Article

The role control center: features and case studies

Authors:

David F. Ferraiolo,

R. Chandramouli,

Gail-Joon Ahn,

Serban I. GavrilaAuthors Info & Claims

SACMAT '03: Proceedings of the eighth ACM symposium on Access control models and technologies

Pages 12 - 20

https://doi.org/10.1145/775412.775415

Published: 02 June 2003 Publication History

Get Access

Abstract

Role-based Access Control (RBAC) models have been implemented not only in self-contained resource management products such as DBMSs and Operating Systems but also in a class of products called Enterprise Security Management Systems (ESMS). ESMS products are used for centralized management of authorizations for resources resident in several heterogeneous systems (called target systems) distributed throughout the enterprise. The RBAC model used in an ESMS is called the Enterprise RBAC model (ERBAC). An ERBAC model can be used to specify not only sophisticated access requirements centrally for resources resident in several target systems, but also administrative data required to map those defined access requirements to the access control structures native to the target platforms. However, the ERBAC model (i.e., the RBAC implementation) supported in many commercial ESMS products has not taken full advantage of policy specification capabilities of RBAC. In this paper we describe an implementation of ESMS called the 'Role Control Center' (RCC) that supports an ERBAC model that includes features such as general role hierarchy, static separation of duty constraints, and an advanced permission review facility (as defined in NIST's proposed RBAC standard). We outline the various modules in the RCC architecture and describe how they collectively provide support for authorization administration tasks at the enterprise and target-system levels.

References

[1]

Gail-J. Ahn and Ravi Sandhu. The RSL99 language for role-based separation of duty constraints. In Proceedings of 4th ACM Workshop on Role-Based Access Control, pages 43--54. ACM, 1999.

Digital Library

Google Scholar

[2]

Gail-J. Ahn, Ravi Sandhu, Role-based authorization constraints specification, ACM Transactions on Information and Systems Security 3 (4) (2000).

Digital Library

Google Scholar

[3]

Enterprise Security Station - User Guide (Windows GUI) - BMC Software Inc., 2002.

Google Scholar

[4]

R. Chandramouli, R. Sandhu, "Role Based Access Control Features in Commercial Database Management Systems", 21st National Information Systems Security Conference, October, 1998. Crystal City, Virginia.

Google Scholar

[5]

G. Faden, "RBAC in UNIX Administration", 4th ACM workshop on Role-based Access Control, Fairfax, VA, USA, 1999.

Digital Library

Google Scholar

[6]

D. Ferraiolo, R. Sandhu, S. Gavrila, R. Kuhn, R. Chandramouli, Proposed NIST standard for role-based access control, ACM Transactions on Information and Systems Security 4 (3) (2001).

Digital Library

Google Scholar

[7]

V.D. Gligor, S.I. Gavrila, D.F. Ferraiolo: "On the Formal Definition of Separation-of-Duty Policies and their Composition," Proc. 1998 Symposium on Security and Privacy, May 1998, Oakland, California.

Google Scholar

[8]

Trent Jaeger and Jonathon Tidswell, "Practical Safety in Flexible Access Control Models." ACM Transactions on Information and Systems Security, Volume 4, Number 3, August 2001.

Digital Library

Google Scholar

[9]

M.Nyanchama, S. Osborn: "The Graph Model and Conflict of Interest," ACM Transactions on Information and System Security, 2(1), February 1999.

Digital Library

Google Scholar

[10]

R. Sandhu, V. Bhamidipati, The URA97 model for role-based administration of user-role assignment, in: T.Y. Lin, X. Qian (Eds.), Database Security XI: Status and Prospects, North-Holland, Amsterdam, 1997.

Digital Library

Google Scholar

[11]

R.T. Simon, M.E. Zurko: Separation of Duty in Role-Based Environments, in Proc. Computer Security Foundations Workshop X, Rockport, Massachusetts, June 1997.

Digital Library

Google Scholar

[12]

Enterprise Security Architecture using IBM Tivoli Security Solutions (2002) - IBM Corporation

Google Scholar

Cited By

View all

Fernandez RCheng PNhlabatsi AKhan KFetais N(2023)Effective Collaboration in the Management of Access Control Policies: A Survey of ToolsIEEE Access10.1109/ACCESS.2023.324286311(13929-13947)Online publication date: 2023
https://doi.org/10.1109/ACCESS.2023.3242863
Ferraiolo DGavrila SKatwala GBertino ESandhu RKrishnan R(2018)A System for Centralized ABAC Policy Administration and Local ABAC Policy Decision and Enforcement in Host Systems using Access Control ListsProceedings of the Third ACM Workshop on Attribute-Based Access Control10.1145/3180457.3180460(35-42)Online publication date: 14-Mar-2018
https://dl.acm.org/doi/10.1145/3180457.3180460
Thuraisingham BCadenhead TKantarcioglu MKhadilkar V(2014)Scalable and Efficient RBAC for ProvenanceSecure Data Provenance and Inference Control with Semantic Web10.1201/b17258-14(99-118)Online publication date: 22-Jul-2014
https://doi.org/10.1201/b17258-14
Show More Cited By

