Abstract
Role-based access control is an important way of limiting the access users have to computing resources. While the basic concepts of role-based access control are now well understood, there is no consensus on the best approach to managing role-based systems. In this paper, we introduce a new model for role-based administration, using the notions of discretionary and mandatory controls. Our model provides a number of important features that control the assignment of users and permissions to roles. This means that we can limit the damage that can be done by malicious administrative users. We compare our approach to a number of other models for role-based administration, and demonstrate that our model has several advantages.
© 2006 IFIP International Federation for Information Processing
Cite this paper
Crampton, J. (2006). Discretionary and Mandatory Controls for Role-Based Administration. In: Damiani, E., Liu, P. (eds) Data and Applications Security XX. DBSec 2006. Lecture Notes in Computer Science, vol 4127. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11805588_14
DOI: https://doi.org/10.1007/11805588_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-36796-3
Online ISBN: 978-3-540-36799-4