Configuring role-based access control to enforce mandatory and discretionary access control policies

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Configuring role-based access control to enforce mandatory and discretionary access control policies

Full text

Pdf (138 KB)

Source

ACM Transactions on Information and System Security (TISSEC) archive
Volume 3 , Issue 2 (May 2000) table of contents

Pages: 85 - 106

Year of Publication: 2000

ISSN:1094-9224

Authors

Sylvia Osborn	Univ. of Western Ontario, London, Ont., Canada
Ravi Sandhu	George Mason Univ., Fairfax, VA
Qamar Munawer	George Mason Univ., Fairfax, VA

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 18, Downloads (12 Months): 270, Citation Count: 59

Additional Information:

abstract references cited by index terms review collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/354876.354878 What is a DOI?

ABSTRACT

Access control models have traditionally included mandatory access control (or lattice-based access control) and discretionary access control. Subsequently, role-based access control has been introduced, along with claims that its mechanisms are general enough to simulate the traditional methods. In this paper we provide systematic constructions for various common forms of both of the traditional access control paradigms using the role-based access control (RBAC) models of Sandhu et al., commonly called RBAC96. We see that all of the features of the RBAC96 model are required, and that although for the manatory access control simulation, only one administrative role needs to be assumed, for the discretionary access control simulations, a complex set of administrative roles is required.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	BELL, D. 1987. Secure computer systems: A network interpretation. In Proceedings on 3rd Annual Computer Security Application Conference. 32-39.
	2	CLARK,D.AND WILSON, D. 1987. A comparison of commercial and military computer security policies. In Proceedings of IEEE Symposium on Security and Privacy (Oakland, CA, May). 184-194.
	3	Dorothy E. Denning, A lattice model of secure information flow, Communications of the ACM, v.19 n.5, p.236-243, May 1976 [doi>10.1145/360051.360056]
	4	GRAHAM,G.AND DENNING, P. 1972. Protection-principles and practice. In Proceedings on AFIPS Spring Joint Computer Conference. AFIPS Press, Arlington, VA, 417-429.
	5	LAMPSON, B. 1974. Protection. In Proceedings of the 5th Symposium on Information Sciences and Systems (Princeton, NJ, Mar.). 437-443.
	6	LEE, T. 1988. Using mandatory integrity to enforce "commercial" security. In Proceedings of IEEE Symposium on Security and Privacy (Oakland, CA). 140-146.
	7	Qamar Munawer , Ravi S. Sandhu, Administrative models for role-based access control, 2000
	8	Matunda Nyanchama , Sylvia L. Osborn, Access Rights Administration in Role-Based Security Systems, Proceedings of the IFIP WG11.3 Working Conference on Database Security VII, p.37-56, August 23-26, 1994
	9	Matunda Nyanchama , Sylvia Osborn, Modeling mandatory access control in role-based security systems, Proceedings of the ninth annual IFIP TC11 WG11.3 working conference on Database security IX : status and prospects: status and prospects, p.129-144, January 1996, Rennselaerville, New York, United States
	10	Matunda Nyanchama , Sylvia Osborn, The role graph model and conflict of interest, ACM Transactions on Information and System Security (TISSEC), v.2 n.1, p.3-33, Feb. 1999 [doi>10.1145/300830.300832]
	11	Sylvia Osborn, Mandatory access control and role-based access control revisited, Proceedings of the second ACM workshop on Role-based access control, p.31-40, November 06-07, 1997, Fairfax, Virginia, United States [doi>10.1145/266741.266751]
	12	Sylvia L. Osborn , Laura K. Reid , Gregory J. Wesson, On the interaction between role-based access control and relational databases, Proceedings of the tenth annual IFIP TC11/WG11.3 international conference on Database security: volume X : status and prospects: status and prospects, p.275-287, January 1997, Como, Italy
	13	Ravi S. Sandhu, Lattice-Based Access Control Models, Computer, v.26 n.11, p.9-19, November 1993 [doi>10.1109/2.241422]
	14	Ravi S. Sandhu, Role Hierarchies and Constraints for Lattice-Based Access Controls, Proceedings of the 4th European Symposium on Research in Computer Security: Computer Security, p.65-79, September 25-27, 1996
	15	Ravi Sandhu , Venkata Bhamidipati , Qamar Munawer, The ARBAC97 model for role-based administration of roles, ACM Transactions on Information and System Security (TISSEC), v.2 n.1, p.105-135, Feb. 1999 [doi>10.1145/300830.300839]
	16	Ravi S. Sandhu , Edward J. Coyne , Hal L. Feinstein , Charles E. Youman, Role-Based Access Control Models, Computer, v.29 n.2, p.38-47, February 1996 [doi>10.1109/2.485845]
	17	Ravi Sandhu , Qamar Munawer, How to do discretionary access control using roles, Proceedings of the third ACM workshop on Role-based access control, p.47-54, October 22-23, 1998, Fairfax, Virginia, United States [doi>10.1145/286884.286893]
	18	SANDHU,R.AND SAMARATI, P. 1994. Access control: Principles and practice. IEEE Commun. Mag. 32,9,40-48.
	19	SANDHU,R.S.AND SAMARATI, P. 1997. Authentication, access control and intrusion detection. In The Computer Science and Engineering Handbook, A. B. Tucker, Ed. CRC Press, Inc., Boca Raton, FL, 1929-1948.
	20	SCHOCKLEY, W. 1988. Implementing the Clark/Wilson integrity policy using current technology. In Proceedings of the 11th National Computer Security Conference (NIST-NCSC, Baltimore, Maryland, Oct.17-20). National Institute of Standards and Technology, Gaithersburg, MD, 29-37.

