ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
The role-based access control system of a European bank: a case study and discussion
Full text PdfPdf (201 KB)
Source ACM Workshop on Role Based Access Control archive
Proceedings of the sixth ACM symposium on Access control models and technologies table of contents
Chantilly, Virginia, United States
Pages: 3 - 9  
Year of Publication: 2001
ISBN:1-58113-350-2
Authors
Andreas Schaad  Univ. of York, York, UK
Jonathan Moffett  Univ. of York, York, UK
Jeremy Jacob  Univ. of York, York, UK
Sponsor
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 20,   Downloads (12 Months): 254,   Citation Count: 19
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/373256.373257
What is a DOI?

ABSTRACT

Research in the area of role-based access control has made fast progress over the last few years. However, little has been done to identify and describe existing role-based access control systems within large organisations. This paper describes the access control system of a major European Bank. An overview of the systems structure, its administration and existing control principles constraining the administration is given. In addition, we provide an answer to a key question - the ratio of the number of roles to the system user population - which was raised in the recent RBAC2000 Workshop. Having described certain weaknesses of the Banks system, the case study is extended to a comparison between the system and the RBAC96 models. In particular the issues of inheritance and grouping are addressed.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

1
Ravi Sandhu , David Ferraiolo , Richard Kuhn, The NIST model for role-based access control: towards a unified standard, Proceedings of the fifth ACM workshop on Role-based access control, p.47-63, July 26-28, 2000, Berlin, Germany  [doi>10.1145/344287.344301]
 
2
Ravi S. Sandhu , Edward J. Coyne , Hal L. Feinstein , Charles E. Youman, Role-Based Access Control Models, Computer, v.29 n.2, p.38-47, February 1996  [doi>10.1109/2.485845]
3
Matunda Nyanchama , Sylvia Osborn, The role graph model and conflict of interest, ACM Transactions on Information and System Security (TISSEC), v.2 n.1, p.3-33, Feb. 1999  [doi>10.1145/300830.300832]
4
Emil C. Lupu , Damian A. Marriott , Morris S. Sloman , Nicholas Yialelis, A policy based role framework for access control, Proceedings of the first ACM Workshop on Role-based access control, p.11-es, November 30-December 02, 1995, Gaithersburg, Maryland, United States  [doi>10.1145/270152.270171]
5
Pete Epstein , Ravi Sandhu, Towards a UML based approach to role engineering, Proceedings of the fourth ACM workshop on Role-based access control, p.135-143, October 28-29, 1999, Fairfax, Virginia, United States  [doi>10.1145/319171.319184]
6
Haio Roeckle , Gerhard Schimpf , Rupert Weidinger, Process-oriented approach for role-finding to implement role-based security administration in a large industrial organization, Proceedings of the fifth ACM workshop on Role-based access control, p.103-110, July 26-28, 2000, Berlin, Germany  [doi>10.1145/344287.344308]
7
Roland Awischus, Role based access control with the security administration manager (SAM), Proceedings of the second ACM workshop on Role-based access control, p.61-68, November 06-07, 1997, Fairfax, Virginia, United States  [doi>10.1145/266741.266758]
8
Ravi Sandhu , Venkata Bhamidipati, An Oracle implementation of the PRA97 model for permission-role assignment, Proceedings of the third ACM workshop on Role-based access control, p.13-21, October 22-23, 1998, Fairfax, Virginia, United States  [doi>10.1145/286884.286889]
9
Jeremy Epstein , Ravi Sandhu, NetWare 4 as an example of role-based access control, Proceedings of the first ACM Workshop on Role-based access control, p.18-es, November 30-December 02, 1995, Gaithersburg, Maryland, United States  [doi>10.1145/270152.270187]
 
10
5th ACM Workshop on Role-based Access Control, Berlin, Germany, 2000.
11
Jonathan D. Moffett, Control principles and role hierarchies, Proceedings of the third ACM workshop on Role-based access control, p.63-69, October 22-23, 1998, Fairfax, Virginia, United States  [doi>10.1145/286884.286900]
 
12
Schaad A. and J.D. Moffett, "The Incorporation of Control Principles into Access Control Policies (Extended Abstract)." presented at Hewlett Packard Policy Workshop, Bristol, 2001.
 
13
Morris Sloman , Kevin Twidle, Domains: a framework for structuring management policy, Network and distributed systems management, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 1994
14
Gail-Joon Ahn , Ravi Sandhu, The RSL99 language for role-based separation of duty constraints, Proceedings of the fourth ACM workshop on Role-based access control, p.43-54, October 28-29, 1999, Fairfax, Virginia, United States  [doi>10.1145/319171.319176]
15
Trent Jaeger, On the increasing importance of constraints, Proceedings of the fourth ACM workshop on Role-based access control, p.33-42, October 28-29, 1999, Fairfax, Virginia, United States  [doi>10.1145/319171.319175]
16
Jonathon E. Tidswell , Trent Jaeger, Integrated constraints and inheritance in DTAC, Proceedings of the fifth ACM workshop on Role-based access control, p.93-102, July 26-28, 2000, Berlin, Germany  [doi>10.1145/344287.344307]

