Role-based access control on the web

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Role-based access control on the web

Full text

Pdf (331 KB)

Source

ACM Transactions on Information and System Security (TISSEC) archive
Volume 4 , Issue 1 (February 2001) table of contents

Pages: 37 - 71

Year of Publication: 2001

ISSN:1094-9224

Authors

Joon S. Park	George Mason University
Ravi Sandhu	George Mason University
Gail-Joon Ahn	University of North Carolina at Charlotte

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 49, Downloads (12 Months): 355, Citation Count: 27

Additional Information:

abstract references cited by index terms review collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/383775.383777 What is a DOI?

ABSTRACT

Current approaches to access control on the Web servers do not scale to enterprise-wide systems because they are mostly based on individual user identities. Hence we were motivated by the need to manage and enforce the strong and efficient RBAC access control technology in large-scale Web environments. To satisfy this requirement, we identify two different architectures for RBAC on the Web, called user-pull and server-pull. To demonstrate feasibility, we implement each architecture by integrating and extending well-known technologies such as cookies, X.509, SSL, and LDAP, providing compatibility with current web technologies. We describe the technologies we use to implement RBAC on the Web in different architectures. Based on our experience, we also compare the tradeoffs of the different approaches.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Gail-Joon Ahn , Ravi Sandhu, Role-based authorization constraints specification, ACM Transactions on Information and System Security (TISSEC), v.3 n.4, p.207-226, Nov. 2000 [doi>10.1145/382912.382913]
	2	Gail-Joon Ahn , Ravi Sandhu , Myong Kang , Joon Park, Injecting RBAC to secure a Web-based workflow system, Proceedings of the fifth ACM workshop on Role-based access control, p.1-10, July 26-28, 2000, Berlin, Germany [doi>10.1145/344287.344295]
	3	Mihir Bellare , Ran Canetti , Hugo Krawczyk, Keying Hash Functions for Message Authentication, Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology, p.1-15, August 18-22, 1996
	4	Grady Booch , James Rumbaugh , Ivar Jacobson, The Unified Modeling Language user guide, Addison Wesley Longman Publishing Co., Inc., Redwood City, CA, 1999
	5	CALLAS, J., DONNERHACKE, L., FINNEY, H., AND THAYER, R. 1998. OpenPGP message format. RFC 2440.
	6	DIERKS,T.AND ALLEN, C. 1999. The TLS (Transport Layer Security) Protocol. RFC 246.
	7	DIFFIE,W.AND HELLMAN, M. 1997. ANSI X9.42: Establishment of symmetric algorithm keys using Diffie-Hellman. ANSI, New York, NY.
	8	ELLISON, C., FRANTZ, B., LAMPSON, B., RIVEST, R., THOMAS, B., AND YLONEN, T. 1999. SPKI (simple public key infrastructure). RFC 2693.
	9	ENCOMMERCE. 2000. getAccess. http://www.encommerce.com/products.
	10	FARRELL, S. 1998a. An Internet AttributeCertificate profile for Authorization. Draft. draft-ietf-tls-ac509prof-00.txt.
	11	FARRELL, S. 1998b. TLS extensions for AttributeCertificate based authorization. Draft. draft-ietf-tls-attr-cert-00.txt.
	12	FERRAIOLO, D., CUGINI, J., AND KUHN, R. 1995. Role-based access control (RBAC): Features and motivations. In Proceedings of the 11th Annual Conference on Computer Security Applications (New Orleans, LA, Dec. 11-15). 241-248.
	13	FERRAIOLO,D.AND KUHN, D. R. 1992. Role based access control. In Proceedings of the 15th Annual Conference on National Computer Security. National Institute of Standards and Technology, Gaithersburg, MD, 554-563.
	14	FIELDING, R., GETTYS, J., MOGUL, J., FRYSTYK, H., MASINTER, L., LEACH, P., AND BERNERS-LEE,T. 1999. Hypertext Transfer Protocol-HTTP/1.1. RFC 2616. ftp://ftp.isi.edu/in-notes/rfc2616.txt.
	15	GARFINKEL, S. 1995. Pretty Good Privacy. O'Reilly Associates.
	16	GUIRI, L. 1995. A new model for role-based access control. In Proceedings of the 11th Annual Conference on Computer Security Applications (New Orleans, LA, Dec.). IEEE Computer Society Press, Los Alamitos, CA, 249-255.
	17	Luigi Giuri , Pietro Iglio, A Formal Model for Role-Based Access Control with Constraints, Proceedings of the Ninth IEEE Computer Security Foundations Workshop, p.136, March 10-12, 1996
	18	HOUSLEY, R., FORD, W., POLK, W., AND SOLO, D. 1998. Internet X.509 public key infrastructure certificate and CRL profile. Draft. draft-ietf-pkix-ipki-part1-11.txt.
	19	Tim A. Howes , Gordon Good , Mark Smith, Understanding and Deploying LDAP Directory Services, Alpel Publishing, 1998
	20	HU, M.-Y., DEMURJIAN, S., AND TING, T. 1995. User-role based security in the ADAM object-oriented design and analyses environment. In Database Security VIII: Status and Prospects, J. Biskup, M. Morgernstern, and C. Landwehr, Eds. Elsevier North-Holland, Inc., Amsterdam, The Netherlands.
	21	ITU-T. 1993. Information technology-Open systems Interconnection-The Directory: Authentication framework. ITU-T Recommendation X.509. ISO/IEC 9594-8:1993.
	22	ITU-T. 1997. Information technology-Open systems interconnection-The directory: Authentication framework. Recommendation X.509.
