Abstract
Role-based access control (RBAC) is a popular framework for modelling access control rules. In this paper we identify a fragment of RBAC called bi-sorted role based access control (RBAC). We start from the observation that "classic" RBAC blends together subject management aspects and permission management aspects into a single object of indirection: a role. We posit there is merit in distinguishing these administrative perspectives and consequently introducing two distinct objects of indirection: the proper role (which applies solely to subjects) and the demarcation (which applies solely to permissions). We then identify a third administrative perspective called access management where the two are linked up. In this way we enhance organisational scalability by decoupling the tasks of maintaining abstractions over the set of subjects (assignment of subjects into proper roles), maintaining abstractions over the set of permissions (assignment of permissions into demarcations), and maintaining abstract access control policy (granting proper roles access to demarcations). Moreover, the latter conceptual refinement naturally leads us to the introduction of negative roles (and, dually, negative demarcations). The relevance of the four-sorted extension called polarized, bi-sorted role based access control (R+BÄC), in a semantic sense, is further supported by the existence of Galois connections between sets of subjects and permissions and between positive and negative roles.
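The following is an added example, not code or a formalisation from the paper: it models the three administrative relations the abstract separates (subject management, permission management, access management) on a small constructed data set, derives effective access from their composition, and checks the Galois connection between sets of subjects and sets of permissions. Negative roles and demarcations are not modelled; all names are hypothetical.

```python
"""Minimal bi-sorted RBAC model (added example, not the paper's own code).

Three relations, each maintained by a different administrator:
  SR - subject management:    subject      -> proper roles
  PD - permission management: permission   -> demarcations
  RD - access management:     proper role  -> demarcations it may access
A subject holds a permission iff SR ; RD ; PD^-1 relates them.
"""
from itertools import chain, combinations

# Constructed sample data for a hypothetical clinic.
SR = {"alice": {"nurse"}, "bob": {"nurse", "pharmacist"}, "carol": {"auditor"}}
PD = {"read_chart": {"clinical"}, "dispense": {"pharmacy"},
      "read_log": {"audit", "clinical"}}
RD = {"nurse": {"clinical"}, "pharmacist": {"pharmacy", "clinical"},
      "auditor": {"audit"}}


def permitted(subject, permission):
    """True iff some proper role of the subject is granted some
    demarcation that the permission has been assigned to."""
    reachable = set(chain.from_iterable(RD.get(r, ()) for r in SR.get(subject, ())))
    return bool(reachable & PD.get(permission, set()))


def permissions_of(subject):
    return {p for p in PD if permitted(subject, p)}


# Polar maps of the access relation; they form the Galois connection
# between sets of subjects and sets of permissions that the abstract cites.
def common_permissions(subjects):
    """Permissions held by every subject in the set (all of PD if empty)."""
    return set.intersection(*(permissions_of(s) for s in subjects)) if subjects else set(PD)


def common_subjects(permissions):
    """Subjects holding every permission in the set (all of SR if empty)."""
    return {s for s in SR if all(permitted(s, p) for p in permissions)}


def subsets(items):
    items = list(items)
    return (set(c) for n in range(len(items) + 1) for c in combinations(items, n))


def is_galois_connection():
    """Defining property: S <= subjects(P)  iff  P <= permissions(S)."""
    return all((S <= common_subjects(P)) == (P <= common_permissions(S))
               for S in subsets(SR) for P in subsets(PD))
```

Because access is derived from the composition, re-granting a role a demarcation in RD changes effective access without touching SR or PD, which is the organisational decoupling the abstract argues for.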
Original language | English |
---|---|
Title of host publication | SACMAT 2014 |
Subtitle of host publication | Proceedings of the 19th ACM Symposium on Access Control Models and Technologies |
Place of Publication | New York, NY |
Publisher | Association for Computing Machinery |
Pages | 63-74 |
Number of pages | 12 |
ISBN (Print) | 978-1-4503-2939-2 |
DOIs | |
Publication status | Published - 2014 |
Externally published | Yes |
Event | 19th ACM Symposium on Access Control Models and Technologies, SACMAT 2014 - London, ON, Canada Duration: 25 Jun 2014 → 27 Jun 2014 |
Conference
Conference | 19th ACM Symposium on Access Control Models and Technologies, SACMAT 2014 |
---|---|
Country/Territory | Canada |
City | London, ON |
Period | 25/06/14 → 27/06/14 |
Keywords
- Domain specific languages
- Galois connections
- Negative specification
- Organizational structure
- Physical access control
- Positive specification
- RBAC
- Scalability