RABAC: role-centric attribute-based access control

  • Authors: Xin Jin; Ravi Sandhu; Ram Krishnan
  • Affiliations: Institute for Cyber Security & Department of Computer Science, University of Texas at San Antonio; Institute for Cyber Security & Department of Computer Science, University of Texas at San Antonio; Institute for Cyber Security & Dept. of Elect. and Computer Engg., University of Texas at San Antonio
  • Venue: MMM-ACNS'12 Proceedings of the 6th international conference on Mathematical Methods, Models and Architectures for Computer Network Security: computer network security
  • Year: 2012

Abstract

Role-based access control (RBAC) is a commercially dominant model, standardized by the National Institute of Standards and Technology (NIST). Although RBAC provides compelling benefits for security management, it has several known deficiencies, such as role explosion, wherein multiple closely related roles are required (e.g., an attending-doctor role is separately defined for each patient). Numerous extensions to RBAC have been proposed to overcome these shortcomings. Recently, NIST announced an initiative to unify and standardize these extensions by integrating roles with attributes, and identified three approaches: use attributes to dynamically assign users to roles, treat roles as just another attribute, and constrain the permissions of a role via attributes. The first two approaches have been previously studied. This paper presents a formal model for the third approach for the first time in the literature. We propose the novel role-centric attribute-based access control (RABAC) model, which extends the NIST RBAC model with permission filtering policies. Unlike prior proposals addressing the role-explosion problem, RABAC does not fundamentally modify the role concept and integrates seamlessly with the NIST RBAC model. We also define an XACML profile for RABAC based on the existing XACML profile for RBAC.
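The following is an added illustration of the abstract's third approach (constraining a role's permissions via attributes), not code from the paper: a plain RBAC check sits beside the same check with a per-role permission filtering policy over user and object attributes, using the attending-doctor example. The attribute names, the policy representation and the sample users, roles and records are constructed assumptions, and sessions are simplified to "all of a user's roles are active".

```python
# Added example of the RABAC idea: RBAC role/permission assignment, then an
# attribute-based permission filtering step per role. The attribute names,
# policy form and sample data are assumptions, not the paper's formal model.
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    operation: str
    object_type: str


# RBAC core (constructed sample data): role -> permissions, user -> roles.
ROLE_PERMS = {
    "attending_doctor": {Permission("read", "record"), Permission("write", "record")},
    "nurse": {Permission("read", "record")},
}
USER_ROLES = {"alice": {"attending_doctor"}, "bob": {"nurse"}}

# Attributes (constructed): which patients a user attends, which ward they work on,
# and per-record patient/ward/type attributes.
USER_ATTRS = {"alice": {"patients": {"p1", "p2"}, "ward": "W1"},
              "bob": {"patients": set(), "ward": "W2"}}
OBJ_ATTRS = {"rec-p1": {"patient": "p1", "ward": "W1", "type": "record"},
             "rec-p3": {"patient": "p3", "ward": "W2", "type": "record"}}

# Permission filtering policies, one per role (assumed representation): a predicate
# over (user attributes, object attributes) that decides whether the role's
# permissions apply to this particular object. One attending_doctor role now
# covers every patient instead of one role per patient.
FILTER_POLICY = {
    "attending_doctor": lambda u, o: o["patient"] in u["patients"],
    "nurse": lambda u, o: o["ward"] == u["ward"],
}


def rbac_permitted(user: str, op: str, obj: str) -> bool:
    """Plain RBAC: allowed if any active role grants (operation, object type)."""
    want = Permission(op, OBJ_ATTRS[obj]["type"])
    return any(want in ROLE_PERMS[role] for role in USER_ROLES[user])


def rabac_permitted(user: str, op: str, obj: str) -> bool:
    """RABAC: the RBAC check, then each role's permissions are filtered by its policy."""
    want = Permission(op, OBJ_ATTRS[obj]["type"])
    u, o = USER_ATTRS[user], OBJ_ATTRS[obj]
    for role in USER_ROLES[user]:
        policy = FILTER_POLICY.get(role, lambda u, o: True)  # no policy: unfiltered RBAC
        if want in ROLE_PERMS[role] and policy(u, o):
            return True
    return False
```

Plain RBAC lets alice write any record because her role is not patient-specific; the filtering policy narrows the same role to her own patients without adding roles.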