	23	KRISTOL,D.M.AND MONTULLI, L. 1999. HTTP state management mechanism. draft-ietf-http-state-man-mec-12.txt.
	24	Xuejia Lai , James L. Massey, A proposal for a new block encryption standard, Proceedings of the workshop on the theory and application of cryptographic techniques on Advances in cryptology, p.389-404, February 1991, Aarhus, Denmark
	25	Imtiaz Mohammed , David M. Dilts, Design for dynamic user-role-based security, Computers and Security, v.13 n.9, p.661-671, Oct. 1994 [doi>10.1016/0167-4048(94)90048-5]
	26	MOORE,K.AND FREED, N. 1999. Use of HTTP state management. Draft. draft-ietf-http-state-man-mec-12.txt.
	27	NEUMAN, C. 1994. Using Kerberos for authentication on computer networks. IEEE Commun. Mag. 32,9.
	28	NIXDORF, S. 2000. TrustedWeb. http://www.sse.ie/TrustedWeb.
	29	Matunda Nyanchama , Sylvia L. Osborn, Access Rights Administration in Role-Based Security Systems, Proceedings of the IFIP WG11.3 Working Conference on Database Security VII, p.37-56, August 23-26, 1994
	30	Sylvia Osborn , Ravi Sandhu , Qamar Munawer, Configuring role-based access control to enforce mandatory and discretionary access control policies, ACM Transactions on Information and System Security (TISSEC), v.3 n.2, p.85-106, May 2000 [doi>10.1145/354876.354878]
	31	PARK,J.S.,AHN, G. -J., AND SANDHU, R. S. 2001. RBAC on the Web using LDAP. In Proceedings of the 15th IFIP WG 11.3 Working Conference on Database and Application Security (Ont., Canada, July 15-18). IFIP.
	32	J. S. Park , R. Sandhu, Binding identities and attributes using digitally signed certificates, Proceedings of the 16th Annual Computer Security Applications Conference, p.120, December 11-15, 2000
	33	Joon S. Park , Ravi Sandhu, Secure Cookies on the Web, IEEE Internet Computing, v.4 n.4, p.36-44, July 2000 [doi>10.1109/4236.865085]
	34	Joon S. Park , Ravi Sandhu, RBAC on the Web by smart certificates, Proceedings of the fourth ACM workshop on Role-based access control, p.1-9, October 28-29, 1999, Fairfax, Virginia, United States [doi>10.1145/319171.319172]
	35	PARK,J.S.AND SANDHU, R. S. 1999b. Smart certificates: Extending X.509 for secure attribute services on the Web. In Proceedings of 22nd National Conference on Information Systems Security (Crystal City, VA, Oct.).
	36	Joon S. Park , Ravi S. Sandhu , SreeLatha Ghanta, RBAC on the Web by Secure Cookies, Proceedings of the IFIP WG 11.3 Thirteenth International Conference on Database Security: Research Advances in Database and Information Systems Security, p.49-62, July 26-28, 1999
	37	PARKER,T.AND PINKAS, D. 1995. SESAME V4-OVERVIEW: Version 4. SESAME Technology.
	38	RESCORLA,E.AND SCHIFFMAN, A. 1998. Security extensions For HTML. Draft. draft-ietf-wts-shtml-05.txt.
	39	RIGNEY, C., RUBENS, A., SIMPSON,W.A.,AND WILLENS, S. 1997. Remote authentication dial In user service RADIUS. RFC 2138.
	40	RIVEST, R. 1992. The MD5 message digest algorithm. RFC 1321.
	41	R. L. Rivest , A. Shamir , L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM, v.21 n.2, p.120-126, Feb. 1978 [doi>10.1145/359340.359342]
	42	Ravi Sandhu, Rationale for the RBAC96 family of access control models, Proceedings of the first ACM Workshop on Role-based access control, p.9-es, November 30-December 02, 1995, Gaithersburg, Maryland, United States [doi>10.1145/270152.270167]
	43	SANDHU,R.S.,COYNE,E.J.,FEINSTEIN,H.L.,AND YOUMAN, C. E. 1994. Role-based access control: A multi-dimensional view. In Proceedings of the 10th Conference on Computer Security Applications (Dec.). IEEE Computer Society Press, Los Alamitos, CA, 54-62.
	44	Ravi Sandhu , Venkata Bhamidipati , Qamar Munawer, The ARBAC97 model for role-based administration of roles, ACM Transactions on Information and System Security (TISSEC), v.2 n.1, p.105-135, Feb. 1999 [doi>10.1145/300830.300839]
	45	Ravi Sandhu , Joon S. Park, Decentralized user-role assignment for Web-based intranets, Proceedings of the third ACM workshop on Role-based access control, p.1-12, October 22-23, 1998, Fairfax, Virginia, United States [doi>10.1145/286884.286887]
	46	Ravi S. Sandhu , Edward J. Coyne , Hal L. Feinstein , Charles E. Youman, Role-Based Access Control Models, Computer, v.29 n.2, p.38-47, February 1996 [doi>10.1109/2.485845]
	47	SCHIFFMAN,A.AND RESCORLA, E. 1998. The secure HyperText transfer protocol. Draft. draft-ietf-wts-shttp-06.txt.
	48	STEINER, J., NEUMAN, C., AND SCHILLER, J. 1988. Kerberos: An authentication service for open network systems. In Proceedings on USENIX Winter Conference. USENIX Assoc., Berkeley, CA.
	49	S. H. von Solms , Isak van der Merwe, The management of computer security profiles using a role-oriented approach, Computers and Security, v.13 n.9, p.673-680, Oct. 1994 [doi>10.1016/0167-4048(94)90049-3]
	50	WAGNER,D.AND SCHNEIER, B. 1996. Analysis of the SSL 3.0 protocol. In Proceedings of the USENIX Conference on Electronic Commerce. USENIX Assoc., Berkeley, CA, 29-40.
	51	Proceedings of the second ACM workshop on Role-based access control, November 1997
	52	Philip R. Zimmermann, The official PGP user's guide, MIT Press, Cambridge, MA, 1995