CITED BY 59

	Ravi Sandhu , David Ferraiolo , Richard Kuhn, The NIST model for role-based access control: towards a unified standard, Proceedings of the fifth ACM workshop on Role-based access control, p.47-63, July 26-28, 2000, Berlin, Germany
	James B. D. Joshi , Basit Shafiq , Arif Ghafoor , Elisa Bertino, Dependencies and separation of duty constraints in GTRBAC, Proceedings of the eighth ACM symposium on Access control models and technologies, June 02-03, 2003, Como, Italy
	Roberto Di Pietro , Luigi V. Mancini, Security and privacy issues of handheld and wearable wireless devices, Communications of the ACM, v.46 n.9, p.74-79, September 2003
	Gustaf Neumann , Mark Strembeck, Design and implementation of a flexible RBAC-service in an object-oriented scripting language, Proceedings of the 8th ACM conference on Computer and Communications Security, November 05-08, 2001, Philadelphia, PA, USA
	Manuel Koch , Luigi V. Mancini , Francesco Parisi-Presicce, A graph-based formalism for RBAC, ACM Transactions on Information and System Security (TISSEC), v.5 n.3, p.332-365, August 2002
	Charles E. Phillips, Jr. , T.C. Ting , Steven A. Demurjian, Information sharing and security in dynamic coalitions, Proceedings of the seventh ACM symposium on Access control models and technologies, June 03-04, 2002, Monterey, California, USA
	Sejong Oh , Ravi Sandhu, A model for role administration using organization structure, Proceedings of the seventh ACM symposium on Access control models and technologies, June 03-04, 2002, Monterey, California, USA
	Gail-Joon Ahn , Ravi Sandhu, Role-based authorization constraints specification, ACM Transactions on Information and System Security (TISSEC), v.3 n.4, p.207-226, Nov. 2000
	Lawrence A. Gordon , Martin P. Loeb, The economics of information security investment, ACM Transactions on Information and System Security (TISSEC), v.5 n.4, p.438-457, November 2002
	David F. Ferraiolo , Ravi Sandhu , Serban Gavrila , D. Richard Kuhn , Ramaswamy Chandramouli, Proposed NIST standard for role-based access control, ACM Transactions on Information and System Security (TISSEC), v.4 n.3, p.224-274, August 2001
	James B D Joshi , Elisa Bertino , Arif Ghafoor, Temporal hierarchies and inheritance semantics for GTRBAC, Proceedings of the seventh ACM symposium on Access control models and technologies, June 03-04, 2002, Monterey, California, USA
	Elisa Bertino , Piero Andrea Bonatti , Elena Ferrari, TRBAC: A temporal role-based access control model, ACM Transactions on Information and System Security (TISSEC), v.4 n.3, p.191-233, August 2001
	Ravi Sandhu, Engineering authority and trust in cyberspace: the OM-AM and RBAC way, Proceedings of the fifth ACM workshop on Role-based access control, p.111-119, July 26-28, 2000, Berlin, Germany
	Joon S. Park , Ravi Sandhu , Gail-Joon Ahn, Role-based access control on the web, ACM Transactions on Information and System Security (TISSEC), v.4 n.1, p.37-71, Feb. 2001
	Cungang Yang , Chang N. Zhang, An approach to secure information flow on Object Oriented Role-based Access Control model, Proceedings of the 2003 ACM symposium on Applied computing, March 09-12, 2003, Melbourne, Florida
	Katherine Campbell , Lawrence A. Gordon , Martin P. Loeb , Lei Zhou, The economic cost of publicly announced information security breaches: empirical evidence from the stock market, Journal of Computer Security, v.11 n.3, p.431-448, 1 March 2003
