ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Engineering authority and trust in cyberspace: the OM-AM and RBAC way
Full text PdfPdf (728 KB)
Source Symposium on Access Control Models and Technologies archive
Proceedings of the fifth ACM workshop on Role-based access control table of contents
Berlin, Germany
Pages: 111 - 119  
Year of Publication: 2000
ISBN:1-58113-259-X
Author
Ravi Sandhu  ISE Department, MS 4A4, George Mason University, Fairfax, VA
Sponsor
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 1,   Downloads (12 Months): 22,   Citation Count: 13
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/344287.344309
What is a DOI?

ABSTRACT

Information systems of the future will be large-scale, highly decentralized, pervasive, span organizational boundaries and evolve rapidly. Effective security in this cyberspace will require engineering authority and trust retationships across organizations and individuals. In this paper we propose the four-layer OM-AM framework for this purpose. OM-AM comprises objective, model, architecture and mechanism layers in this sequence. The objective and model (OM) layers articulate whatthe security objective and tradeoffs are, while the architecture and mechanism (AM) layers address howto meet these requirements. The hyphen in OM-AM emphasizes the shift from what to how. These layers are roughly analogous to a network protocol stack with a many-to-many relationship between successive layers, and most certainly do not imply a top-down waterfall-style software engineering process. OM-AM is an excellent match to the policy-neutral and flexible nature of role-based access control (RBAC). This paper describes and motivates the OM-AM framework and presents a case study in applying it in a distributed RBAC application.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
Dep85
Department of Defense National Computer Security Center. Department of Defense Trusted Computer Systems Evaluation Criteria, December 1985. DoD 5200.28-STD.
 
Dep91
Department of Defense National Computer Security Center. Trusted Database Interpretation of the Trusted Computer Systems Evaluation Criteria, April 1991. NCSC-TG- 021.
FBK99
David F. Ferraiolo , John F. Barkley , D. Richard Kuhn, A role-based access control model and reference implementation within a corporate intranet, ACM Transactions on Information and System Security (TISSEC), v.2 n.1, p.34-64, Feb. 1999  [doi>10.1145/300830.300834]
 
FCK95
David Ferraiolo, Janet Cugini, and Richard Kuhn. Role-based access control (RBAC): Features and motivations. In Proceedings o} 11th Annual Computer Security Application Conferenee, pages 241-48, New Orleans, LA, December 11-15 1995.
 
FK92
David Ferraiolo and Richard Kuhn. Rolebased access controls. In Proceedings o} 15th NIST-NCSC National Computer Security Conference, pages 554-563, Baltimore, MD, October 13-16 1992.
 
Gui95
Luigi Guiri. A new model for role-based access control. In Proceedings of 11th Annual Computer Security Application Conference, pages 249-255, New Orleans, LA, December 11-15 1995.
LCC+75
R. Levin , E. Cohen , W. Corwin , F. Pollack , W. Wulf, Policy/mechanism separation in Hydra, Proceedings of the fifth ACM symposium on Operating systems principles, p.132-140, November 19-21, 1975, Austin, Texas, United States
 
McL94
J. McLean. Security models. In John Marciniak, editor, Encyclopedia of Software Engineering. Wiley & Sons, Inc., 1994.
 
NO95
Matunda Nyanchama , Sylvia L. Osborn, Access Rights Administration in Role-Based Security Systems, Proceedings of the IFIP WG11.3 Working Conference on Database Security VII, p.37-56, August 23-26, 1994
NO99
Matunda Nyanchama , Sylvia Osborn, The role graph model and conflict of interest, ACM Transactions on Information and System Security (TISSEC), v.2 n.1, p.3-33, Feb. 1999  [doi>10.1145/300830.300832]
 
Not94
LouAnna Notargiacomo. Architectures for MLS database management systems. In M. Abrams, S. Jajodia, and H. Podell, editors, Information Security : An Integrated Collection of Essays. IEEE Computer Society Press, 1994.
OSM00
Sylvia Osborn , Ravi Sandhu , Qamar Munawer, Configuring role-based access control to enforce mandatory and discretionary access control policies, ACM Transactions on Information and System Security (TISSEC), v.3 n.2, p.85-106, May 2000  [doi>10.1145/354876.354878]
 
PS99
Joon Park and Ravi Sandhu. Smart certificates: Extending x.509 for secure attribute services on the web. In Proceedings of 22nd NIST-NCSC National Inforrnation Systems Security Conference, Arlington, VA, October 18-21 1999.
 
