Sorting out Role based access control

Wouter Kuijper, Victor Ermolaev

Research output: Chapter in Book/Report/Conference proceeding; Conference contribution; Academic; peer-review

15 Citations (Scopus)

Abstract

Role-based access control (RBAC) is a popular framework for modelling access control rules. In this paper we identify a fragment of RBAC called bi-sorted role based access control (RBAC). We start from the observation that "classic" RBAC blends together subject management aspects and permission management aspects into a single object of indirection: a role. We posit there is merit in distinguishing these administrative perspectives and consequently introducing two distinct objects of indirection: the proper role (which applies solely to subjects) and the demarcation (which applies solely to permissions). We then identify a third administrative perspective called access management where the two are linked up. In this way we enhance organisational scalability by decoupling the tasks of maintaining abstractions over the set of subjects (assignment of subjects into proper roles), maintaining abstractions over the set of permissions (assignment of permissions into demarcations), and maintaining abstract access control policy (granting proper roles access to demarcations). Moreover, the latter conceptual refinement naturally leads us to the introduction of negative roles (and, dually, negative demarcations). The relevance of the four-sorted extension called polarized, bi-sorted role based access control (R+BÄC), in a semantic sense, is further supported by the existence of Galois connections between sets of subjects and permissions and between positive and negative roles.
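As an added illustration (not code from the paper), the following Python model separates the three administrative perspectives described above into three relations and then checks the subject/permission Galois connection as I read it: the polarity induced by the derived access relation. The existential access semantics, the names and the sample data are my own assumptions.

```python
from itertools import combinations

# Constructed sample data. Each perspective is its own relation, so changing who
# is an engineer never touches which doors count as "lab_area", and vice versa.

# Subject management: subjects assigned to proper roles.
SUBJECT_ROLES = {
    "alice": {"engineer"},
    "bob": {"engineer", "facility_mgr"},
    "carol": {"visitor"},
}
# Permission management: permissions assigned to demarcations.
PERMISSION_DEMARCATIONS = {
    "open:lab_door": {"lab_area"},
    "open:server_room": {"restricted"},
    "open:lobby": {"public_area"},
}
# Access management: proper roles granted access to demarcations.
ROLE_DEMARCATIONS = {
    "engineer": {"lab_area", "public_area"},
    "facility_mgr": {"restricted"},
    "visitor": {"public_area"},
}

def authorised(subject, permission):
    """Assumed semantics: granted iff some proper role of the subject has
    access to some demarcation that the permission belongs to."""
    granted = set().union(*(ROLE_DEMARCATIONS.get(r, set())
                            for r in SUBJECT_ROLES.get(subject, set())))
    return bool(granted & PERMISSION_DEMARCATIONS.get(permission, set()))

def common_permissions(subjects):
    """F(S): the permissions held by every subject in S."""
    return {p for p in PERMISSION_DEMARCATIONS
            if all(authorised(s, p) for s in subjects)}

def common_subjects(permissions):
    """G(P): the subjects holding every permission in P."""
    return {s for s in SUBJECT_ROLES
            if all(authorised(s, p) for p in permissions)}

def powerset(items):
    items = list(items)
    return (set(c) for n in range(len(items) + 1) for c in combinations(items, n))

def galois_connection_holds():
    """Check the Galois property S <= G(P) iff P <= F(S) on every subset pair."""
    return all((S <= common_subjects(P)) == (P <= common_permissions(S))
               for S in powerset(SUBJECT_ROLES)
               for P in powerset(PERMISSION_DEMARCATIONS))
```

Moving "open:server_room" into a different demarcation, or giving "facility_mgr" to another subject, each changes exactly one relation, which is the organisational decoupling the abstract argues for.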

Original language: English
Title of host publication: SACMAT 2014
Subtitle of host publication: Proceedings of the 19th ACM Symposium on Access Control Models and Technologies
Place of Publication: New York, NY
Publisher: Association for Computing Machinery
Pages: 63-74
Number of pages: 12
ISBN (Print): 978-1-4503-2939-2
DOIs
Publication status: Published - 2014
Externally published: Yes
Event: 19th ACM Symposium on Access Control Models and Technologies, SACMAT 2014 - London, ON, Canada
Duration: 25 Jun 2014 to 27 Jun 2014

Conference

Conference: 19th ACM Symposium on Access Control Models and Technologies, SACMAT 2014
Country/Territory: Canada
City: London, ON
Period: 25/06/14 to 27/06/14

Keywords

  • Domain specific languages
  • Galois connections
  • Negative specification
  • Organizational structure
  • Physical access control
  • Positive specification
  • RBAC
  • Scalability