	Jason Crampton, On permissions, inheritance and role hierarchies, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA
	Basit Shafiq , James B. D. Joshi , Elisa Bertino , Arif Ghafoor, Secure Interoperation in a Multidomain Environment Employing RBAC Policies, IEEE Transactions on Knowledge and Data Engineering, v.17 n.11, p.1557-1577, November 2005
	Shih-Chien Chou, Embedding role-based access control model in object-oriented systems to protect privacy, Journal of Systems and Software, v.71 n.1-2, p.143-161, April 2004
	James B. D. Joshi , Rafae Bhatti , Elisa Bertino , Arif Ghafoor, Access-Control Language for Multidomain Environments, IEEE Internet Computing, v.8 n.6, p.40-50, November 2004
	Jingzhu Wang , Sylvia L. Osborn, A role-based approach to access control for XML databases, Proceedings of the ninth ACM symposium on Access control models and technologies, June 02-04, 2004, Yorktown Heights, New York, USA
	Marian Ventuneac , Tom Coffey , Ioan Salomie, A policy-based security framework for Web-enabled applications, Proceedings of the 1st international symposium on Information and communication technologies, September 24-26, 2003, Dublin, Ireland
	Rafae Bhatti , James Joshi , Elisa Bertino , Arif Ghafoor, X-GTRBAC admin: a decentralized administration model for enterprise wide access control, Proceedings of the ninth ACM symposium on Access control models and technologies, June 02-04, 2004, Yorktown Heights, New York, USA
	Ting Yu , Divesh Srivastava , Laks V. S. Lakshmanan , H. V. Jagadish, A compressed accessibility map for XML, ACM Transactions on Database Systems (TODS), v.29 n.2, p.363-402, June 2004
	Shih-Chien Chou, Providing flexible access control to an information flow control model, Journal of Systems and Software, v.73 n.3, p.425-439, November-December 2004
	Thuong Doan , Steven Demurjian , T. C. Ting , Andreas Ketterl, MAC and UML for secure software design, Proceedings of the 2004 ACM workshop on Formal methods in security engineering, October 29-29, 2004, Washington DC, USA
	Mahesh V. Tripunitara , Ninghui Li, Comparing the expressive power of access control models, Proceedings of the 11th ACM conference on Computer and communications security, October 25-29, 2004, Washington DC, USA
	Sylvia Osborn, Integrating role graphs: a tool for security integration, Data & Knowledge Engineering, v.43 n.3, p.317-333, December 2002
	James B. D. Joshi , Elisa Bertino , Usman Latif , Arif Ghafoor, A Generalized Temporal Role-Based Access Control Model, IEEE Transactions on Knowledge and Data Engineering, v.17 n.1, p.4-23, January 2005
	Rafae Bhatti , Elisa Bertino , Arif Ghafoor , James B. D. Joshi, XML-Based Specification for Web Services Document Security, Computer, v.37 n.4, p.41-49, April 2004
	Li Yang , Raimund K. Ege , Huiqun Yu, Mediation security specification and enforcement for heterogeneous databases, Proceedings of the 2005 ACM symposium on Applied computing, March 13-17, 2005, Santa Fe, New Mexico
	David F. Ferraiolo , Serban Gavrila , Vincent Hu , D. Richard Kuhn, Composing and combining policies under the policy machine, Proceedings of the tenth ACM symposium on Access control models and technologies, June 01-03, 2005, Stockholm, Sweden
	Yanjun Zuo , Brajendra Panda, Component based trust management in the context of a virtual organization, Proceedings of the 2005 ACM symposium on Applied computing, March 13-17, 2005, Santa Fe, New Mexico