CITED BY  19
Andreas Schaad , Jonathan D. Moffett, A lightweight approach to specification and analysis of role-based access control extensions, Proceedings of the seventh ACM symposium on Access control models and technologies, June 03-04, 2002, Monterey, California, USA
Axel Kern , Martin Kuhlmann , Andreas Schaad , Jonathan Moffett, Observations on the role life-cycle in the context of enterprise security management, Proceedings of the seventh ACM symposium on Access control models and technologies, June 03-04, 2002, Monterey, California, USA
Andreas Schaad , Jonathan Moffett, Separation, review and supervision controls in the context of a credit application process: a case study of organisational control principles, Proceedings of the 2004 ACM symposium on Applied computing, March 14-17, 2004, Nicosia, Cyprus
Ninghui Li , Mahesh V. Tripunitara, Security analysis in role-based access control, Proceedings of the ninth ACM symposium on Access control models and technologies, June 02-04, 2004, Yorktown Heights, New York, USA
Kathi Fisler , Shriram Krishnamurthi , Leo A. Meyerovich , Michael Carl Tschantz, Verification and change-impact analysis of access-control policies, Proceedings of the 27th international conference on Software engineering, May 15-21, 2005, St. Louis, MO, USA
Axel Kern , Andreas Schaad , Jonathan Moffett, An administration concept for the enterprise role-based access control model, Proceedings of the eighth ACM symposium on Access control models and technologies, June 02-03, 2003, Como, Italy
Dongwan Shin , Gail-Joon Ahn , Sangrae Cho , Seunghun Jin, On modeling system-centric information for role engineering, Proceedings of the eighth ACM symposium on Access control models and technologies, June 02-03, 2003, Como, Italy
Jaideep Vaidya , Vijayalakshmi Atluri , Janice Warner, RoleMiner: mining roles using subset enumeration, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA
Ninghui Li , Mahesh V. Tripunitara, Security analysis in role-based access control, ACM Transactions on Information and System Security (TISSEC), v.9 n.4, p.391-420, November 2006
Jaideep Vaidya , Vijayalakshmi Atluri , Qi Guo, The role mining problem: finding a minimal descriptive set of roles, Proceedings of the 12th ACM symposium on Access control models and technologies, June 20-22, 2007, Sophia Antipolis, France
Ninghui Li , Ziqing Mao, Administration in role-based access control, Proceedings of the 2nd ACM symposium on Information, computer and communications security, March 20-22, 2007, Singapore
Janice Warner , Vijayalakshmi Atluri , Ravi Mukkamala , Jaideep Vaidya, Using semantics for automatic enforcement of access control policies among dynamic coalitions, Proceedings of the 12th ACM symposium on Access control models and technologies, June 20-22, 2007, Sophia Antipolis, France
Ninghui Li , Mahesh V. Tripunitara , Ziad Bizri, On mutually exclusive roles and separation-of-duty, ACM Transactions on Information and System Security (TISSEC), v.10 n.2, p.5-es, May 2007
Dan Lin , Prathima Rao , Elisa Bertino , Jorge Lobo, An approach to evaluate policy similarity, Proceedings of the 12th ACM symposium on Access control models and technologies, June 20-22, 2007, Sophia Antipolis, France
Jaideep Vaidya , Vijayalakshmi Atluri , Qi Guo , Nabil Adam, Migrating to optimal RBAC with minimal perturbation, Proceedings of the 13th ACM symposium on Access control models and technologies, June 11-13, 2008, Estes Park, CO, USA
Scott D. Stoller , Ping Yang , C R. Ramakrishnan , Mikhail I. Gofman, Efficient policy analysis for administrative role based access control, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA
Qiang Wei , Jason Crampton , Konstantin Beznosov , Matei Ripeanu, Authorization recycling in RBAC systems, Proceedings of the 13th ACM symposium on Access control models and technologies, June 11-13, 2008, Estes Park, CO, USA
Qingfeng He , Annie I. Antón, Requirements-based Access Control Analysis and Policy Specification (ReCAPS), Information and Software Technology, v.51 n.6, p.993-1009, June, 2009
Jaideep Vaidya , Vijayalakshmi Atluri , Qi Guo , Haibing Lu, Edge-RMP: Minimizing administrative assignments for role-based access control, Journal of Computer Security, v.17 n.2, p.211-235, April 2009

INDEX TERMS

Primary Classification:
  I. Computing Methodologies
  I.2 ARTIFICIAL INTELLIGENCE
      I.2.8 Problem Solving, Control Methods, and Search
          Subjects: Control theory

Additional Classification:
  D. Software
  D.4 OPERATING SYSTEMS
      D.4.6 Security and Protection
          Subjects: Access controls

  J. Computer Applications
  J.1 ADMINISTRATIVE DATA PROCESSING
      Subjects: Financial (e.g., EFTS)

  K. Computing Milieux
  K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS


General Terms:
Design, Management, Performance, Security, Theory


Keywords:
control principles, dual control, inheritance, least privilege, number of roles, role administration, role-based access control, separation of duties

Collaborative Colleagues:
Andreas Schaad: colleagues
Jonathan Moffett: colleagues
Jeremy Jacob: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player