Abstract
In the past five years there has been tremendous activity in role-based access control (RBAC) models. Consensus has been achieved on a standard core RBAC model that is in process of publication by the US National Institute of Standards and Technology (NIST). An early insight was that RBAC cannot be encompassed by a single model since RBAC concepts range from very simple to very sophisticated. Hence a family of models is more appropriate than a single model. The NIST model reflects this approach. In fact RBAC is an open-ended concept which can be extended in many different directions as new applications and systems arise. The consensus embodied in the NIST model is a substantial achievement. All the same it just a starting point. There are important aspects of RBAC models, such as administration of RBAC, on which consensus remains to be reached. Recent RBAC models have studied newer concepts such as delegation and personalization, which are not captured in the NIST model. Applications of RBAC in workflow management systems have been investigated by several researchers. Research on RBAC systems that cross organizational boundaries has also been initiated. Thus RBAC models remain a fertile area for future research. In this paper we discuss some of the directions which we feel are likely to result in practically useful enhancements to the current state of art in RBAC models.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Gail Ahn and Ravi Sandhu: Role-Based Authorization Constraints Specification. ACM Trans. on Information and System Security, V. 3,No 4 (November 2000)
Ezedin Barka and Ravi Sandhu: Framework for Role-Based Delegation Models. Proc. 16th Annual Computer Security Applications Conference, New Orleans (Dec., 2000)
Bertino, E., Bonatti, P., and Ferrari, E.: TRBAC: A Temporal Role-Based Access Control Model. ACM Transactions on Info. and System Security, 4:3, (Aug. 2001) to appear
Damianou, N., Dulay, N., Lupu, E., and Sloman, M.: The Ponder Policy Specification Language. Int. Workshop on Policy, Jan. 2001, Springer LNCS 1995
Ferraiolo, D. and Kuhn, R.: Role-Based Access Control. In Proc. of the NIST-NSA National Computer Security Conference. (1992) 554–563
Ferraiolo, D.F., Sandhu, R., Gavrila, D., Kuhn, D.R. and Chandramouli, R.: A Proposed Standard for Role-Based Access Control. ACM Transactions on Information and System Security, V. 4,No 3, (August 2001) to appear
Herzberg, A., Mass, Y., Mihaeli, J., Naor, D. and Ravid, Y.: Access Control Meets Public Key Infrastructure, Or: Assigning Roles to Strangers. IEEE Symposium on Security and Privacy, Oakland (May 2000)
Hildmann, T. and Barholdt, J.: Managing trust between collaborating companies using outsourced role based access control. In Proc. of 4th ACM Workshop on Role-Based Access Control. 1999 (105–111)
Hitchens, M. and Varadharajan, V.: Tower: A Language for Role Based Access Control. Int. Workshop on Policy, Bristol, UK, January 2001, Springer LNCS 1995
Huang, W., and Atluri, V.: A secure web-based workflow management system. In Proc. of 4th ACM Workshop on Role-Based Access Control. (1999)
Jaeger, T.: On the Increasing Importance of Constraints. Proc. 4th ACM Workshop on Role-Based Access Control, Fairfax, Virginia (Oct. 28–29, 1999) 33–42
Jaeger, T. and Tidswell, J.: Rebuttal to the NIST RBAC model proposal. Proc. 5th ACM Workshop on Role-Based Access Control, Berlin, Germany. (July 26–28, 2000) 65–66
Osborn, S., Sandhu, R. and Munawer, Q.: Configuring Role-Based Access Control to Enforce Mandatory and Discretionary Access Control Policies. ACM Trans. on Information and System Security, V. 3,No 2, (May 2000) 85–106
Sandhu, R., Coyne, E., Feinstein, H. and Youman, C.: Role-Based Access Control Models. IEEE Computer, V. 29,No 2. (Feb. 1996) 38–47
Sandhu, R.: Role Activation Hierarchies. Proc. 3rd ACM Workshop on Role-Based Access Control, Fairfax, Virginia. (October 22–23, 1998) 33–40
Sandhu, R., Bhamidipati, V. and Munawer, Q.: The ARBAC97 Model for Role-Based Administration of Roles. ACM Trans. on Info. and System Security, 2:1, (Feb. 99) 105–135
Sandhu, R.: Engineering Authority and Trust in Cyberspace: The OM-AM and RBAC Way. Proc. 5th ACM Workshop on RBAC, Berlin. (July 26–28, 2000) 111–119
Sandhu, R., Ferraiolo, D. and Kuhn, R.: The NIST Model for Role-Based Access Control: Towards A Unified Standard. Proc. 5th ACM Workshop on RBAC. 47–63
Thomas, R. and Sandhu, R.: Task-based Authorization Controls (TBAC): Models for Active and Enterprise-Oriented Authorization Management. In Database Security XI: Status and Prospects, Chapman & Hall 1998. 262–275
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2001 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Sandhu, R. (2001). Future Directions in Role-Based Access Control Models. In: Gorodetski, V.I., Skormin, V.A., Popyack, L.J. (eds) Information Assurance in Computer Networks. MMM-ACNS 2001. Lecture Notes in Computer Science, vol 2052. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45116-1_4
Download citation
DOI: https://doi.org/10.1007/3-540-45116-1_4
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-42103-0
Online ISBN: 978-3-540-45116-7
eBook Packages: Springer Book Archive