarchies (where groups include other groups) and decentralized user-group assignment (where administrators are selectively delegated authority to assign certain users to certain groups) can be implemented by means of Microsoft remote procedure call (RPC) programs. In both respects the experimental goal is to implement previously published models (RBAC96 for group hierarchies and URA97 for decentralized user-group assignment). Our result...