
The RCL 2000 language for specifying role-based authorization constraints

Posted on: 2001-01-10
Degree: Ph.D
Type: Dissertation
University: George Mason University
Candidate: Ahn, Gail-Joon
Full Text: PDF
GTID: 1468390014454732
Subject: Information Science
Abstract/Summary:
Authorization constraints (also simply called constraints) are an important aspect of role-based access control (RBAC), since they can be argued to be one of the principal motivations behind RBAC. Although the importance of constraints in RBAC has been recognized for a long time, they have not received much attention in research literature, while role hierarchies have been practiced and discussed at considerable length. Most prior work has focused on separation of duty (SOD) constraints enumerating many variations. In this dissertation, we describe a framework for specifying authorization constraints in role-based systems. To specify these constraints, we need an appropriate language as well as some system functions. We propose a simple and intuitive language, RCL 2000 (Role-based Constraints Language 2000), to specify constraints in an intuitive and useful way in role-based systems. The formal semantics for this language is based on its translation to a restricted form of first order predicate logic.

With this language we show how we can express the previous SOD constraints discovering newly identified properties, such as permission-centric constraints. We also define new forms of SOD, especially with role hierarchies. To illustrate the power of RCL 2000 we specify constraints which have been identified in simulations of Lattice-based access control, Chinese Wall, and Discretionary access control policy in RBAC. Moreover, we separate role-based constraints into two major classes: Prohibition Constraints and Obligation Constraints. We characterize a subset of these classes from our specification of role-based constraints.

Our work also shows that it is futile to try to enumerate all constraints because there are too many possibilities and variations; instead, we should pursue an intuitively simple yet rigorous language, such as RCL 2000, for specifying constraints.
Keywords/Search Tags:Constraints, RCL, Language, Role-based, Specifying, RBAC, Access control