Index Terms

The role control center: features and case studies

Recommendations

Role-based authorizations for workflow systems in support of task-based separation of duty

Role-based authorizations for assigning tasks of workflows to roles/users are crucial to security management in workflow management systems. The authorizations must enforce separation of duty (SoD) constraints to prevent fraud and errors. This work ...
The ARBAC97 model for role-based administration of roles
Special issue on role-based access control

In role-based access control (RBAC), permissions are associated with roles' and users are made members of roles, thereby acquiring the roles; permissions. RBAC's motivation is to simplify administration of authorizations. An appealing possibility is to ...
A Generalized Temporal Role-Based Access Control Model

Role-based access control (RBAC) models have generated a great interest in the security community as a powerful and generalized approach to security management. In many practical scenarios, users may be restricted to assume roles only at predefined time ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

SACMAT '03: Proceedings of the eighth ACM symposium on Access control models and technologies

June 2003

246 pages

ISBN:1581136811

DOI:10.1145/775412

General Chair:
Elena Ferrari
University of Insubria, Italy
,
Program Chair:
David Ferraiolo
National Institute of Standards & Technology, USA

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 02 June 2003

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

SACMAT03

Sponsor:

SACMAT03: 8th ACM Symposium on Access Control Models and Technologies 2003

June 2 - 3, 2003

Como, Italy

Acceptance Rates

SACMAT '03 Paper Acceptance Rate 23 of 63 submissions, 37%;

Overall Acceptance Rate 177 of 597 submissions, 30%

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

21
Total Citations
View Citations
8,827
Total Downloads

Downloads (Last 12 months)7
Downloads (Last 6 weeks)0

Reflects downloads up to 20 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Fernandez RCheng PNhlabatsi AKhan KFetais N(2023)Effective Collaboration in the Management of Access Control Policies: A Survey of ToolsIEEE Access10.1109/ACCESS.2023.324286311(13929-13947)Online publication date: 2023
https://doi.org/10.1109/ACCESS.2023.3242863
Ferraiolo DGavrila SKatwala GBertino ESandhu RKrishnan R(2018)A System for Centralized ABAC Policy Administration and Local ABAC Policy Decision and Enforcement in Host Systems using Access Control ListsProceedings of the Third ACM Workshop on Attribute-Based Access Control10.1145/3180457.3180460(35-42)Online publication date: 14-Mar-2018
https://dl.acm.org/doi/10.1145/3180457.3180460
Thuraisingham BCadenhead TKantarcioglu MKhadilkar V(2014)Scalable and Efficient RBAC for ProvenanceSecure Data Provenance and Inference Control with Semantic Web10.1201/b17258-14(99-118)Online publication date: 22-Jul-2014
https://doi.org/10.1201/b17258-14
Lee DKim BKim K(2014)PCA in ERP environment using the misuse detection system design and implementation of RBAC permissionsMultimedia Tools and Applications10.1007/s11042-010-0675-z73:2(601-615)Online publication date: 1-Nov-2014
https://dl.acm.org/doi/10.1007/s11042-010-0675-z
Gouglidis AMavridis I(2012)Grid Access Control Models and ArchitecturesComputational and Data Grids10.4018/978-1-61350-113-9.ch008(217-234)Online publication date: 2012
https://doi.org/10.4018/978-1-61350-113-9.ch008
Gouglidis AMavridis I(2012)Grid Access Control Models and ArchitecturesGrid and Cloud Computing10.4018/978-1-4666-0879-5.ch202(349-365)Online publication date: 2012
https://doi.org/10.4018/978-1-4666-0879-5.ch202
Gouglidis AMavridis I(2012)Grid Access Control Models and ArchitecturesGrid and Cloud Computing10.4018/978-1-4666-0879-5.ch2.2(349-365)Online publication date: 30-Apr-2012
https://doi.org/10.4018/978-1-4666-0879-5.ch2.2
Huang CSun JWang XSi Y(2010)Minimal role mining method for Web service compositionJournal of Zhejiang University SCIENCE C10.1631/jzus.C091018611:5(328-339)Online publication date: 7-May-2010
https://doi.org/10.1631/jzus.C0910186
Giblin CGraf MKarjoth GWespi AMolloy ILobo JCalo SSager TAhn GKant KLipford H(2010)Towards an integrated approach to role engineeringProceedings of the 3rd ACM workshop on Assurable and usable security configuration10.1145/1866898.1866908(63-70)Online publication date: 4-Oct-2010
https://dl.acm.org/doi/10.1145/1866898.1866908
ASAKURA YNAKAMOTO Y(2009)Extending a Role Graph for Role-Based Access ControlIEICE Transactions on Information and Systems10.1587/transinf.E92.D.211E92-D:2(211-219)Online publication date: 2009
https://doi.org/10.1587/transinf.E92.D.211
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Role-based authorizations for workflow systems in support of task-based separation of duty

The ARBAC97 model for role-based administration of roles

A Generalized Temporal Role-Based Access Control Model