Determining role rights from use cases
RBAC '97 Proceedings of the second ACM workshop on Role-based access control
RBAC '95 Proceedings of the first ACM Workshop on Role-based access control
Migrating to role-based access control
RBAC '99 Proceedings of the fourth ACM workshop on Role-based access control
RBAC '00 Proceedings of the fifth ACM workshop on Role-based access control
A scenario-driven role engineering process for functional RBAC roles
SACMAT '02 Proceedings of the seventh ACM symposium on Access control models and technologies
Observations on the role life-cycle in the context of enterprise security management
SACMAT '02 Proceedings of the seventh ACM symposium on Access control models and technologies
On modeling system-centric information for role engineering
Proceedings of the eighth ACM symposium on Access control models and technologies
Role mining - revealing business roles for security administration using data mining technology
Proceedings of the eighth ACM symposium on Access control models and technologies
Role-Based Access Control Framework for Network Enterprises
ACSAC '98 Proceedings of the 14th Annual Computer Security Applications Conference
Engineering of Role/Permission Assignments
ACSAC '01 Proceedings of the 17th Annual Computer Security Applications Conference
Proceedings of the tenth ACM symposium on Access control models and technologies
RoleMiner: mining roles using subset enumeration
Proceedings of the 13th ACM conference on Computer and communications security
The role mining problem: finding a minimal descriptive set of roles
Proceedings of the 12th ACM symposium on Access control models and technologies
Fast exact and heuristic methods for role minimization problems
Proceedings of the 13th ACM symposium on Access control models and technologies
Migrating to optimal RBAC with minimal perturbation
Proceedings of the 13th ACM symposium on Access control models and technologies
Mining roles with semantic meanings
Proceedings of the 13th ACM symposium on Access control models and technologies
Role Engineering for Enterprise Security Management
A closer look to the V-model approach for role engineering
WSEAS Transactions on Computers
Due to its flexibility, ease of administration and intuitiveness, role-based access control (RBAC) is now part of most operating systems and application software. As a result of its commercial success, it has become the standard way of implementing access control in many of today's organizations. However, deploying RBAC requires one to first identify an accurate and complete set of roles, and then assign users to roles and permissions to roles. This process, known as role engineering [3], has been identified as one of the costliest components of realizing RBAC [7]. Although the problem of role engineering has been studied since the early nineties, a recent surge in interest can be seen equally from the academic and industry communities. The primary focus of this panel is an in-depth discussion of this problem along several dimensions. The panelists, drawn from both academia and industry, are Gail Ahn (University of North Carolina, Charlotte), Vijay Atluri (Rutgers University), Edward Coyne (Science Applications International Corporation), William Horne (Hewlett-Packard), Axel Kern (Beta Systems), Sylvia Osborn (University of Western Ontario) and Andreas Schaad (SAP Labs), who are experts in role engineering.

The first dimension of discussion will be the different means of approaching the role engineering problem, which basically fall into top-down and bottom-up approaches. Under the top-down approach, roles are defined by carefully analyzing and decomposing business processes into smaller, functionally independent units. These functional units are then associated with permissions on information systems. Coyne [3] was the first to describe the role engineering problem and to present the concepts of the top-down approach; later, several top-down approaches were proposed [6, 1, 12, 14, 15, 11, 5, 8, 2]. In contrast, the bottom-up approach utilizes the existing permission assignments to formulate roles. Recently, several solutions have been proposed in this direction [9, 13, 18, 16, 17, 4, 10]. It may also be advantageous to use a hybrid approach, which mixes the top-down and bottom-up approaches. The focus of the discussion will be on the pragmatics of applying these classes of solutions in real-world situations.

Another dimension of discussion will be the past experiences and current practices employed by organizations in dealing with the role engineering problem, as well as the panelists' opinions on the practices expected in the future. Yet another dimension is to tackle this problem from a formal perspective and examine the different variants of the problem. These include devising a minimal but complete and good set of roles, minimizing the number of user-to-role and role-to-permission assignments, weaker notions of devising minimal roles [16], and the like. The discussion will cover formal versus practical solutions, their limitations, and issues needing further investigation.
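The bottom-up approach and the formal variants mentioned above (fewest roles versus fewest user-to-role and role-to-permission assignments) are easiest to see on a concrete user-permission assignment. The following is an added example written for this page; it is not code from the panel or from any of the cited papers. The user names and permission names are constructed. Candidate roles are generated as the intersection closure of the users' permission sets (a simplified form of the subset-enumeration idea), a greedy set-cover heuristic then picks roles, and the result is checked for completeness (every original permission is still granted) and exactness (no user gains a permission the original assignment never gave). A trivial "one role per distinct permission set" solution is built alongside so the two objectives can be compared.

```python
"""Bottom-up role mining on a small user-permission assignment (UPA).

Added illustration, not code from the panel or the cited papers. Candidate
generation is a simplified intersection closure; selection is a plain greedy
set-cover heuristic, so the result is exact but not guaranteed to be minimal.
"""
from itertools import combinations

# Constructed sample UPA (user -> permissions); not taken from any real system.
UPA = {
    "alice": {"read_ledger", "post_journal", "approve_payment"},
    "bob":   {"read_ledger", "post_journal"},
    "carol": {"read_ledger", "post_journal", "approve_payment"},
    "dave":  {"read_ledger", "run_report"},
    "erin":  {"read_ledger", "run_report", "manage_users"},
    "frank": {"manage_users"},
    "grace": {"read_ledger", "post_journal", "approve_payment"},
    "heidi": {"read_ledger", "post_journal"},
    "ivan":  {"read_ledger", "run_report"},
}


def _order(role):
    # Stable sort key so tie-breaking does not depend on set iteration order.
    return tuple(sorted(role))


def candidate_roles(upa):
    """Candidate roles: closure of the users' permission sets under intersection.

    Every candidate is a subset of at least one user's permissions, so giving it
    to a user whose permissions include it can never grant anything extra.
    """
    roles = {frozenset(p) for p in upa.values() if p}
    changed = True
    while changed:
        changed = False
        for a, b in combinations(sorted(roles, key=_order), 2):
            c = a & b
            if c and c not in roles:
                roles.add(c)
                changed = True
    return roles


def mine_roles(upa):
    """Greedy selection: repeatedly take the candidate that covers the most
    still-uncovered (user, permission) cells, and assign it only to eligible
    users who still gain a permission from it. Returns (PA, UA)."""
    uncovered = {(u, p) for u, perms in upa.items() for p in perms}
    candidates = candidate_roles(upa)
    pa, ua = {}, {u: set() for u in upa}
    while uncovered:
        best, best_gain = None, 0
        for role in sorted(candidates, key=_order):
            gain = sum(1 for u, perms in upa.items() if role <= perms
                       for p in role if (u, p) in uncovered)
            if gain > best_gain:
                best, best_gain = role, gain
        name = f"role{len(pa)}"
        pa[name] = set(best)
        for u, perms in upa.items():
            cells = {(u, p) for p in best}
            if best <= perms and cells & uncovered:
                ua[u].add(name)
                uncovered -= cells
        candidates.discard(best)
    return pa, ua


def baseline_roles(upa):
    """Trivial exact solution: one role per distinct permission set, one role
    per user. Most roles, but the fewest user-to-role assignments possible."""
    pa, ua, names = {}, {}, {}
    for u, perms in sorted(upa.items()):
        key = frozenset(perms)
        if key not in names:
            names[key] = f"role{len(names)}"
            pa[names[key]] = set(perms)
        ua[u] = {names[key]}
    return pa, ua


def reconstruct(pa, ua):
    """Permissions each user actually receives through the role assignments."""
    return {u: set().union(*(pa[r] for r in roles)) for u, roles in ua.items()}


def is_complete_and_exact(upa, pa, ua):
    """True iff the roles grant exactly the original UPA: nothing lost
    (complete) and nothing added (exact, i.e. no privilege creep)."""
    return reconstruct(pa, ua) == upa


def assignment_cost(pa, ua):
    """|UA| + |PA|: total number of user-to-role plus role-to-permission edges."""
    return sum(len(r) for r in ua.values()) + sum(len(p) for p in pa.values())


if __name__ == "__main__":
    for label, (pa, ua) in (("greedy", mine_roles(UPA)),
                            ("one role per distinct set", baseline_roles(UPA))):
        print(f"{label}: {len(pa)} roles, {assignment_cost(pa, ua)} assignments, "
              f"exact={is_complete_and_exact(UPA, pa, ua)}")
```

On this input the greedy miner returns four roles against five for the baseline, yet needs more total assignments (21 versus 20), because it gives the ledger approvers two stacked roles where the baseline gives them one larger role. That is the divergence the panel text points at: a minimal set of roles, a minimal number of assignments, and a "good" set of roles that matches the business are different objectives, and a mined role set should always be re-checked for exactness before it replaces the existing permission assignments.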