PSG00
Joon S. Park , Ravi S. Sandhu , SreeLatha Ghanta, RBAC on the Web by Secure Cookies, Proceedings of the IFIP WG 11.3 Thirteenth International Conference on Database Security: Research Advances in Database and Information Systems Security, p.49-62, July 26-28, 1999
 
RS98
Chandramouli Ramaswamy and Ravi Sandhu. Role-based access control features in commercial database management systems. In Proceedings of 21st NIST-NCSC National Inforrnation Systems Security Conference, pages 503-511, Arlington, VA, October 5-8 1998.
 
SA98a
Ravi Sandhu and Gail-Joon Ahn. Decentralized group hieraches in unix: An experiment and lessons learned. In Proceedings of 21st NIST-NCSC National Inforrnation Systems Security Conference, Arlington, VA, October 5-8 1998.
 
SA98b
Ravi Sandhu and Gail-Joon Ahn. Group hierarchies with decentralized user assignment in Windows NT. In Proc. International Association of Science and Technology for Development (IASTED) Conference on Software Engineering, Las Vegas, Nevada, October 1998.
Sal74
Jerome H. Saltzer, Protection and the control of information sharing in multics, Communications of the ACM, v.17 n.7, p.388-402, July 1974  [doi>10.1145/361011.361067]
 
San93
Ravi S. Sandhu, Lattice-Based Access Control Models, Computer, v.26 n.11, p.9-19, November 1993  [doi>10.1109/2.241422]
 
San96
Ravi S. Sandhu, Role Hierarchies and Constraints for Lattice-Based Access Controls, Proceedings of the 4th European Symposium on Research in Computer Security: Computer Security, p.65-79, September 25-27, 1996
San98a
Ravi Sandhu, Role activation hierarchies, Proceedings of the third ACM workshop on Role-based access control, p.33-40, October 22-23, 1998, Fairfax, Virginia, United States  [doi>10.1145/286884.286891]
 
San98b
Ravi Sandhu. Role-based access control. In Zelkowitz, editor, Advances in Computers, Volume: 46. Academic Press, 1998.
 
SB99
Ravi Sandhu and Venkata Bhamidipati. Role-based administration of user-role assignment: The URA97 model and its Oracle implementation. The Journal of Computer Security, 1999. in press.
SBM99
Ravi Sandhu , Venkata Bhamidipati , Qamar Munawer, The ARBAC97 model for role-based administration of roles, ACM Transactions on Information and System Security (TISSEC), v.2 n.1, p.105-135, Feb. 1999  [doi>10.1145/300830.300839]
 
SCFY96
Ravi S. Sandhu , Edward J. Coyne , Hal L. Feinstein , Charles E. Youman, Role-Based Access Control Models, Computer, v.29 n.2, p.38-47, February 1996  [doi>10.1109/2.485845]
SM98
Ravi Sandhu , Qamar Munawer, How to do discretionary access control using roles, Proceedings of the third ACM workshop on Role-based access control, p.47-54, October 22-23, 1998, Fairfax, Virginia, United States  [doi>10.1145/286884.286893]
SP98
Ravi Sandhu , Joon S. Park, Decentralized user-role assignment for Web-based intranets, Proceedings of the third ACM workshop on Role-based access control, p.1-12, October 22-23, 1998, Fairfax, Virginia, United States  [doi>10.1145/286884.286887]
 
TDH92
T. C. Ting , Steven A. Demurjian , M.-Y. Hu, Requirements, Capabilities, and Functionalities of User-Role Based Security for an Object-Oriented Design Model, Results of the IFIP WG 11.3 Workshop on Database Security V: Status and Prospects, p.275-296, November 01, 1991
 
ZSS99
M. Zurko, R. Simon, and T. Sanfilippo. A user-centered modular authorization service built on an rbac foundation. In Proceedings of IEEE Symposium on Research in Security and Privacy, pages 57-71, Oakland, CA, May 1999.

