A Framework for Secure, Obligated, Coordinated and Dynamic Collaboration that Extends NIST RBAC

There has been a long history of security and access control models, from both a research perspective, and as realized in working systems. The three dominant models are: mandatory access control, MAC [Bell, 1975], discretionary access control, DAC [Linn, 1999], and role-based access control, RBAC [Sandhu, 1996]. In MAC [Bell, 1975], security levels (SL’s) such as unclassified (U), confidential (C), secret (S), and top secret (T) where U < C < S < T form a lattice structure and are assigned to each subject (clearance CLR) and object (classification CLS). The permission of the subject to perform some operation on the object depends on the CLR and CLS relation as dictated by: Simple Security Property (read down no read up) [Bell, 1975]; Simple Integrity Property (write down no write up) [Biba, 1977]; and, Liberal *-Property (write up no write down') [Bell, 1975]. Role-based Access Control (RBAC) as supported by the National Institute of Stands and Technology (NIST RBAC, 2010) provides for the definition of roles, the binding of roles to permissions, the assignment of roles to users, and the association of users to objects limited by the permissions on the assigned user’s role, where the constraints in RBAC focus on providing the ability to limit access via separation of duty and cardinality constraints [Ahn, 2000; Han, 2007], and support least privilege, which allows for access to only that information which is necessary to accomplish one's tasks [Ferraiolo, 2001]. In DAC, the emphasis is on the delegation of authority, where an authorized individual (not the security officer) may delegate all or part of his/her authority to another individual, increasing security risk, and raising interesting security assurance implications [Linn, 1999]. These approaches share an overriding emphasis to protect and limit access, controlling who and when actions against data can occur.