Abstract
Role-Based Access Control (RBAC) usually enables a higher level view of authorization. In this model, access permissions are assigned to roles and, in turn, roles are allocated to subjects. The usefulness of the RBAC model is well documented. It includes simplicity, consistency, scalability and ease of manageability. In practice, however, only limited versions of RBAC seem to have been successfully implemented, notably in applications such as databases and operating systems. The problem stems from the fact that most applications require a finer degree of authorization than what core RBAC models are able to provide. In theory, current RBAC models can be adapted to capture fine grained authorizations by dramatically increasing the number of distinct roles in these models. However, this solution comes at an unacceptably high cost of allocating low level privileges which eliminates the major benefits gained from having a high level RBAC model.
This paper presents a methodology for refining abstract RBAC models into new Parameterized RBAC models which provide finer grain of authorizations. The semantics of the Parameterized RBAC model is given as a state-based core RBAC model expressed in the formal specification notation Z. By systematically applying this methodology the scope of applications of RBAC is substantially extended and the major benefits of having the core model are maintained.
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
R. Sandhu, E. Coyne, H. Feinstein, and C. Youman, “Role-Based Access Control Models,” IEEE Computer, vol. 29, no. 2, pp. 38–7, Nov. 1996.
R. Sandhu, D. Ferraiolo, and R. Kuhn, “The NIST Model for Role-Based Access Control: Towards A Unified Standard,” in Proc. of the 5th ACM workshop on Role-Based Access Control. Technical University of Berlin, Berlin, Germany: ACM Press, June 2000, pp. 47–63.
D. Ferraiolo, R. Sandhu, S. Gavrila, R. Kuhn, and R. Chandramouli, “Proposed NIST Standard for Role-Based Access Control,” ACM Transactions on Information and System Security (TISSEC), vol. 4, no. 3, pp. 224–274, 2001.
American National Standard for Information Technology, “Role Based Access Control” Draft BSR INCITS 359, Apr. 2003. Online: http://csrc.nist.gov/rbac/rbac-std-ncits.pdf.
E. Khayat and A. Abdallah, “A Formal Model for Flat Role-Based Access Control,” in Proc. of the ACS/IEEE International Conference on Computer Systems and Applications. Tunis, Tunisia: IEEE Press, July 2003.
R. Elmasri and S. Navathe. Fundamentals of Database Systems. Addison-Wesley, 2003.
Sun Microsystems. RBAC in the Solaris Operating Systems. White Paper, April 2001. http://wwws.sun.com/software/whitepapers/wp-rbac/wp-rbac.pdf.
T. Chalfant. Role Based Access Control and Secure Shell-A Closer Look At Two Solaris™ Operating Environment Security Features, June 2003. http://www.sun.com/solutions/blueprints/0603/817-3062.pdf.
E. Lupu and M. Sloman, “Reconciling Role Based Management and Role Based Access Control,” in Proceedings of the 2nd ACM workshop on Role-based Access Control. Fairfax, Virginia, USA: ACM Press, Nov. 1997, pp. 135–141.
D. Gollmann, Computer Security. John Wiley & Sons, 1999.
T. Jaeger, T. Michailidis, and R. Rada, “Access Control in a Virtual University,” in Proc. of the 8th International IEEE Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, California, USA, June 1999, pp. 135–140.
L. Bottaci and J. Jones, Formal Specification Using Z: A Modeling Approach. International Thomson Computer Press, 1995.
J. Bowen, Formal Specification & Documentation Using Z: A Case Study Approach. International Thomson Computer Press, 1996.
I. Toyn (Ed.), “Information Technology-Z Formal Specification Notation-Syntax, Type System and Semantics” Consensus Working Draft 2.7, Oct. 2001.
L. Giuri and P. Iglio, “Role Templates for Content-Based Access Control,” in Proc. of the 2nd ACM Workshop on Role-Based Access Control. Fairfax, Virginia, USA: ACM Press, Nov. 1997, pp. 153–159.
Jean Bacon, Ken Moody and Walt Yao. A model of OASIS role-based access control and its support for active security. ACM Trans. Inf. Syst. Security. 5(4): 492–540 (2002)
Andras Belokosztolszki, David M. Eyers and Ken Moody. Policy Contexts: Controlling Information Flow in Parameterized RBAC. POLICY 2003: 99–110.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2005 International Federation for Information Processing
About this paper
Cite this paper
Abdallah, A.E., Khayat, E.J. (2005). A Formal Model for Parameterized Role-Based Access Control. In: Dimitrakos, T., Martinelli, F. (eds) Formal Aspects in Security and Trust. IFIP WCC TC1 2004. IFIP International Federation for Information Processing, vol 173. Springer, Boston, MA. https://doi.org/10.1007/0-387-24098-5_17
Download citation
DOI: https://doi.org/10.1007/0-387-24098-5_17
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-24050-3
Online ISBN: 978-0-387-24098-5
eBook Packages: Computer ScienceComputer Science (R0)