Panel on role engineering

  • Authors:
  • Vijay Atluri

  • Affiliations:
  • Rutgers University

  • Venue:
  • Proceedings of the 13th ACM symposium on Access control models and technologies
  • Year:
  • 2008

Abstract

Due to its flexibility, ease of administration and intuitiveness, role-based access control (RBAC) is now part of most operating systems and application software. As a result of its commercial success, it has become a standard for implementing access control in many of today's organizations. However, deploying RBAC requires one to first identify an accurate and complete set of roles, and then to assign users to roles and permissions to roles. This process, known as role engineering [3], has been identified as one of the costliest components in realizing RBAC [7]. Although the problem of role engineering has been studied since the early nineties, a recent surge in interest can be seen equally from the academic and industry communities. The primary focus of this panel is to have an in-depth discussion of this problem along several dimensions. The panelists, drawn from both academia and industry, include Gail Ahn (University of North Carolina, Charlotte), Vijay Atluri (Rutgers University), Edward Coyne (Science Applications International Corporation), William Horne (Hewlett-Packard), Axel Kern (Beta Systems), Sylvia Osborn (University of Western Ontario) and Andreas Schaad (SAP Labs), who are experts in role engineering. The first dimension of discussion will be the different means of approaching the role engineering problem, which basically include top-down and bottom-up approaches. Under the top-down approach, roles are defined by carefully analyzing and decomposing business processes into smaller units in a functionally independent manner. These functional units are then associated with permissions on information systems. Coyne [3] was the first to describe the role engineering problem and to present the concepts of the top-down approach. Later, several further top-down approaches were proposed [6, 1, 12, 14, 15, 11, 5, 8, 2]. In contrast, the bottom-up approach utilizes the existing permission assignments to formulate roles.

Recently, several solutions have been proposed in this direction [9, 13, 18, 16, 17, 4, 10]. It may also be advantageous to use a hybrid approach, which is a mixture of the top-down and the bottom-up approaches. The focus of the discussion will be on the pragmatics of applying these classes of solutions in real-world situations. Another dimension of discussion will be the past experiences and current practices employed by organizations in dealing with the role engineering problem, as well as the panelists' opinions on the practices to be expected in the future. Yet another dimension is to tackle this problem from a formal perspective and examine the different variants of the problem. These include devising a minimal but complete and good set of roles, minimizing the number of user-to-role and role-to-permission assignments, weaker notions of devising minimal roles [16], and the like. The discussions will cover formal versus practical solutions, their limitations, and issues needing further investigation.
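As an added illustration of the bottom-up approach and of the "minimal but complete role set" versus "fewest assignments" trade-off discussed above (example code written for this page, not from the panel or any of the cited works), the following mines candidate roles from a constructed user-permission table, drops roles that are merely unions of other roles, and checks that the result still reproduces every user's permissions exactly.

```python
from itertools import combinations

# Constructed sample user-permission assignment (UPA); not taken from any cited work.
UPA = {
    "alice": frozenset({"read_ledger", "post_journal", "view_payroll"}),
    "bob":   frozenset({"read_ledger", "post_journal"}),
    "carol": frozenset({"read_ledger", "view_payroll"}),
    "dave":  frozenset({"read_ledger", "post_journal", "view_payroll"}),
}


def candidate_roles(upa):
    """Bottom-up step 1: every distinct permission set held by some user is a candidate role."""
    return sorted(set(upa.values()), key=lambda r: (-len(r), sorted(r)))


def reduce_roles(roles):
    """Bottom-up step 2: drop any role that is exactly the union of smaller roles.
    The role set stays complete but shrinks; affected users receive several roles instead."""
    keep = list(roles)
    for r in sorted(roles, key=len, reverse=True):
        parts = [o for o in keep if o < r]          # proper subsets still kept
        covered = any(frozenset().union(*combo) == r
                      for k in range(2, len(parts) + 1)
                      for combo in combinations(parts, k))
        if covered:
            keep.remove(r)
    return keep


def assign(upa, roles):
    """Build the user-role (UA) and role-permission (PA) relations greedily (largest
    fitting role first) and verify that UA composed with PA reproduces the UPA exactly."""
    ua = {}
    for user, perms in upa.items():
        chosen, covered = [], frozenset()
        for r in sorted(roles, key=len, reverse=True):
            if r <= perms and not r <= covered:      # adds new permissions, grants nothing extra
                chosen.append(r)
                covered |= r
        if covered != perms:
            raise ValueError(f"role set is incomplete for {user}")
        ua[user] = chosen
    pa = {r: sorted(r) for r in roles}
    return ua, pa


def assignment_cost(ua, pa):
    """Total number of UA plus PA assignments, the quantity a minimal solution tries to shrink."""
    return sum(len(rs) for rs in ua.values()) + sum(len(ps) for ps in pa.values())
```

On the sample data, three candidate roles reduce to two, and the total assignment count drops from 11 to 10 while every user keeps exactly the permissions they started with.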