
Role-based access control for trust management: Model, processes, and management

Posted on: 2006-04-30
Degree: Ph.D
Type: Dissertation
University: The University of North Carolina at Charlotte
Candidate: Shin, Dongwan
Full Text: PDF
GTID: 1458390008953965
Subject: Computer Science
Abstract/Summary:
Role-based access control (RBAC) has been widely accepted within computer security communities over the last decade.

The primary goal of this dissertation work is to provide an integrated mechanism for facilitating role-based authorization in open and distributed environments. For this purpose, we first propose a role-based access control model for trust management called TRUSTr. TRUSTr introduces a new component called trust assignment (TA) to traditional RBAC models, thereby associating roles in a local domain with roles from trusted domains. Central to understanding TA is that capability delegation across domains can be expressed on the basis of roles associated by TA.

After discussing how roles can be used for access control in open and distributed environments by presenting a trust-enabled RBAC model, we further investigate two important issues relevant to the usage of roles: how valid roles can be defined and how defined roles can be managed systematically for access control. Role engineering (RE) is an approach to defining roles and assigning permissions to roles, whereby an organizational access control policy can be formulated on roles. We present an RE framework called SIREN for enabling process-driven role definition. The core of our framework is that informational characteristics and flows in the process of RE are analyzed, and system-centric information is then modeled to provide both a method of analysis and a method of communication between two authority boundaries identified in the process of RE. Unified Modeling Language (UML) extension mechanisms are exploited for modeling the information. A case study of using the information model is described to demonstrate its feasibility. Role administration (RA) is an approach to managing defined roles. We propose three methodological constituents that enable systematic role management. We also describe a role administration system called RolePartner, which is built on top of those methodological constituents. RolePartner leverages a directory service for storing role-based authorization policies. We demonstrate that the system can be seamlessly integrated into an existing privilege-based authorization infrastructure based on trust management. (Abstract shortened by UMI.)...
Keywords/Search Tags: Access control, Trust management, Role, Model, RBAC