Role-Based Access Controls: Status, Dissemination, and Prospects for Generic Security Mechanisms

Published in: Electronic Commerce Research

Abstract

E-commerce applications have diverse security requirements, ranging from business-to-business through business-to-consumer to consumer-to-consumer types of applications. This range of requirements cannot be handled adequately by a single security model, although role-based access control (RBAC) provides a promising foundation for generic high-level security. Furthermore, RBAC is well researched but rather incompletely realized in most current backend as well as business-layer systems. Security mechanisms have often been added to existing software after the fact, causing many of the well-known deficiencies found in most software products. However, with the rise of component-based software development, security models can also be made available for reuse. Therefore, we present a general-purpose software framework providing security mechanisms such as authentication, access controls, and auditing for Java software development. The framework is called GAMMA (Generic Authorization Mechanisms for Multi-Tier Applications) and offers multiple high-level security models (including the aforementioned RBAC) that may even be used concurrently to cover the diverse security requirements found within e-commerce environments.



Cite this article

Essmayr, W., Probst, S. & Weippl, E. Role-Based Access Controls: Status, Dissemination, and Prospects for Generic Security Mechanisms. Electronic Commerce Research 4, 127–156 (2004). https://doi.org/10.1023/B:ELEC.0000009285.50078.b2
