ReMoLa: Responsibility Model Language to Align Access Rights with Business Process Requirements
ABSTRACT Access controls is an important IT security issue and has accordingly been a huge research topic for the last decade. Many models and role engineering methods have been provided since then, and RBAC has appeared to be one of the most significant contributions. In parallel to those developments, new requirements have appeared in the field of IT governance and they provide new constraints for the elicitation of access control policies. One of those requirements is to have access rights strictly aligned with the business process and to have the responsibility of the employees involved in those processes strictly defined and suitably assigned to the employee. RBAC doesn’t permit to integrate these new requirements. In this paper we propose a responsibility modeling language to align access rights with business processes requirements. To achieve that, our approach uses the concept of employees’ responsibility as a means to bridge the gap through frameworks from the business layer down to frameworks from the technical layer.
- SourceAvailable from: psu.edu[show abstract] [hide abstract]
ABSTRACT: this article we propose a standard for role-based access control (RBAC). Although RBAC models have received broad support as a generalized approach to access control, and are well recognized for their many advantages in performing large-scale authorization management, no single authoritative definition of RBAC exists today. This lack of a widely accepted model results in uncertainty and confusion about RBAC's utility and meaning. The standard proposed here seeks to resolve this situation by unifying ideas from a base of frequently referenced RBAC models, commercial products, and research prototypes. It is intended to serve as a foundation for product development, evaluation, and procurement specification. Although RBAC continues to evolve as users, researchers, and vendors gain experience with its application, we feel the features and components proposed in this standard represent a fundamental and stable set of mechanisms that may be enhanced by developers in further meeting the needs of their customers. As such, this document does not attempt to standardize RBAC features beyond those that have achieved acceptance in the commercial marketplace and research community, but instead focuses on defining a fundamental and stable set of RBAC components. This standard is organized into the RBAC Reference Model and the RBAC System and Administrative Functional Specification. The reference model defines the scope of features that comprise the standard and provides a consistent vocabulary in support of the specification. The RBAC System and Administrative Functional Specification defines functional requirements for administrative operations and queries for the creation, maintenance, and review of RBAC sets and relations, as well as for specifying system level functionality in sup...ACM Trans. Inf. Syst. Secur. 01/2001; 4:224-274.