Analyzing temporal role based access control models

Today, Role Based Access Control (RBAC) is the de facto model used for advanced access control, and is widely deployed in diverse enterprises of all sizes. Several extensions to the authorization as well as the administrative models for RBAC have been adopted in recent years. In this paper, we consider the temporal extension of RBAC (TRBAC), and develop safety analysis techniques for it. Safety analysis is essential for understanding the implications of security policies both at the stage of specification and modification. Towards this end, in this paper, we first define an administrative model for TRBAC. Our strategy for performing safety analysis is to appropriately decompose the TRBAC analysis problem into multiple subproblems similar to RBAC. Along with making the analysis simpler, this enables us to leverage and adapt existing analysis techniques developed for traditional RBAC. We have adapted and experimented with employing two state of the art analysis approaches developed for RBAC as well as tools developed for software testing. Our results show that our approach is both feasible and flexible

V-Model Role Engineering

The paper focuses on role engineering which is an important topic in the development of access control system, particularly when considering Role Based Access Control – RBAC models. Despite the wide use of RBAC in various applications, the role engineering process is not a standardized approach. The paper aims to define a methodology and a process model for role engineeringInformation security, access control systems, role based access control systems – RBAC, engineering methodologies, security policies, access control models

Refinement for Administrative Policies

Flexibility of management is an important requisite for access control systems as it allows users to adapt the access control system in accordance with practical requirements. This paper builds on earlier work where we defined administrative policies for a general class of RBAC models. We present a formal definition of administrative refinnement and we show that there is an ordering for administrative privileges which yields administrative refinements of policies. We argue (by giving an example) that this privilege ordering can be very useful in practice, and we prove that the privilege ordering is tractable

Report on the Survey of Role-Based Access Control (RBAC) in Practice

From literature study, we collected: (a) a set of core features of the RBAC model, according to the ANSI/INCITS 359:2004 RBAC standard, (b) implicit assumptions, (c) a set of strengths, and (d) a set of phenomena which may limit these strengths in practice. To acquire insights about these four elements and complement our initial set of strengths and phenomena, a survey was designed and launched online between June and July 2011. This report consolidates results obtained from the survey