Saturday, October 28, 2006

Effective Role Administration Model

Oh, S., Sandhu, R., & Zhang, X. (2006). An Effective Role Administration Model Using Organization Structure. ACM Transactions on Information Security and System Security, 9, 113-137. Retrieved September 13, 2006, from the ACM Digital Library database.

In this article Oh, Sandhu and Zhang reviewed the Role-Based Access Control (RBAC) model, a model routinely used by enterprises, and proposed their own model, Administrative RBAC '02 (ARBAC02), which improves on the RBAC model.

RBAC sought to administer security systems by using an organizational concept of roles to determine user access. A later improvement on RBAC, Administrative RBAC '97 (ARBAC97), sought to improve on the original model by allowing for decentralized administration. ARBAC97 was made of three parts: User-Role Assignment '97 (URA97), which used user pools and role ranges to decentralize user-role administration; Permission-Role Administration '97 (PRA97), which used permission pools and role ranges to decentralize permission-role administration; and Role-Role Administration '97 (RRA97), which used a role hierarchy to assign access rights to users. While URA97 sought to decentralize user-role administration, its drawbacks included that it required many steps for a single user-role assignment and even more for higher destination roles in a role hierarchy, allowed redundant role assignments, and restricted the construction of user pools as a consequence of combining user pools, prerequisite rules and a role hierarchy. While PRA97 was designed to decentralize permission-role administration, it had the same problems as URA97 as well as the unwanted flow of permissions.

Unlike ARBAC97, ARBAC02 has a flexible make-up of user and permission pools by using organizational structure steps in role administration. First, users and permissions are granted to organizational units (OTs) by human resources and the information technology department. Next, security administration personnel grant the users and permissions in OTs to regular roles. Unlike the top-down method used in ARBAC97, ARBAC02 proposed bottom-up inheritance for permission-role administration. ARBAC02 allots common permissions to lower positions and non-common permissions to higher positions in a Permission Organizational Structure (OS-P). This allows senior roles within the model hierarchy to inherit common permissions.

The authors also illustrated Organizational Structure User Pools and Permission Pools (OS-U/OS-P) in other access control models, such as Access Control Lists (ACL) and Lattice-Based Access Control (LBAC), where access control choices are made beyond the control of one individual. An OS-U holds all the users who are assigned by Human Resources in an organization, while a Permission Organizational Structure (OS-P) is a hierarchy of organizational units shown as a permission pool. Since it is important that permission inheritance travels downward, an OS-P has an inverted tree structure, a maximum organization unit and only one direct child. An OS-P holds permissions that were previously given by IT personnel within an organization. The authors therefore showed that organizational structure user pools and permission pools are a comprehensive solution to security administration for different access control methods.
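The two-step administration described above (HR and IT place users and permissions into organizational units; a security administrator then grants whole units to regular roles) and the pool semantics of OS-U and OS-P are easier to see in code. The following toy model is an added example, not code from Oh, Sandhu and Zhang's paper. It assumes OS-U and OS-P are trees over the same unit names, that a unit's user pool collects users from the unit and everything below it, that a unit's permission pool collects permissions from the unit and everything beneath it toward the root (the inverted-tree view, so common permissions placed on the root reach every unit), and that senior roles inherit the permissions of junior roles as in hierarchical RBAC. The organization, users, permissions and roles in `build_example` are constructed sample data.

```python
"""Toy ARBAC02-style role administration through organizational units.

Added example, not the paper's code. Assumed simplifications are noted
in comments; the sample organization in build_example() is constructed.
"""
from __future__ import annotations


class OrgStructure:
    """A tree of organizational units; parent[unit] is its parent, root maps to None."""

    def __init__(self, parent: dict[str, str | None]) -> None:
        roots = [u for u, p in parent.items() if p is None]
        if len(roots) != 1:
            raise ValueError("an organizational structure needs exactly one root unit")
        self.parent = parent
        self.direct: dict[str, set[str]] = {u: set() for u in parent}

    def place(self, unit: str, item: str) -> None:
        """Assign an item (a user for OS-U, a permission for OS-P) directly to a unit."""
        self.direct[unit].add(item)  # KeyError on an unknown unit is intentional

    def _ancestors(self, unit: str) -> set[str]:
        found: set[str] = set()
        current: str | None = unit
        while current is not None:
            found.add(current)
            current = self.parent[current]
        return found

    def _subtree(self, unit: str) -> set[str]:
        return {u for u in self.parent if unit in self._ancestors(u)}

    def user_pool(self, unit: str) -> set[str]:
        """OS-U view (assumption): users placed in `unit` or any unit below it."""
        return set().union(*(self.direct[u] for u in self._subtree(unit)))

    def permission_pool(self, unit: str) -> set[str]:
        """OS-P view (assumption): permissions placed on `unit` or on any unit
        beneath it toward the root, so the root's common permissions reach all."""
        return set().union(*(self.direct[u] for u in self._ancestors(unit)))


class RoleAdministration:
    """Regular roles fed from OS-U and OS-P units, plus a role hierarchy."""

    def __init__(self, os_u: OrgStructure, os_p: OrgStructure) -> None:
        self.os_u, self.os_p = os_u, os_p
        self.user_units: dict[str, set[str]] = {}  # role -> OS-U units granted to it
        self.perm_units: dict[str, set[str]] = {}  # role -> OS-P units granted to it
        self.juniors: dict[str, set[str]] = {}     # senior role -> direct junior roles

    def grant_user_unit(self, role: str, unit: str) -> None:
        self.user_units.setdefault(role, set()).add(unit)

    def grant_permission_unit(self, role: str, unit: str) -> None:
        self.perm_units.setdefault(role, set()).add(unit)

    def add_inheritance(self, senior: str, junior: str) -> None:
        self.juniors.setdefault(senior, set()).add(junior)

    def roles(self) -> set[str]:
        return set(self.user_units) | set(self.perm_units) | set(self.juniors)

    def members(self, role: str) -> set[str]:
        """Users in any OS-U unit granted to the role."""
        return set().union(*(self.os_u.user_pool(u) for u in self.user_units.get(role, ())))

    def permissions(self, role: str) -> set[str]:
        """The role's own OS-P pools plus everything inherited from junior roles."""
        perms: set[str] = set()
        seen: set[str] = set()
        stack = [role]
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            for unit in self.perm_units.get(r, ()):
                perms |= self.os_p.permission_pool(unit)
            stack.extend(self.juniors.get(r, ()))
        return perms

    def user_permissions(self, user: str) -> set[str]:
        return set().union(*(self.permissions(r) for r in self.roles() if user in self.members(r)))

    def authorized(self, user: str, permission: str) -> bool:
        return permission in self.user_permissions(user)


def build_example() -> RoleAdministration:
    """Constructed sample organization (not from the paper)."""
    units = {"Company": None, "Engineering": "Company", "Platform": "Engineering", "Finance": "Company"}
    os_u = OrgStructure(dict(units))  # HR places users here
    os_p = OrgStructure(dict(units))  # IT places permissions here
    for user, unit in [("alice", "Platform"), ("bob", "Engineering"), ("carol", "Finance"), ("dave", "Company")]:
        os_u.place(unit, user)
    for perm, unit in [("read-wiki", "Company"), ("push-code", "Engineering"),
                       ("deploy-prod", "Platform"), ("approve-invoice", "Finance")]:
        os_p.place(unit, perm)
    admin = RoleAdministration(os_u, os_p)  # security administrator grants units to roles
    for role, unit in [("Employee", "Company"), ("Engineer", "Engineering"),
                       ("PlatformEngineer", "Platform"), ("Accountant", "Finance")]:
        admin.grant_user_unit(role, unit)
        admin.grant_permission_unit(role, unit)
    admin.add_inheritance("PlatformEngineer", "Engineer")
    admin.add_inheritance("Engineer", "Employee")
    admin.add_inheritance("Accountant", "Employee")
    return admin


if __name__ == "__main__":
    admin = build_example()
    for user in ("alice", "bob", "carol", "dave"):
        print(user, sorted(admin.user_permissions(user)))
```

Note how the common permission `read-wiki`, placed once on the root unit, ends up in every role's pool without a separate assignment per role, while `deploy-prod` stays confined to the Platform unit; a reviewer checking for the unwanted flow of permissions the text attributes to PRA97 can call `permission_pool` on each unit and compare it with what the unit's role is meant to hold.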