CITED BY 27

	David W. Chadwick , Alexander Otenko, The PERMIS X.509 role based privilege management infrastructure, Future Generation Computer Systems, v.19 n.2, p.277-289, February 2003
	Pierangela Samarati , Michael K. Reiter , Sushil Jajodia, An authorization model for a public key management service, ACM Transactions on Information and System Security (TISSEC), v.4 n.4, p.453-482, November 2001
	James B D Joshi , Elisa Bertino , Arif Ghafoor, Temporal hierarchies and inheritance semantics for GTRBAC, Proceedings of the seventh ACM symposium on Access control models and technologies, June 03-04, 2002, Monterey, California, USA
	Ernesto Damiani , Sabrina De Capitani di Vimercati , Stefano Paraboschi , Pierangela Samarati, A fine-grained access control system for XML documents, ACM Transactions on Information and System Security (TISSEC), v.5 n.2, p.169-202, May 2002
	Joon S. Park , Myong H. Kang , Judith N. Froscher, A secure workflow system for dynamic collaboration, Proceedings of the 16th international conference on Information security: Trusted information: the new decade challenge, June 11-13, 2001, Paris, France
	David W. Chadwick , Alexander Otenko , Edward Ball, Role-Based Access Control With X.509 Attribute Certificates, IEEE Internet Computing, v.7 n.2, p.62-69, March 2003
	Mohammad A. Al-Kahtani , Ravi Sandhu, Induced role hierarchies with attribute-based RBAC, Proceedings of the eighth ACM symposium on Access control models and technologies, June 02-03, 2003, Como, Italy
	Kerry Taylor , James Murty, Implementing role based access control for federated information systems on the web, Proceedings of the Australasian information security workshop conference on ACSW frontiers 2003, p.87-95, February 01, 2003, Adelaide, Australia
	Csilla Farkas , Gábor Ziegler , Attila Meretei , András Lörincz, Anonymity and accountability in self-organizing electronic communities, Proceedings of the 2002 ACM workshop on Privacy in the Electronic Society, p.81-90, November 21-21, 2002, Washington, DC
	Hristo Koshutanski , Fabio Massacci, An access control framework for business processes for web services, Proceedings of the 2003 ACM workshop on XML security, October 31-31, 2003, Fairfax, Virginia
	Eric Jui-Lin Lu , Rai-Fu Chen, Design and implementation of a fine-grained menu control processor for web-based information systems, Future Generation Computer Systems, v.19 n.7, p.1105-1119, October 2003
	Xuhui Ao , Naftaly H. Minsky, On the role of roles: from role-based to role-sensitive access control, Proceedings of the ninth ACM symposium on Access control models and technologies, June 02-04, 2004, Yorktown Heights, New York, USA
	Carrie Gates , Jacob Slonim, Owner-controlled information, Proceedings of the 2003 workshop on New security paradigms, August 18-21, 2003, Ascona, Switzerland
	Yao-Wen Huang , Fang Yu , Christian Hang , Chung-Hung Tsai , Der-Tsai Lee , Sy-Yen Kuo, Securing web application code by static analysis and runtime protection, Proceedings of the 13th international conference on World Wide Web, May 17-20, 2004, New York, NY, USA
	Joon S. Park , Keith P. Costello , Teresa M. Neven , Josh A. Diosomito, A composite rbac approach for large, complex organizations, Proceedings of the ninth ACM symposium on Access control models and technologies, June 02-04, 2004, Yorktown Heights, New York, USA
