DS RBAC - Dynamic Sessions in Role Based Access Control

Besides the well established access control models, Discretionary Access Control (DAC) and Mandatory Access Control (MAC), the policy neutral Role Based Access Control (RBAC) is gaining increasing attention. An important step towards a wide acceptance of RBAC has been achieved by the standardization of RBAC through the American National Standards Institute (ANSI). While the mandatory concept of sessions specified in the ANSI RBAC standard allows for differentiated role selections according to the tasks that have to be performed in the session, it is very likely that more roles will be selected than are actually needed. Dynamic Sessions in RBAC (DS RBAC) is an extension of the existing RBAC ANSI standard that dynamically de-activates roles in a session if they are not used for a certain period of time. Analogous to the working set model known from virtual memory, only those roles are left activated in a session, that have most recently been exercised by the user. If the user tries to access a role that has aged out due to inactivity, a role fault occurs. A role fault can be resolved by the role fault handler that is responsible for re-activating the expired role for the user. After a brief overview about access control systems in general and an historical review about the evolution of RBAC, the basics of of DS RBAC will be presented.