Object-Specific Role-Based Access Control
International Journal of Cooperative Information Systems (IF 1.5), Pub Date: 2019-02-19, DOI: 10.1142/s0218843019500035
Nicolas Mundbrod, Manfred Reichert

The proper management of privacy and security constraints in information systems in general, and of access control in particular, remains a substantial and still prevalent challenge. Role-based access control (RBAC) and its variants can be considered the most widely adopted approach to realizing authorization in information systems. However, RBAC lacks proper object-specific support, which prevents establishing the fine-grained access control required in many domains. By comparison, attribute-based access control (ABAC) enables fine-grained access control based on policies and rules that evaluate attributes. As a drawback, ABAC lacks the abstraction of roles, and it is challenging to engineer and to audit the privileges encoded in rule-based policies. This paper presents the generic approach of object-specific role-based access control (ORAC). On the one hand, ORAC enables information system engineers, administrators and users to utilize the well-known principle of roles. On the other hand, ORAC allows access to objects to be granted in a fine-grained way where required. The approach was established systematically according to well-elicited key requirements for fine-grained access control in information systems. For evaluation, the approach was applied to real-world scenarios and implemented in a proof-of-concept prototype demonstrating its feasibility and applicability.
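The distinction the abstract draws between RBAC roles that apply to a whole object type and role assignments scoped to a particular object, as an added illustration in Python. This is not the paper's ORAC model or the authors' prototype code; the two classes, the user and role names and the patient-record scenario are constructed for the example, and the audit function only shows that an enumeration of explicit assignments answers "who can do what on this object" without evaluating rule-based policies.

```python
"""Classic RBAC versus object-specific role assignment.

Added illustration, not the paper's model or code: the ORAC formalization
described in the abstract is not reproduced here. The sketch only shows why
a role held globally cannot tell object instances apart, and how scoping a
role assignment to one object restores that distinction while keeping roles
as the unit of administration and audit. Users, roles and the patient-record
scenario are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

# What each role may do, keyed by object *type*; shared by both models.
ROLE_PERMISSIONS: Dict[str, Dict[str, FrozenSet[str]]] = {
    "physician": {"patient_record": frozenset({"read", "write"})},
    "nurse": {"patient_record": frozenset({"read"})},
}


@dataclass(frozen=True)
class Obj:
    oid: str    # object instance identifier
    otype: str  # object type that ROLE_PERMISSIONS is keyed by


class ClassicRBAC:
    """User -> roles. A role applies to every object of the permitted type."""

    def __init__(self) -> None:
        self.user_roles: Dict[str, Set[str]] = {}

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def check(self, user: str, action: str, obj: Obj) -> bool:
        return any(
            action in ROLE_PERMISSIONS.get(role, {}).get(obj.otype, frozenset())
            for role in self.user_roles.get(user, set())
        )


class ObjectSpecificRBAC:
    """User -> (role, scope) pairs. scope is an object id, or None for a
    role held globally; an object-scoped role grants nothing elsewhere."""

    def __init__(self) -> None:
        self.assignments: Dict[str, Set[Tuple[str, Optional[str]]]] = {}

    def assign(self, user: str, role: str, obj: Optional[Obj] = None) -> None:
        scope = obj.oid if obj is not None else None
        self.assignments.setdefault(user, set()).add((role, scope))

    def _actions(self, user: str, obj: Obj) -> Set[str]:
        actions: Set[str] = set()
        for role, scope in self.assignments.get(user, set()):
            if scope is None or scope == obj.oid:
                actions |= ROLE_PERMISSIONS.get(role, {}).get(obj.otype, frozenset())
        return actions

    def check(self, user: str, action: str, obj: Obj) -> bool:
        return action in self._actions(user, obj)

    def audit(self, obj: Obj) -> Dict[str, Set[str]]:
        """Who can do what on this object: answered by enumerating explicit
        assignments rather than by evaluating rule-based policies."""
        report = {user: self._actions(user, obj) for user in self.assignments}
        return {user: acts for user, acts in report.items() if acts}


def demo():
    """Run both models over the same constructed scenario."""
    rec_a = Obj("rec-1001", "patient_record")
    rec_b = Obj("rec-1002", "patient_record")

    rbac = ClassicRBAC()
    rbac.assign("dr_smith", "physician")
    # Classic RBAC: the physician role reaches every record of the type.
    classic = (rbac.check("dr_smith", "read", rec_a),
               rbac.check("dr_smith", "read", rec_b))

    orac = ObjectSpecificRBAC()
    orac.assign("dr_smith", "physician", rec_a)  # treating physician for rec-1001 only
    orac.assign("nurse_lee", "nurse")            # ward nurse: read on all records
    scoped = (orac.check("dr_smith", "read", rec_a),
              orac.check("dr_smith", "read", rec_b))
    return classic, scoped, orac.audit(rec_a), orac.audit(rec_b)


if __name__ == "__main__":
    classic, scoped, audit_a, audit_b = demo()
    print("classic RBAC  dr_smith read rec-1001/rec-1002:", classic)  # (True, True)
    print("object-scoped dr_smith read rec-1001/rec-1002:", scoped)   # (True, False)
    print("audit rec-1001:", audit_a)
    print("audit rec-1002:", audit_b)
```

The point of the `scope` field is that a role stays the administrative unit (the same `ROLE_PERMISSIONS` table serves both models) while the assignment, not the policy, carries the object-specific information; the audit report for one object is then a direct enumeration rather than a policy evaluation.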

Updated: 2019-02-19