	David Scott , Richard Sharp, Developing Secure Web Applications, IEEE Internet Computing, v.6 n.6, p.38-45, November 2002
	William Tolone , Gail-Joon Ahn , Tanusree Pai , Seng-Phil Hong, Access control in collaborative systems, ACM Computing Surveys (CSUR), v.37 n.1, p.29-41, March 2005
	Raman Adaikkalavan , Sharma Chakravarthy, SmartGate: a smart push-pull approach to support role-based security in web gateways, Proceedings of the 2005 ACM symposium on Applied computing, March 13-17, 2005, Santa Fe, New Mexico
	Günter Karjoth, Access control with IBM Tivoli access manager, ACM Transactions on Information and System Security (TISSEC), v.6 n.2, p.232-257, May 2003
	Jim Longstaff , Mike Lockyer , John Nicholas, The tees confidentiality model: an authorisation model for identities and roles, Proceedings of the eighth ACM symposium on Access control models and technologies, June 02-03, 2003, Como, Italy
	Joon S. Park , Junseok Hwang, Role-based access control for collaborative enterprise in peer-to-peer computing environments, Proceedings of the eighth ACM symposium on Access control models and technologies, June 02-03, 2003, Como, Italy
	James B. D. Joshi , Elisa Bertino , Arif Ghafoor, An Analysis of Expressiveness and Design Issues for the Generalized Temporal Role-Based Access Control Model, IEEE Transactions on Dependable and Secure Computing, v.2 n.2, p.157-175, April 2005
	Danfeng Yao , Yunhua Koglin , Elisa Bertino , Roberto Tamassia, Decentralized authorization and data security in web content delivery, Proceedings of the 2007 ACM symposium on Applied computing, March 11-15, 2007, Seoul, Korea
	Ernesto Damiani , Pierangela Samarati , Sabrina De Capitani di Vimercati , Stefano Paraboschi, Controlling Access to XML Documents, IEEE Internet Computing, v.5 n.6, p.18-28, November 2001
	Michael Koch , Kathrin M. MöSlein, Identities Management for E-Commerce and Collaboration Applications, International Journal of Electronic Commerce, v.9 n.3, p.11-29, Number 3/Spring 2005
	Cungang Yang, Designing secure e-commerce with role-based access control, International Journal of Web Engineering and Technology, v.3 n.1, p.73-95, December 2007
	James B. D. Joshi , Elisa Bertino , Arif Ghafoor , Yue Zhang, Formal foundations for hybrid hierarchies in GTRBAC, ACM Transactions on Information and System Security (TISSEC), v.10 n.4, p.1-39, January 2008

INDEX TERMS

Primary Classification:
D. Software
D.4 OPERATING SYSTEMS
D.4.6 Security and Protection
Subjects: Access controls

Additional Classification:
H. Information Systems
H.3 INFORMATION STORAGE AND RETRIEVAL
H.3.4 Systems and Software

Nouns: World Wide Web (WWW)

K. Computing Milieux
K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS
K.6.5 Security and Protection (D.4.6, K.4.2)

General Terms:
Design, Experimentation, Security

Keywords:
WWW security, cookies, digital certificates, role-based access control

REVIEW

"Stanley A. Kurzban : Reviewer"

Current approaches to access control on the Web servers do not scale to enterprise-wide systems because they are mostly based on individual user identities. Hence we were motivated by the need to manage and enforce the strong and effic more...

Collaborative Colleagues:

Joon S. Park: colleagues

Ravi Sandhu: colleagues

Gail-Joon Ahn: colleagues

Adobe Acrobat

QuickTime

Windows Media Player

Real Player