Supporting Relationships in Access Control Using Role Based Access Control
John Barkley, Konstantin Benznosov, Jinny Uppal
The Role Based Access Control (RBAC) model and mechanism have proven to be useful and effective. This is clear from the many RBAC implementations in commercial products. However, there are many common examples where access decisions must include other factors, in particular, relationships between entities, such as, the user, the object to be accessed, the subject of the information contained within the object. Such relationships are often not efficiently represented using traditional static security attributes centrally administered. Furthermore, the extension of RBAC models to include relationships obscures the fundamental RBAC metaphor.This paper furthers the concept of relationships for use in access control, and it shows how relationships can be supported in role based access decisions by using the Object Management Group's (OMG) Resource Access Decision facility (RAD) nearing adoption. This facility allows relationship information, which can dynamically change as part of normal application processing, to be used in access decisions by applications. The access decision logic is separate from application logic. In addition, RAD allows access decision logic from different models to be combined into a single access decision. Each access control model is thus able to retain its metaphor.
Proceedings of the Fourth ACM Workshop on Role-Based Access Control (RBAC '99)
October 28-29, 1999
Fourth ACM Workshop on Role-Based Access Control (RBAC '99)
, Benznosov, K.
and Uppal, J.
Supporting Relationships in Access Control Using Role Based Access Control, Proceedings of the Fourth ACM Workshop on Role-Based Access Control (RBAC '99), Fairfax, VA, [online], https://doi.org/10.1145/319171.319177
(Accessed December 9, 2023)