We demonstrate how one can use the formal concept analysis (FCA) to obtain the role hierarchy for the role based access control from the existing access control matrix. We also discuss assesed by means of FCA the quality of security system and finding users with excess permissions.

Since its formalization RBAC has become the yardstick for the evaluation of access control formalisms. In order to meet organizational needs, it has been extended along several directions: delegation, separation of duty, history-based access control, etc. We propose in this paper an access control language in which RBAC and all the above-listed extensions can be encoded. In contrast with Cassan...

We consider the safety problem for Administrative RoleBased Access Control (ARBAC) policies, i.e. detecting whether sequences of administrative actions can result in policies by which a user can acquire permissions that may compromise some security goals. In particular, we are interested in sequences of safety problems generated by modifications (namely, adding/deleting an element to/from the s...

This paper shows how to extend RBAC sessions with dynamic aspects to deal with user switch. Users can authenticate using their functions which will create a dynamic session and automatically activate a set of privileges associated with this function. A dynamic session can be joined, leaved, restarted and reused by authorized users. Moreover, a user can switch the session to another user in orde...

Access control policies often are partly static, i.e. no dependence on any run-time information, and partly dynamic. However, they are usually enforced dynamically even the static parts. We propose a new hybrid approach to policy enforcement in the Category-Based Access Control (CBAC) meta-model. We build on previous work, which established a static system for the enforcement of (static) hierar...

The paper presents revocation schemes in role-based access control models. We are particularly interested in two key issues: how to perform the revocation and how to manage the revocation policy. We show how to deal with these two aspects in our delegation model based on the OrBAC formalism and its administration licence concept. This model provides means to manage several types of of delegatio...

There has been for several years a growing interest in defining new access control models and administration facilities for these models. Several models have observed that only structuring the model using the concept of roles as in RBAC is not sufficient to administer decentralized enterprises. These models have suggested to consider new concepts such as organization (as in OrBAC) or domain (as...

Even though the final objective of an access control model is to provide a framework to decide if actions performed by subjects on objects are permitted or not, it is not convenient to directly specify an access control policy using concepts of subjects, objects and actions. This is why the Role Based Access Control (RBAC) model suggests using a more abstract concept than subject to specify a p...

In the secure domain computing environments, it is important to keep resources and information integrity from unauthorized access. Therefore, there is a strong demand on the access control for shared resources. In the past few years, Role-based Access Control (RBAC) has been introduced and offered a powerful means of specifying access control decisions. In this paper, an Object Oriented RBAC mo...