Conference Paper

An object-oriented organizational model to support dynamic role-based access control in electronic commerce applications

Birkbeck Coll., London Univ.
DOI: 10.1109/HICSS.1999.773053 Conference: System Sciences, 1999. HICSS-32. Proceedings of the 32nd Annual Hawaii International Conference on, Volume: Track8
Source: DBLP


Role-based access control (RBAC) provides flexibility to security
management over the traditional approach of using user and group
identifiers. In RBAC, access privileges are given to roles rather than
to individual users. Users acquire the corresponding permissions when
playing different roles. Roles can be defined simply as a label, but
such an approach lacks the support to allow users to automatically
change roles under different contexts; this static method also adds
administrative overheads in role assignment. In electronic commerce and
other cooperative computing environments, access to shared resources has
to be controlled in the context of the entire business process; it is
therefore necessary to model dynamic roles as a function of resource
attributes and contextual information. In this paper, an object-oriented
organizational model, OMM, is presented as an underlying model to
support dynamic role definition and role resolution in RBAC. The paper
describes the OMM reference model and shows how it can be applied
flexibly to capture the different classes of resources within a
corporation, and to maintain the complex and dynamic roles and
relationships between the resource objects. Administrative tools use the
role model in OMM to define security policies for role definition and
role assignment. At runtime, the resource manager queries the OMM system
to resolve roles in order to authorize any access attempts. Similarly,
cooperative computing software uses OMM to support task assignment and
access control to business processes. Contrary to traditional
approaches, OMM separates the organization model from the application
model; thus it allows independent and flexible role modeling to reflect
realistically a dynamic authorization subsystem in a rapidly changing
business world

Full-text preview

Available from:
  • Source
    • "More precisely, if a given permission is granted to a given role, then all users that play this role will inherit the given permission. Therefore, it is not possible to specify that a physician is permitted to have a direct access to the patient records, unless he/she is one of the physician's patient[12] [13]. Moreover , as mentioned in the previous section, another limit of the RBAC model is that it only enables the administrator to specify permissions. "
    [Show abstract] [Hide abstract]
    ABSTRACT: None of the classical access control models such as DAC, MAC, RBAC, TBAC or TMAC is fully satisfactory to model security policies that are not restricted to static permissions but also include contextual rules related to permissions, prohibitions, obligations and recommendations. This is typically the case of security policies that apply to the health care domain. We suggest a new model that provides solutions to specify such contextual security policies. This model, called organization based access control, is presented using a formal language based on first-order logic.
    Full-text · Conference Paper · Jul 2003
  • Source
    • "• R org represents roles that relate to the organizational chart. This typically reflects the functional decomposition (a vertical partitioning) of the organization [2]. This could refer to areas such as sales, finance or engineering. "
    [Show abstract] [Hide abstract]
    ABSTRACT: Due to the correspondence between the role abstraction in Role-based Access Control (RBAC) and the notion of organizational positions, it seems easy to construct role hierarchies. This is, however, a misconception. This paper argues that, in order to reflect the functional requirements, a role hierarchy becomes very complex. In a bid to simplify the design of role hierarchies suitable for the expression of access control requirements in workflow systems, the paper proposes a "typed" role hierarchy. In a "typed" role hierarchy a role is of a specific type. The associations between different types of roles are limited by rules that govern the construction of a role hierarchy. This paper proposes a methodology to systematically construct a "typed" role hierarchy. Since the "typed" nature of the role hierarchy is only relevant during the construction of the role hierarchy, it can seamlessly be integrated into existing RBAC schemes that support the concept of role hierarchies
    Full-text · Conference Paper · Feb 2001
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: Workflow systems bring a new technology available to organisations enabling them to support the computerised automation of their business processes. Regardless of full support from information technology, most business processes rely considerably on the human resources of the organisation. Within a workflow management system, the correct modelling of human resources is an important issue affecting the overall performance of the system. In this paper, modelling the resource manager for the human resources is mainly considered and a Petri net-based approach is proposed. The resulting model can be used for both qualitative analyses, e.g. checking the correctness of resource assignment, and quantitative analyses, e.g. performance evaluation of the system.
    Full-text · Article · Mar 2000
Show more