FORBAC: A Flexible Organisation and Role-Based Access Control Model for Secure Information Systems

  • Oumaima Saidani
  • Selmin Nurcan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4243)


Security of information systems is an increasingly critical issue. Access control is a crucial technique ensuring security. It should be based on an effective model. Even if some approaches have already been proposed, a comprehensive model, flexible enough to cope with real organizations, is still missing. This paper proposes a new access control model, FORBAC, which deals with the following issues: The first one is the adaptability to various kinds of organization. The second one concerns increasing flexibility and reducing errors and management cost, this is done by introducing a set of components which allow fine-grained and multi-level permission assignment. The paper introduces a framework for evaluating the proposed approach with respect to other related research through views, facets and criteria.


Access Control Access Control Policy Access Control Model User Session Reference Framework 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Ahn, G.J., Sandhu, R.: Role-based Authorization Constraints Specification. ACM Trans. Inf. and Sys. Sec. 3(4) (2000)Google Scholar
  2. 2.
    Barka, E., Sandhu, R.: A role-based delegation model and some extensions. In: NISSC (2000); ACM Trans. Inf. and Sys. Sec., 4(3), 191–233 (2001) Google Scholar
  3. 3.
    Barrios, J.: Une méthode pour la définition de l’impact organizationnel du changement, Thèse de Doctorat de l’Université Paris1 (2001)Google Scholar
  4. 4.
    Bell, D.E., LaPadula, L.J.: Secure computer systems: Unified exposition and multics interpretation. Technical Report ESD-TR-73-306, The MITRE Corporation (1976)Google Scholar
  5. 5.
    Bertino, E., Bonatti, P.A., Ferrari, E.: TRBAC:A Temporal Role-Based Access Control ModelGoogle Scholar
  6. 6.
    Biba, K.J.: Integrity for secure computer systems. Technical report MTR-3153, The MITRE Corporation. ACM Trans. Inf. and Sys. Sec. 4(3), 191–233 (2001)Google Scholar
  7. 7.
    Cuppens, F., Miège, A.: Administration model for Or-bac. In: International Federated Conferences (OTM 2003), Workshop on Metadata for Security, Italy, November, vol. 3(7), pp. 754–768 (2003)Google Scholar
  8. 8.
    Ferraiolo, D., Kuhn, R.: Role-Based Access Control. In: Proceedings of 15th NIST-NCSC National Computer Security Conference, Baltimore, MD, pp. 554–563 (1992)Google Scholar
  9. 9.
    Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D.R., Chandramouli, R.: Proposed NIST Standard for Role-Based Access Control. ACM Trans. Inf. and Sys. Sec. 4(3), 222–274 (2001)Google Scholar
  10. 10.
    Frederick, G., Daniel, M., Sandra, S., Carol, G.: Information Technology Control and Audit. Auerbach publications (2004)Google Scholar
  11. 11.
    Georgiadis, C.K., Mavridis, I., Pangalos, G., Thomas, R.K.: Flexible Team-based Access Control Using Contexts. In: ACM RBAC Workshop, Chantilly, VA, USA (2001)Google Scholar
  12. 12.
    Goncalves, G., Hémery, F.: Des cas d’utilisation en UML la gestion de rôles dans un système d’information. Actes du Congrès INFORSID, France (2000)Google Scholar
  13. 13.
    Harisson, M.A., Ruzzo, W.L., Ullman, J.D.: Protection in Operating Systems. Communication of the ACM 19(8), 461–471 (1976)CrossRefGoogle Scholar
  14. 14.
    Jarke, M., Mylopoulos, J., Smith, J.W., Vassilio, Y.: DAIDA - An environment for evolving information systems. ACM Trans. on Inf. Sys. 10(1) (1992)Google Scholar
  15. 15.
    Jarke, M., Pohl, K.: Requirement engineering: an integrated view of representation, process and domain. In: Proc. of the 4th European Soft. Conf. Springer, Heidelberg (1993)Google Scholar
  16. 16.
    Jarke, M., Rolland, C., Sutcliffe, A., Dömges, R.: The NATURE Requirements Engineering. Shaker Verlag, Aachen (1999)Google Scholar
  17. 17.
    Joshi, J.B.D., Bertino, E., Latif, U., Ghafoor, A.: A Generalized Temporal Role-Based Access Control Model. IEEE Transactions on Knowledge and Data Engineering 17(1) (2005)Google Scholar
  18. 18.
    Kalam, A.E., Baida, R.E., Balbiani, P., Benferhat, S., Cuppens, F., Deswarte, Y., Miège, A., Saurel, C., Trouessin, G.: Organization Based Access Control. In: POLICY 2003, Italie (2003)Google Scholar
  19. 19.
    Nurcan, S., Barrios, J., Rolland, C.: Une méthode pour la définition de l’impact organisationnel du changement. ISI, N spécial, INFORSID (2002)Google Scholar
  20. 20.
    Oh, S., Sandhu, R.: A Model for Role administration using Organization Structure. In: Proc. of the 7th ACM SACMAT, California, pp. 155–162 (2002)Google Scholar
  21. 21.
    Prieto-Diaz, R., Freeman, F.: Classifying software reusability. IEEE Software (1987)Google Scholar
  22. 22.
    Sandhu, R.: Future Directions in Role-Based Access Control Models. In: Gorodetski, V.I., Skormin, V.A., Popyack, L.J. (eds.) MMM-ACNS 2001. LNCS, vol. 2052. Springer, Heidelberg (2001)Google Scholar
  23. 23.
    Sandhu, R., Coyne, E., Feinstein, H., Youman, C.E.: Role Based Access Control Models. IEEE Computer 29(2), 38–47 (1996)Google Scholar
  24. 24.
    Si-Said Cherfi, S.: Proposition pour la modélisation et le guidage des processus d’analyse des systèmes d’information. Thèse de Doctorat Université Paris 1 (1999)Google Scholar
  25. 25.
    Smith, R.E.: Authentication From Passwords to Public Keys. Addison-Wesley, Reading (2002)Google Scholar
  26. 26.
    Thomas, R., Sandhu, R.: Task-based Authorization Controls (TBAC): A Family of Models for Active and Enterprise-oriented Authorization Management. In: 11th IFIP Working Conference on Database Security, Lake Tahoe, USA (1997)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Oumaima Saidani
    • 1
  • Selmin Nurcan
    • 1
    • 2
  1. 1.Centre de Recherche en InformatiqueUniversité Paris 1 Panthéon – SorbonneParisFrance
  2. 2.IAE de Paris – Sorbonne Graduate Business SchoolUniversité Paris 1 – Panthéon – SorbonneParisFrance

Personalised recommendations