Delegation in Role-Based Access Control

  • Jason Crampton
  • Hemanth Khambhammettu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4189)


User delegation is a mechanism for assigning access rights available to one user to another user. A delegation operation can be either a grant or a transfer operation. Work on delegation for role-based access control models has extensively studied grant delegations. However, transfer delegations for role-based access control have largely been ignored. This is largely because enforcing transfer delegation policies is more complex than enforcing grant delegation policies. This paper primarily studies transfer delegations for role-based access control models. We also include grant delegations in our model for completeness. We present various mechanisms that authorise delegations in our model. In particular, we show that the use of administrative scope for authorising delegations is more efficient than using relations. We also discuss the enforcement and revocation of delegations. Finally, we compare our work with relevant work in the literature.


Keywords: Access Control; Access Control Policy; Access Control Model; Delegation Operation; Role Hierarchy
These keywords were added by machine and not by the authors.





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Jason Crampton (1)
  • Hemanth Khambhammettu (1)
  1. Information Security Group, Royal Holloway, University of London