	Shih-Chien Chou , Chin-Yi Chang, An information flow control model for C applications based on access control lists, Journal of Systems and Software, v.78 n.1, p.84-100, October 2005
	Rafae Bhatti , Arif Ghafoor , Elisa Bertino , James B. D. Joshi, X-GTRBAC: an XML-based policy specification framework and architecture for enterprise-wide access control, ACM Transactions on Information and System Security (TISSEC), v.8 n.2, p.187-227, May 2005
	Patrick C. K. Hung , Dickson K. W. Chiu , W. W. Fung , William K. Cheung , Raymond Wong , Samuel P. M. Choi , Eleanna Kafeza , James Kwok , Jousha C. C. Pun , Vivying S. Y. Cheng, Towards end-to-end privacy control in the outsourcing of marketing activities: a web service integration solution, Proceedings of the 7th international conference on Electronic commerce, August 15-17, 2005, Xi'an, China
	Sylvia L. Osborn, Information flow analysis of an RBAC system, Proceedings of the seventh ACM symposium on Access control models and technologies, June 03-04, 2002, Monterey, California, USA
	James B. D. Joshi , Elisa Bertino , Arif Ghafoor, An Analysis of Expressiveness and Design Issues for the Generalized Temporal Role-Based Access Control Model, IEEE Transactions on Dependable and Secure Computing, v.2 n.2, p.157-175, April 2005
	Jason Crampton , George Loizou, Administrative scope: A foundation for role-based administrative models, ACM Transactions on Information and System Security (TISSEC), v.6 n.2, p.201-231, May 2003
	Siqing Du , James B. D. Joshi, Supporting authorization query and inter-domain role mapping in presence of hybrid role hierarchy, Proceedings of the eleventh ACM symposium on Access control models and technologies, June 07-09, 2006, Lake Tahoe, California, USA
	Shih-Chien Chou , Yuan-Chien Chen, Managing role relationships in an information flow control model, Journal of Systems and Software, v.79 n.4, p.507-522, April 2006
	Vugranam C. Sreedhar, Data-centric security: role analysis and role typestates, Proceedings of the eleventh ACM symposium on Access control models and technologies, June 07-09, 2006, Lake Tahoe, California, USA
	Wolfgang Essmayr , Stefan Probst , Edgar Weippl, Role-Based Access Controls: Status, Dissemination, and Prospects for Generic Security Mechanisms, Electronic Commerce Research, v.4 n.1-2, p.127-156, January-April 2004
	Timothy Fraser , David Ferraiolo , Mikel L. Matthews , Casey Schaufler , Stephen Smalley , Robert Watson, Panel: which access control technique will provide the greatest overall benefit, Proceedings of the sixth ACM symposium on Access control models and technologies, p.141-149, May 2001, Chantilly, Virginia, United States
	Ravi Sandhu , Kumar Ranganathan , Xinwen Zhang, Secure information sharing enabled by Trusted Computing and PEI models, Proceedings of the 2006 ACM Symposium on Information, computer and communications security, March 21-24, 2006, Taipei, Taiwan
	Sejong Oh , Ravi Sandhu , Xinwen Zhang, An effective role administration model using organization structure, ACM Transactions on Information and System Security (TISSEC), v.9 n.2, p.113-137, May 2006
	James B. D. Joshi , Elisa Bertino, Fine-grained role-based delegation in presence of the hybrid role hierarchy, Proceedings of the eleventh ACM symposium on Access control models and technologies, June 07-09, 2006, Lake Tahoe, California, USA
