Abstract
The complexity of modern organisations' IT landscapes has grown dramatically over the last decades. Many enterprises initiate role projects in order to reorganise their access structures based on an organisation-wide Identity Management Infrastructure (IdMI). This paper surveys role models and related literature and identifies different role properties. It shows that current role models are not suitable for use in IdMIs: by implementing only a single type of role, they fail to take business requirements and differing perceptions of roles into account. This paper improves the current situation by developing busiROLE, a role model that integrates various types of roles, fulfils both business and IT requirements, and is hence usable in IdMIs.
© 2008 Springer-Verlag Berlin Heidelberg
Cite this paper
Fuchs, L., Preis, A. (2008). BusiROLE: A Model for Integrating Business Roles into Identity Management. In: Furnell, S., Katsikas, S.K., Lioy, A. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2008. Lecture Notes in Computer Science, vol 5185. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-85735-8_13
DOI: https://doi.org/10.1007/978-3-540-85735-8_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-85734-1
Online ISBN: 978-3-540-85735-8