Department of Software Technology
Vienna University of Technology
Using Role-Templates for Handling Recurring Role Structures
Abstract
Role-based access controls have been proposed as an alternative to discretionary and
mandatory access controls that is better suited to commercial enterprise environments. Their advantages
include centralized administration, separation of duty and least privilege
properties. However, the nature of enterprises often entails recurring sub-structures like
departments, projects etc. that cannot yet be handled adequately by the available concepts for
role-hierarchies. Therefore, we propose an additional mechanism for administering role
hierarchies called role-templates. This mechanism allows the specification of a generic sub-hierarchy
(e.g. a department role-hierarchy) that may be instantiated for each department of the
enterprise resulting in an automatically generated, concrete role-hierarchy for the particular
department. Furthermore, role-templates may be specialized and have aggregations and
associations to other templates making the concept more flexible and semantically expressive.
The proposed ideas will be implemented as a prototype within the project MeSMo (Meta
Security Model) dealing with enterprise-wide security, which demands highly configurable
access controls for multiple heterogeneous information systems.
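
The instantiation and specialization steps described in the abstract, as an added sketch that is not taken from the paper or from the MeSMo prototype. The class names, the `{unit}` placeholder and the permission strings are assumptions made for illustration; aggregations and associations between templates are not modelled.

```python
from dataclasses import dataclass

@dataclass
class RoleTemplate:
    """Generic sub-hierarchy (assumed representation, not the paper's)."""
    name: str
    roles: dict   # role name -> permission patterns containing {unit}
    edges: list   # (senior, junior): the senior inherits the junior's permissions

    def specialize(self, name, extra_roles=None, extra_edges=None):
        """Derive a template that adds roles and edges to this one."""
        roles = {**self.roles, **(extra_roles or {})}
        return RoleTemplate(name, roles, self.edges + list(extra_edges or []))

    def instantiate(self, unit):
        """Generate the concrete role-hierarchy for one organisational unit."""
        perms = {f"{unit}.{role}": {p.format(unit=unit) for p in patterns}
                 for role, patterns in self.roles.items()}
        juniors = {}
        for senior, junior in self.edges:
            juniors.setdefault(f"{unit}.{senior}", set()).add(f"{unit}.{junior}")
        return RoleHierarchy(perms, juniors)

@dataclass
class RoleHierarchy:
    perms: dict     # concrete role -> own permissions
    juniors: dict   # concrete role -> directly junior roles

    def effective_permissions(self, role):
        """Own permissions plus those of all transitively junior roles.
        A role unknown to this instance gets the empty set (deny by default)."""
        seen, stack, result = set(), [role], set()
        while stack:
            current = stack.pop()
            if current in seen:
                continue
            seen.add(current)
            result |= self.perms.get(current, set())
            stack.extend(self.juniors.get(current, ()))
        return result

# Constructed sample data: one department template and one specialization.
DEPARTMENT = RoleTemplate(
    "Department",
    roles={"Member": ["read:{unit}/docs"], "Clerk": ["write:{unit}/docs"],
           "Head": ["approve:{unit}/budget"]},
    edges=[("Clerk", "Member"), ("Head", "Clerk")])
PROJECT_DEPT = DEPARTMENT.specialize(
    "ProjectDepartment",
    extra_roles={"ProjectLead": ["write:{unit}/plans"]},
    extra_edges=[("Head", "ProjectLead"), ("ProjectLead", "Member")])

sales = DEPARTMENT.instantiate("Sales")
rnd = PROJECT_DEPT.instantiate("R&D")
```

Because every generated role and permission carries the unit name, a role from one department's instance resolves to no permissions in another's, which keeps the least-privilege property across instances.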