Role Hierarchies and Constraints for Lattice-Based Access Controls

1 I N T R O D U C T I O N Role-based access control (RBAC) has recently received considerable attention as a promising alternative to traditional discretionary and mandatory access controls (see, for example, [FK92, SCY96, SCFY96]). In RBAC permissions are associated with roles, and users are made members of appropriate roles thereby acquiring the roles' permissions. This greatly simplifies management of permissions. Roles are created for the various job functions in an organization and users are assigned roles based on their responsibilities and qualifications. Users can be easily reassigned from one role to another. Roles can be granted new permissions as new applications and systems are incorporated, and permissions can be revoked from roles as needed. An important characteristic of RBAC is that by itself it is policy neutral. RBAC is a means for articulating policy rather than embodying a particular security policy (such as one-directional information flow in a lattice). The policy enforced in a particular system is the net result of the precise configuration and interactions of various RBAC components as directed by the system owner. Moreover, the access * This research is partly supported by contract 50-DKNB-5-00188 from the National Institute of Standards and Technology at SETA Corporation, and grant CCR-9503560 from the National Science Foundation at George Mason University. *~ All correspondence should be addressed to Ravi Sandhu, ISSE Department, MS 4A4, George Mason University, Falrfax, VA 22030, USA. Email: sandhu~isse.gmu.edu, voice: +1 703 993 1659, fax: +1 703 993 1638, URL: http://www.isse.gmu.edu/faculty/sandhu.