Administration model for Or-BAC

Abstract

Even though the final objective of an access control model is to provide a framework to decide if actions performed by subjects on objects are permitted or not, it is not convenient to directly specify an access control policy using concepts of subjects, objects and actions. This is why the Role Based Access Control (RBAC) model suggests using a more abstract concept than subject to specify a policy. The Organization Based Access Control (Or-BAC) model further generalizes the RBAC model by introducing the concepts of activity and view as abstractions of action and object. In the Or-BAC model, it is also possible to specify privileges that only apply in some given contexts. In this paper, we present AdOr-BAC, an administration model for Or-BAC. This model is fully homogeneous with the remainder of Or-BAC. AdOr-BAC can control assignment of user to role (User Role Administration), assignment of permission to role (Permission Role Administration) and assignment of user to permission (User Permission Administration). This last possibility is useful to control fine grained delegation, when a user wants to grant a specific permission to another given user. AdOr-BAC is compared with other administration models, such as the ARBAC model suggested for RBAC, showing some of its advantages. © Springer-Verlag Berlin Heidelberg 2003.