Engineering of role/permission assignments

Posted on: 2003-07-16
Degree: Ph.D
Type: Dissertation
University: George Mason University
Candidate: Epstein, Pete A
Full Text: PDF
GTID: 1468390011980637
Subject: Computer Science
Abstract/Summary:
No longer should any person be allowed to simply sit down and start working with a computer; only authorized personnel should be allowed to use the computer and its applications. Traditionally, an administrator would assign each person access to the applications. In assigning that access, the administrator would grant all of the permissions needed for the person to complete his/her work, while preventing that person from performing any unauthorized work.

Using an access model such as Discretionary Access Control (DAC), the permissions are granted to each individual user. With permissions granted to several users over many applications, DAC quickly became cumbersome, difficult, and costly to administer. An alternative access model that resolves these issues is Role Based Access Control (RBAC). RBAC is a proven technique to assign permissions to users via roles. A core aspect of RBAC is the Role/Permission Relation. Previous research has applied RBAC models to create roles. In addition, application developers have accepted the definition of RBAC permissions; however, the research has not detailed a systematic model for determining the assignment of permissions to roles. To evolve the RBAC model, and to align permissions with role responsibilities, an approach must be developed to ensure that all, and only those, permissions that are required by a role are assigned.

One solution is to further define the granularity of a role by studying the work that is being conducted by that role. My goal was to define a layered model that served as a basis for detailing an effective methodology to assign permissions to roles. This model concentrated on the assignment of flat roles to permissions. The model also required that the roles and permissions be defined. The methodology defined the layer-to-layer mappings, an aggregation approach, a decomposition approach, and model properties. After defining the methodology, I determined the benefits of the model by comparing it against other “decomposition” and “aggregation” models.
Keywords/Search Tags: Model, Role, RBAC, Permissions, Assign, Person