	W. T. Tsai , Yinong Chen , Ray Paul , Xinyu Zhou , Chun Fan, Simulation Verification and Validation by Dynamic Policy Specification and Enforcement, Simulation, v.82 n.5, p.295-310, May 2006
	Z. M. Qiu , K. F. Kok , Y. S. Wong , Jerry Y. H. Fuh, Role-based 3D visualisation for asynchronous PLM collaboration, Computers in Industry, v.58 n.8-9, p.747-755, December, 2007
	David F. Ferraiolo, An argument for the role-based access control model, Proceedings of the sixth ACM symposium on Access control models and technologies, p.142-143, May 2001, Chantilly, Virginia, United States
	W. T. Tsai , X. Liu , Y. Chen , R. Paul, Simulation Verification and Validation by Dynamic Policy Enforcement, Proceedings of the 38th annual Symposium on Simulation, p.91-98, April 04-06, 2005
	James B. D. Joshi , Elisa Bertino , Arif Ghafoor , Yue Zhang, Formal foundations for hybrid hierarchies in GTRBAC, ACM Transactions on Information and System Security (TISSEC), v.10 n.4, p.1-39, January 2008
	Mahesh V. Tripunitara , Ninghui Li, A theory for comparing the expressive power of access control models, Journal of Computer Security, v.15 n.2, p.231-272, April 2007
	Lillian Røstad , Øystein Nytrø, Personalized access control for a personally controlled health record, Proceedings of the 2nd ACM workshop on Computer security architectures, October 31-31, 2008, Alexandria, Virginia, USA
	Dae-Kyoo Kim , Pooja Mehta , Priya Gokhale, Describing access control models as design patterns using roles, Proceedings of the 2006 conference on Pattern languages of programs, October 21-23, 2006, Portland, Oregon
	Qurban Memon , Shakil Akhtar , Alaa A. Aly, Role management in adhoc networks, Proceedings of the 2007 spring simulaiton multiconference, March 25-29, 2007, Norfolk, Virginia
	Zhengping Wu , Alfred C. Weaver, Requirements of federated trust management for service-oriented architectures, Proceedings of the 2006 International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services, October 30-November 01, 2006, Markham, Ontario, Canada
	Xinyu Wang , Jianling Sun , Xiaohu Yang , Chao Huang , Di Wu, Security Violation Detection for RBAC Based Interoperation in Distributed Environment, IEICE - Transactions on Information and Systems, v.E91-D n.5, p.1447-1456, May 2008
	Chiu-Man Yu , Kam-Wing Ng, DPMF: A policy management framework for heterogeneous authorization systems in grid environments, Multiagent and Grid Systems, v.5 n.2, p.235-263, April 2009

INDEX TERMS

Primary Classification:
D. Software
D.4 OPERATING SYSTEMS
D.4.6 Security and Protection
Subjects: Access controls

Additional Classification:
K. Computing Milieux
K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS

General Terms:
Management, Security

Keywords:
discretionary access control, lattice-based access control, mandatory access control, role-based access control

REVIEW

"James P. Anderson : Reviewer"

The authors show that a particular set of RBAC models known as RBAC96 can be used to define a variety of lattice based access controls (LBAC), an abstraction and generalization of what is also known as the hierarchical access control model. more...

Collaborative Colleagues:

Sylvia Osborn: colleagues

Ravi Sandhu: colleagues

Qamar Munawer: colleagues

Adobe Acrobat

QuickTime

Windows Media Player

Real Player