Role-Based Access Controls: Status, Dissemination, and Prospects for Generic Security Mechanisms
E-commerce applications have diverse security requirements, ranging from business-to-business through business-to-consumer to consumer-to-consumer applications. No single security model handles this range adequately, although role-based access control (RBAC) is a promising foundation for generic high-level security. RBAC is well researched but only incompletely realized in most current backend and business-layer systems. Security mechanisms have often been retrofitted onto existing software, which causes many of the well-known deficiencies found in most software products. With the rise of component-based software development, however, security models can themselves be packaged for reuse. We therefore present a general-purpose software framework that provides security mechanisms such as authentication, access control, and auditing for Java software development. The framework is called GAMMA (Generic Authorization Mechanisms for Multi-Tier Applications) and offers multiple high-level security models (including RBAC) that can be used concurrently to cover the diverse security requirements found in e-commerce environments.
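As an added illustration (not GAMMA's own code; the abstract does not describe its API), the following Python sketch shows what "multiple security models used concurrently" can look like in practice: an RBAC model with a role hierarchy and least-privilege sessions governs order objects, an owner-based discretionary model governs user profiles, and a single entry point routes each request to the governing model and records every decision in an audit trail. The users, roles, objects and the `"class:id"` object-naming convention are constructed assumptions for the example.

```python
"""RBAC with role hierarchy and sessions, combined with an owner-based (DAC)
policy behind one access-control entry point that also writes an audit trail.
Added illustration with constructed sample data; not GAMMA's own API."""
from collections import namedtuple

AuditEntry = namedtuple("AuditEntry", "user model operation obj decision")


class RbacPolicy:
    """RBAC1-style model: users -> roles, roles -> permissions, role hierarchy."""

    def __init__(self):
        self.perms = {}        # role -> {(operation, object)}
        self.juniors = {}      # senior role -> {junior roles it inherits from}
        self.assignments = {}  # user -> {roles the user may activate}

    def grant(self, role, operation, obj):
        self.perms.setdefault(role, set()).add((operation, obj))

    def inherit(self, senior, junior):
        self.juniors.setdefault(senior, set()).add(junior)

    def assign(self, user, role):
        self.assignments.setdefault(user, set()).add(role)

    def effective_roles(self, roles):
        # Transitive closure over the hierarchy; 'seen' makes it cycle-safe.
        seen, stack = set(), list(roles)
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.juniors.get(role, ()))
        return seen

    def open_session(self, user, activate):
        # A session may activate only roles assigned to the user, and the caller
        # picks the subset it needs rather than everything it holds (least privilege).
        illegal = set(activate) - self.assignments.get(user, set())
        if illegal:
            raise PermissionError(f"{user} may not activate {sorted(illegal)}")
        return frozenset(activate)

    def permits(self, active_roles, operation, obj):
        return any((operation, obj) in self.perms.get(r, ())
                   for r in self.effective_roles(active_roles))


class OwnerPolicy:
    """Discretionary model: the owner of an object may do anything to it."""

    def __init__(self, owners):
        self.owners = dict(owners)  # object -> owning user

    def permits(self, user, operation, obj):
        return self.owners.get(obj) == user


class AccessController:
    """Routes each object class to the model that governs it; logs every decision."""

    def __init__(self, rbac, dac, dac_classes):
        self.rbac, self.dac = rbac, dac
        self.dac_classes = set(dac_classes)  # object-name prefixes handled by DAC
        self.audit = []

    def check(self, user, active_roles, operation, obj):
        obj_class = obj.split(":", 1)[0]  # assumed "class:id" naming convention
        if obj_class in self.dac_classes:
            model, decision = "DAC", self.dac.permits(user, operation, obj)
        else:
            model, decision = "RBAC", self.rbac.permits(active_roles, operation, obj)
        self.audit.append(AuditEntry(user, model, operation, obj, decision))
        return decision


def build_demo():
    """Constructed sample policy: B2B orders under RBAC, C2C profiles under DAC."""
    rbac = RbacPolicy()
    rbac.grant("clerk", "read", "order:1001")
    rbac.grant("manager", "approve", "order:1001")
    rbac.inherit("manager", "clerk")      # manager inherits clerk's permissions
    rbac.assign("alice", "manager")
    rbac.assign("bob", "clerk")
    dac = OwnerPolicy({"profile:carol": "carol"})
    return AccessController(rbac, dac, dac_classes={"profile"})


def demo():
    ac = build_demo()
    alice = ac.rbac.open_session("alice", {"manager"})
    bob = ac.rbac.open_session("bob", {"clerk"})
    results = {
        "alice_read": ac.check("alice", alice, "read", "order:1001"),       # via hierarchy
        "alice_approve": ac.check("alice", alice, "approve", "order:1001"),
        "bob_approve": ac.check("bob", bob, "approve", "order:1001"),       # clerk lacks it
        "carol_own_profile": ac.check("carol", frozenset(), "write", "profile:carol"),
        "alice_carol_profile": ac.check("alice", alice, "write", "profile:carol"),
    }
    return results, ac.audit


if __name__ == "__main__":
    results, audit = demo()
    for name, ok in results.items():
        print(f"{name}: {'permit' if ok else 'deny'}")
    for entry in audit:
        print(entry)
```

Two design points worth noting: the session is where least privilege is enforced (a user holding `manager` can still open a clerk-only session), and the audit trail is written by the single entry point, so no caller can obtain a decision without leaving a record, regardless of which model produced it.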
Electronic Commerce Research
Volume 4, Issue 1-2 , pp 127-156
- Kluwer Academic Publishers
Keywords: access control; software framework