This chapter addresses the problem that traditional role-based access control (RBAC) models do not scale up well for modeling security policies spanning multiple organizations. After reviewing recently proposed Role and Organization Based Access Control (ROBAC) models, an administrative ROBAC model called AROBAC07 is presented and formalized in this chapter. Two examples are used to motivate and demonstrate the usefulness of ROBAC. A comparison between AROBAC07 and other administrative RBAC models is given. We show that ROBAC/AROBAC07 can significantly reduce administration complexity for applications involving a large number of organizational units. Finally, an application compartment-based delegation model is introduced, which provides a method to construct the administrative role hierarchy in AROBAC07. We show that the AROBAC07 model provides convenient ways to decentralize administrative tasks for ROBAC systems and scales up well for role-based systems involving a large number of organizational units.
The ANSI RBAC reference model includes core RBAC (no role hierarchy), hierarchical RBAC (has a role hierarchy), and constrained RBAC (has Separation of Duty constraints). Figure 1 shows a classic (standard) RBAC model, which is based on the well-known RBAC96 model and the permission definition from ANSI RBAC.
Key Terms in this Chapter
Permissible Administrative Organization Set (PAOSET): A paoset of an organization is a set of organizations in which the greatest administrative role (gar) in the organization can modify the organization hierarchy.
Administrative ROBAC: Refers to approaches of controlling administrative tasks in ROBAC. It usually provides ways to control the following major administrative tasks: assigning users to role-organization pairs, assigning permissions to roles, managing roles and role hierarchy, managing organizations and organization hierarchy, and managing role and organization association.
Role and Organization Based Access Control (ROBAC): An extension of RBAC. In ROBAC, access is based on a user’s roles and the indirect association between users and system resources via organizations.
Role-Based Access Control (RBAC): A method to restrict a user’s access to system resources based on the user’s roles. In RBAC, roles are defined based on job functions, permissions are associated with roles, and users are made members of appropriate roles, thereby acquiring the roles’ permissions.
Application Compartment (ACom): An ACom of an application is a subset of a ROBAC where only the users, permissions, roles, and organizations applicable to the application are included.
Permission Prerequisite Condition (PPC): A condition that a permission must meet before the permission can be assigned to roles.
Permissible Administrative Role Set (PARSET): A parset of an administrative role is a set of regular roles in which the administrative role can modify the regular role hierarchy.
Administrative RBAC: Refers to approaches of controlling administrative tasks in RBAC. It usually provides ways to control the following major administrative tasks: assigning users to roles (user to role assignment), assigning permissions to roles (permission to role assignment), and adjusting role hierarchy (role to role assignment).
User Prerequisite Condition (UPC): A condition that a user must meet before the user can be assigned to roles or role-organization pairs.
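The following added example (not code from the chapter) sketches the ROBAC access decision described in the key terms above and contrasts it with the number of roles a plain RBAC encoding would need. All names and data are constructed; it assumes each asset belongs to one organization, that an assignment to a role-organization pair covers that organization's descendants in the organization hierarchy, and that senior roles inherit junior roles' permissions.

```python
# Constructed sample policy; every identifier here is hypothetical.
ORG_PARENT = {"hq": None, "region-east": "hq", "region-west": "hq",
              "store-1": "region-east", "store-2": "region-east",
              "store-3": "region-west"}
ROLE_JUNIORS = {"manager": {"clerk"}, "clerk": set()}       # senior -> juniors
ROLE_PERMS = {"clerk": {("read", "sales_record")},          # (operation, asset type)
              "manager": {("approve", "sales_record")}}
USER_ASSIGNMENTS = {"alice": {("manager", "region-east")},  # role-organization pairs
                    "bob": {("clerk", "store-3")}}
ASSETS = {"rec-17": ("sales_record", "store-2"),            # asset -> (type, owning org)
          "rec-40": ("sales_record", "store-3")}

def org_within(org, ancestor):
    """True if org equals ancestor or lies below it in the organization hierarchy."""
    while org is not None:
        if org == ancestor:
            return True
        org = ORG_PARENT.get(org)
    return False

def effective_perms(role):
    """Permissions of a role plus those inherited from its junior roles."""
    perms = set(ROLE_PERMS.get(role, ()))
    for junior in ROLE_JUNIORS.get(role, ()):
        perms |= effective_perms(junior)
    return perms

def robac_allows(user, op, asset):
    """Grant only if one (role, org) pair supplies both the permission and the org scope."""
    if asset not in ASSETS:
        return False  # unknown asset: deny by default
    asset_type, asset_org = ASSETS[asset]
    return any((op, asset_type) in effective_perms(role)
               and org_within(asset_org, org)
               for role, org in USER_ASSIGNMENTS.get(user, ()))

def flat_rbac_role_count():
    """Plain RBAC needs one role per combination, e.g. 'manager@store-2'."""
    return len(ROLE_PERMS) * len(ORG_PARENT)

def robac_definition_count():
    """ROBAC defines roles and organizations independently."""
    return len(ROLE_PERMS) + len(ORG_PARENT)

if __name__ == "__main__":
    print(robac_allows("alice", "read", "rec-17"), robac_allows("alice", "read", "rec-40"))
    print(flat_rbac_role_count(), "flat RBAC roles vs", robac_definition_count(), "ROBAC definitions")
```

The permission and the organization scope must come from the same role-organization pair; checking them separately across a user's assignments would let a role held in one organization be exercised in another.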