Owner-Based Role-Based Access Control OB-RBAC

Administration of an access control model deals with the question of who is authorized to update policies defined on the basis of that model. One of the models whose administration has absorbed relatively large research is the Role-Based Access Control (RBAC) model. All the existing role-based administrative models fall into the category of administrator based decentralized approach. In such an approach, a group of administrators are given firstly, the authority of updating authorizations for operative roles and secondly, the authority of delegating the previous right to other lower-level administrators. However, in organizations with informal and flexible structure, like academic and research-oriented organizations such a sharp distinction between administrative roles and operative roles might not exist. Here, each role may take part in both operative and administrative decisions such that more mission-oriented decisions are made by senior roles and more specialized-level decisions are made by junior roles. In this paper, we study a new class of access control model called Owner-Based Role-Based Access Control (OB-RBAC) which is suitable for such environments. The OB-RBAC model utilizes the advantages of both Discretionary Access Control (DAC)and RBAC. In particular, the OB-RBAC model builds a policy model which not only fulfills the organizational restrictions but enjoys the flexible administration of the DAC model.