Department of Software Technology
Vienna University of Technology


Using Role-Templates for Handling Recurring Role Structures

Abstract

Role-based access controls have been proposed as an alternative to discretionary and mandatory access controls that is better suited to commercial enterprise environments. Their advantages include centralized administration, separation of duty and least privilege properties. However, the nature of enterprises often entails recurring sub-structures such as departments and projects that cannot yet be handled adequately by the available concepts for role-hierarchies. Therefore, we propose an additional mechanism for administering role hierarchies called role-templates. This mechanism allows an administrator to specify a generic sub-hierarchy (e.g. a department role-hierarchy) that may be instantiated for each department of the enterprise, resulting in an automatically generated, concrete role-hierarchy for the particular department. Furthermore, role-templates may be specialized and may have aggregations and associations to other templates, making the concept more flexible and semantically expressive. The proposed ideas will be implemented as a prototype within the project MeSMo (Meta Security Model), which deals with enterprise-wide security and demands highly configurable access controls for multiple heterogeneous information systems.
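The instantiation step described in the abstract, as an added sketch that is not code from the paper or from the MeSMo prototype: a generic department sub-hierarchy is stamped out once per department, and the effective permissions of a concrete role are resolved through the generated hierarchy. The role names, permission strings, "{unit}" placeholder and function names are assumptions made for illustration; specialization, aggregation and association between templates are not modelled.

```python
# Constructed department template (illustrative, not taken from the paper).
DEPARTMENT = {
    "roles": ["Head", "Clerk", "Member"],
    # (senior, junior): the senior role inherits the junior role's permissions.
    "inherits": [("Head", "Clerk"), ("Clerk", "Member")],
    "grants": {
        "Head": ["approve:{unit}/budget"],
        "Clerk": ["write:{unit}/records"],
        "Member": ["read:{unit}/records"],
    },
}

def instantiate(template, unit):
    """Generate the concrete sub-hierarchy of one unit from the generic template."""
    roles = set(template["roles"])
    for senior, junior in template["inherits"]:
        if senior not in roles or junior not in roles:
            raise ValueError(f"edge {senior}->{junior} names an undeclared role")
    inherits = {f"{unit}.{r}": set() for r in roles}
    for senior, junior in template["inherits"]:
        inherits[f"{unit}.{senior}"].add(f"{unit}.{junior}")
    # Permissions are scoped to the unit by filling in the template parameter.
    grants = {f"{unit}.{r}": {p.format(unit=unit)
                             for p in template["grants"].get(r, [])}
              for r in roles}
    return inherits, grants

def build_hierarchy(template, units):
    """Instantiate the template once per unit and merge the results."""
    inherits, grants = {}, {}
    for unit in units:
        unit_inherits, unit_grants = instantiate(template, unit)
        inherits.update(unit_inherits)
        grants.update(unit_grants)
    return inherits, grants

def effective_permissions(role, inherits, grants):
    """Collect a role's own permissions plus those of all its junior roles."""
    seen, stack, perms = set(), [role], set()
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        perms |= grants[current]
        stack.extend(inherits[current])
    return perms

if __name__ == "__main__":
    inherits, grants = build_hierarchy(DEPARTMENT, ["sales", "research"])
    print(sorted(effective_permissions("sales.Head", inherits, grants)))
```

Because every generated role and permission carries the unit name, a role in one department instance holds no permission in another; that isolation is a property of this sketch's naming scheme.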

