Abstract
Today’s on-line end user experience is compromised by the need for managing multiple redundant identities for access to various services — such as email accounts, in order to ensure a clear separation of tasks that users perform in different capacities. Approaches based on Single Sign On (SSO) have focused on the provision of interoperability and trust management solutions required to allow users to log in once and use multiple on-line services. In this paper, we argue that Single Sign On provides neither adequate privacy preservation nor sufficient fine-grained separation of tasks, as it requires that a user performs all tasks — whether e.g. personal or professional — using the same identity. We propose Identity and Role Management (IRM), a new approach to identity management, combining the benefits of SSO and user-centric frameworks: it allows a user to be authenticated as conveniently as with SSO, to still achieve an effective separation of tasks she performs in different capacities through the use of different roles, and to retain full control of her private and sensitive data. Additionally, it facilitates fine-grained service customisation, supporting a personalised on-line experience. Our experiments with real users demonstrate the effectiveness, transparency, and user acceptance of our solution.
Please use the following formal when citing this chapter: Kotsovinos. E.. Friese. 1., Kurze, M. and Heuer, J., 2007, in IFIP international Federation for information Processing, Volume 232, New Approaches for Security, Privacy and Trust in Complex Environments, eds. Venter, H-, Eioff, M., Labuschagne, L., Eloff, J., von Solms, R.. (Boston: Springer), pp. 289–300.
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
P. Bonatti and P. Samarati. A unified framework for regulating access and information release on the web. Journal of Comp. Sec., 10(3), 2002.
N. H. Cohen, J. Black, P. Castro, M. Ebling, B. Leiba, A. Misra, and W. Segmuller. Building Context-Aware Applications with Context Weaver. Research Report RC 23388, IBM, Oct. 2004.
N. Damianou, N. Dulay, E. Lupu, and M. Sloman. The Ponder Policy Specification Language. In Proc. of the Policy2001 Workshop, Jan. 2001.
D. Ferraiolo and R. Kuhn. Role-Based Access Controls. In Proc. of the 15th NIST-NCSC Conf, 1992.
R. J. Hayton, J. M. Bacon, and K. Moody. Access Control in an Open Distributed Environment. In Proc. of the IEEE Symp. on Sec. and Priv., 1998.
J. Merrells. DIX: Digital Identity Exchange Protocol, Mar. 2006.
D. Jonscher and K. R. Dittrich. Argos — A Configurable Access Control System for Interoperable Environments. In DB Sec, IX: Status and Prospects, 1996.
N. Li, J. C. Mitchell, and W. H. Winsborough. Design of a Role-Based Trust Management Framework. In Proc. of the IEEE Symp. on Sec and Priv., 2002.
Liberty Alliance Project. Liberty ID-SIS Personal Profile Service Spec, 2003.
E. C. Lupu, D. A. Marriott, M. S. Sloman, and N. Yialelis. A Policy Based Role Framework for Access Control. In Proc. of the 1st ACM RBAC’ 96.
J. Miller. Yadis Specification, Version 1.0, Mar. 2006.
M. Nyanchama and S. Osborn. Access Rights Administration in Role-Based Security Systems. In Proc of the 8th IFIP WG 11.3 Working Conf. on DB Sec, volume A-60. Elsevier, Aug. 1995.
Organization for the Advancement of Structured Information Standards (OA-SIS). Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML), Apr. 2002.
Organization for the Advancement of Structured Information Standards (OA-SIS). Security Assertion Markup Language (SAML) V2.0 Technical Overview, Sept. 2005.
J. S. Park, R. Sandhu, and G.-J. Ahn. Role-based access control on the web. ACM Trans. Inf. Syst. Sec., 4(1), 2001.
A. Pashalidis and C. Mitchell. A taxonomy of single sign-on systems. In Proc. of the 8th Australasian Conf. in Inf. Sec. and Priv., July 2003.
A. Pfitzmann and M. Hansen. Anonymity, Unlinkability, Unobservability, Pseudonymity, and Identity Management — A Consolidated Proposal for Terminology. Research report, TU-Dresden, May 2006.
SXIP Networks. The SXIP 2.0 Overview, Mar. 2006.
K. Toth and M. Subramanium. Requirements for the persona concept. In Proc. of RHAS’03, Sept. 2003.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2007 International Federation for Information Processing
About this paper
Cite this paper
Kotsovinos, E., Friese, I., Kurze, M., Heuer, J. (2007). A Role-Based Architecture for Seamless Identity Management and Effective Task Separation. In: Venter, H., Eloff, M., Labuschagne, L., Eloff, J., von Solms, R. (eds) New Approaches for Security, Privacy and Trust in Complex Environments. SEC 2007. IFIP International Federation for Information Processing, vol 232. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-72367-9_25
Download citation
DOI: https://doi.org/10.1007/978-0-387-72367-9_25
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-72366-2
Online ISBN: 978-0-387-72367-9
eBook Packages: Computer ScienceComputer Science (R0)