Abstract
Role-based access control (RBAC) is a commercially dominant model, standardized by the National Institute of Standards and Technology (NIST). Although RBAC provides compelling benefits for security management, it has several known deficiencies, such as role explosion, wherein many closely related roles must be defined (e.g., a separate attending-doctor role for each patient). Numerous extensions to RBAC have been proposed to overcome these shortcomings. Recently, NIST announced an initiative to unify and standardize these extensions by integrating roles with attributes, and identified three approaches: use attributes to dynamically assign users to roles, treat roles as just another attribute, and constrain the permissions of a role via attributes. The first two approaches have been studied previously. This paper presents the first formal model in the literature for the third approach. We propose the novel role-centric attribute-based access control (RABAC) model, which extends the NIST RBAC model with permission filtering policies. Unlike prior proposals addressing the role-explosion problem, RABAC does not fundamentally modify the role concept and integrates seamlessly with the NIST RBAC model. We also define an XACML profile for RABAC based on the existing XACML profile for RBAC.
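The following is an added illustration of the third approach, not code from the paper or its XACML profile. It keeps the NIST RBAC relations (user assignment UA, permission assignment PA, and sessions that activate a subset of the user's roles) unchanged and layers a permission filtering policy on top: the role still carries the full permission set, and an attribute predicate decides per object whether a permission may actually be exercised. The policy representation (a Python predicate over user and object attributes), the sample users, roles, objects and attribute names are all assumptions constructed for this example; the paper defines its own formalism.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, Iterable, List, Set


@dataclass(frozen=True)
class Permission:
    operation: str     # e.g. "read"
    object_type: str   # e.g. "medical_record"


Attrs = Dict[str, Any]
# A permission filtering policy: predicate over (user attributes, object attributes).
# Plain Python callables stand in for the paper's policy language (assumption).
FilterPolicy = Callable[[Attrs, Attrs], bool]

# --- Constructed sample data for this example (not taken from the paper) ---
# NIST RBAC relations: user-role assignment (UA) and permission-role assignment (PA).
UA: Dict[str, Set[str]] = {
    "alice": {"attending_doctor"},
    "bob": {"attending_doctor", "billing_clerk"},
}
PA: Dict[str, Set[Permission]] = {
    "attending_doctor": {Permission("read", "medical_record"),
                         Permission("write", "medical_record")},
    "billing_clerk": {Permission("read", "invoice")},
}
# Attributes consulted by the filtering policies.
USER_ATTRS: Dict[str, Attrs] = {
    "alice": {"patients": {"p1", "p2"}},
    "bob": {"patients": {"p3"}},
}
OBJ_ATTRS: Dict[str, Attrs] = {
    "rec-p1": {"type": "medical_record", "patient": "p1"},
    "rec-p3": {"type": "medical_record", "patient": "p3"},
    "inv-p3": {"type": "invoice", "patient": "p3"},
}
# Permission filtering policies keyed by role (shape assumed for this example).
# A role's permission applies to an object only if every predicate holds.
FILTERS: Dict[str, List[FilterPolicy]] = {
    "attending_doctor": [lambda u, o: o["patient"] in u["patients"]],
}


def session_permissions(user: str, active_roles: Set[str]) -> Set[Permission]:
    """NIST RBAC: a session may activate only roles assigned to the user in UA."""
    illegal = active_roles - UA.get(user, set())
    if illegal:
        raise PermissionError(f"{user} cannot activate roles {sorted(illegal)}")
    return set().union(*(PA.get(r, set()) for r in active_roles))


def rbac_check(user: str, active_roles: Set[str], op: str, obj: str) -> bool:
    """Plain RBAC: a role's permission covers every object of that type."""
    perm = Permission(op, OBJ_ATTRS[obj]["type"])
    return perm in session_permissions(user, active_roles)


def rabac_check(user: str, active_roles: Set[str], op: str, obj: str) -> bool:
    """RABAC: the same role permissions, filtered per object by attribute predicates."""
    session_permissions(user, active_roles)  # enforce the UA constraint on the session
    perm = Permission(op, OBJ_ATTRS[obj]["type"])
    u, o = USER_ATTRS[user], OBJ_ATTRS[obj]
    for role in active_roles:
        if perm in PA.get(role, set()) and all(f(u, o) for f in FILTERS.get(role, [])):
            return True
    return False


def exploded_roles(patients: Iterable[str]) -> Dict[str, Set[Permission]]:
    """The role-explosion alternative RABAC avoids: one attending_doctor role per patient."""
    return {f"attending_doctor_{p}": set(PA["attending_doctor"]) for p in sorted(patients)}


if __name__ == "__main__":
    s = {"attending_doctor"}
    print("RBAC  alice read rec-p3:", rbac_check("alice", s, "read", "rec-p3"))   # over-broad
    print("RABAC alice read rec-p3:", rabac_check("alice", s, "read", "rec-p3"))  # not her patient
    print("RABAC alice read rec-p1:", rabac_check("alice", s, "read", "rec-p1"))
    print("Roles needed without filtering, 3 patients:", len(exploded_roles({"p1", "p2", "p3"})))
```

The point of the two check functions is the contrast: with plain RBAC, the single attending_doctor role lets alice read any medical record, and the only RBAC-native remedy is the per-patient role set that `exploded_roles` builds. With the filter in place the role, UA and PA are untouched, so existing role administration keeps working and the patient scoping lives in one attribute predicate; a role with no filtering policy (billing_clerk here) behaves exactly as it does under NIST RBAC.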
References
OASIS: eXtensible Access Control Markup Language (XACML) v2.0 (2005)
Sun’s XACML implementation, http://sunxacml.sourceforge.net/index.html
Abdallah, A.E., Khayat, E.J.: A Formal Model for Parameterized Role-Based Access Control. In: Formal Aspects in Security and Trust (2004)
Al-Kahtani, M.A., Sandhu, R.: A model for attribute-based user-role assignment. In: ACSAC (2002)
Anderson, A.: XACML profile for role based access control (RBAC). Technical Report Draft 1, OASIS (February 2004)
Bao, Y., Song, J., Wang, D., Shen, D., Yu, G.: A Role and Context Based Access Control Model with UML. In: ICYCS (2008)
Chadwick, D.W., Otenko, A., Ball, E.: Implementing Role Based Access Controls Using X.509 Attribute Certificates. IEEE Internet Computing (2003)
Chakraborty, S., Ray, I.: TrustBAC: integrating trust relationships into the RBAC model for access control in open systems. In: SACMAT (2006)
Cirio, L., Cruz, I.F., Tamassia, R.: A Role and Attribute Based Access Control System Using Semantic Web Technologies. In: Meersman, R., Tari, Z. (eds.) OTM-WS 2007, Part II. LNCS, vol. 4806, pp. 1256–1266. Springer, Heidelberg (2007)
Covington, M.J., Long, W., Srinivasan, S., Dev, A.K., Ahamad, M., Abowd, G.D.: Securing context-aware applications using environment roles. In: SACMAT (2001)
Covington, M.J., Sastry, M.R.: A Contextual Attribute-Based Access Control Model. In: Meersman, R., Tari, Z., Herrero, P. (eds.) OTM 2006 Workshops. LNCS, vol. 4278, pp. 1996–2006. Springer, Heidelberg (2006)
Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D.R., Chandramouli, R.: Proposed NIST standard for role-based access control. ACM Trans. on Info. and Sys. Sec. (2001)
Fischer, J., Marino, D., Majumdar, R., Millstein, T.: Fine-Grained Access Control with Object-Sensitive Roles. In: Drossopoulou, S. (ed.) ECOOP 2009. LNCS, vol. 5653, pp. 173–194. Springer, Heidelberg (2009)
Fong, P.W.L.: Relationship-based access control: protection model and policy language. In: CODASPY (2011)
Fuchs, L., Pernul, G., Sandhu, R.S.: Roles in information security-A survey and classification of the research area. Computers & Security (2011)
Gallagher, M.P., O’Connor, A.C., Kropp, B.: The economic impact of role-based access control. Planning Report 02-1, NIST (March 2002)
Ge, M., Osborn, S.L.: A design for parameterized roles. In: DBSec (2004)
Giuri, L., Iglio, P.: Role templates for content-based access control. In: Proc. of the Second ACM Workshop on RBAC. ACM (1997)
Huang, J., Nicol, D., Bobba, R., Huh, J.H.: A Framework Integrating Attribute-based Policies into RBAC. In: SACMAT (2012)
Jin, X., Krishnan, R., Sandhu, R.: A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC. In: DBSec (2012)
Kalam, A.A.E., Benferhat, S., Miege, A., Baida, R.E., Cuppens, F., Saurel, C., Balbiani, P., Deswarte, Y., Trouessin, G.: Organization based access control. In: POLICY (2003)
Karp, A.H., Haury, H., Davis, M.H.: From ABAC to ZBAC: the evolution of access control models. Technical Report, HP Labs (2009)
Kuhn, D.R., Coyne, E.J., Weil, T.R.: Adding Attributes to Role-Based Access Control. IEEE Computer 43(6), 79–81 (2010)
Kumar, A., Karnik, N., Chafle, G.: Context sensitivity in role-based access control. SIGOPS Oper. Syst. Rev. 36(3), 53–66 (2002)
Sandhu, R., Bhamidipati, V., Munawer, Q.: The ARBAC97 model for role-based administration of roles. ACM Trans. on Info. and Sys. Sec. (1999)
Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. IEEE Computer 29(2), 38–47 (1996)
Xu, M., Wijesekera, D., Zhang, X., Cooray, D.: Towards Session-Aware RBAC Administration and Enforcement with XACML. In: POLICY (2009)
Yong, J., Bertino, E., Toleman, M., Roberts, D.: Extended RBAC with role attributes. In: 10th Pacific Asia Conf. on Info. Sys. (2006)
Zhang, Z., Zhang, X., Sandhu, R.: ROBAC: Scalable role and organization based access control models. In: IEEE TrustCol (2006)
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Jin, X., Sandhu, R., Krishnan, R. (2012). RABAC: Role-Centric Attribute-Based Access Control. In: Kotenko, I., Skormin, V. (eds) Computer Network Security. MMM-ACNS 2012. Lecture Notes in Computer Science, vol 7531. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33704-8_8
DOI: https://doi.org/10.1007/978-3-642-33704-8_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-33703-1
Online ISBN: 978-3-642-33704-8