CITED BY  13
Gail-Joon Ahn , Ravi Sandhu , Myong Kang , Joon Park, Injecting RBAC to secure a Web-based workflow system, Proceedings of the fifth ACM workshop on Role-based access control, p.1-10, July 26-28, 2000, Berlin, Germany
Martin Kuhlmann , Dalia Shohat , Gerhard Schimpf, Role mining - revealing business roles for security administration using data mining technology, Proceedings of the eighth ACM symposium on Access control models and technologies, June 02-03, 2003, Como, Italy
Jean Bacon , Ken Moody , Walt Yao, Access control and trust in the use of widely distributed services, Software—Practice & Experience, v.33 n.4, p.375-394, 10 April 2003
Savith Kandala , Ravi Sandhu, Secure role-based workflow models, Proceedings of the fifteenth annual working conference on Database and application security, p.45-58, July 15-18, 2001, Niagara, Ontario, Canada
Karl Fürst , Thomas Schmidt , Gerald Wippel, Managing Access in Extended Enterprise Networks, IEEE Internet Computing, v.6 n.5, p.67-74, September 2002
Jaehong Park , Ravi Sandhu, The UCONABC usage control model, ACM Transactions on Information and System Security (TISSEC), v.7 n.1, p.128-174, February 2004
Joon S. Park , Keith P. Costello , Teresa M. Neven , Josh A. Diosomito, A composite rbac approach for large, complex organizations, Proceedings of the ninth ACM symposium on Access control models and technologies, June 02-04, 2004, Yorktown Heights, New York, USA
Xiaodong Jiang , James A. Landay, Modeling Privacy Control in Context-Aware Systems, IEEE Pervasive Computing, v.1 n.3, p.59-63, July 2002
Ravi Sandhu , Xinwen Zhang, Peer-to-peer access control architecture using trusted computing technology, Proceedings of the tenth ACM symposium on Access control models and technologies, June 01-03, 2005, Stockholm, Sweden
William Claycomb , Dongwan Shin, Mobile-driven architecture for managing enterprise security policies, Proceedings of the 44th annual southeast regional conference, March 10-12, 2006, Melbourne, Florida
Xinwen Zhang , Masayuki Nakae , Michael J. Covington , Ravi Sandhu, A usage-based authorization framework for collaborative computing systems, Proceedings of the eleventh ACM symposium on Access control models and technologies, June 07-09, 2006, Lake Tahoe, California, USA
Ravi Sandhu , Kumar Ranganathan , Xinwen Zhang, Secure information sharing enabled by Trusted Computing and PEI models, Proceedings of the 2006 ACM Symposium on Information, computer and communications security, March 21-24, 2006, Taipei, Taiwan
Xinwen Zhang , Masayuki Nakae , Michael J. Covington , Ravi Sandhu, Toward a Usage-Based Security Framework for Collaborative Computing Systems, ACM Transactions on Information and System Security (TISSEC), v.11 n.1, p.1-36, February 2008

INDEX TERMS

Primary Classification:
  K. Computing Milieux
  K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS

Additional Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.0 General
          Subjects: Security and protection (e.g., firewalls)

  H. Information Systems
  H.2 DATABASE MANAGEMENT
      H.2.7 Database Administration
          Subjects: Security, integrity, and protection


General Terms:
Design, Management, Performance, Security, Standardization, Theory

Collaborative Colleagues:
Ravi Sandhu: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player