Role-based access control on the web

Abstract

Current approaches to access control on the Web servers do not scale to enterprise-wide systems because they are mostly based on individual user identities. Hence we were motivated by the need to manage and enforce the strong and efficient RBAC access control technology in large-scale Web environments. To satisfy this requirement, we identify two different architectures for RBAC on the Web, called user-pull and server-pull . To demonstrate feasibility, we implement each architecture by integrating and extending well-known technologies such as cookies, X.509, SSL, and LDAP, providing compatibility with current web technologies. We describe the technologies we use to implement RBAC on the Web in different architectures. Based on our experience, we also compare the tradeoffs of the different approaches.

Keywords

This publication has 23 references indexed in Scilit:

Role-based access control: a multi-dimensional view
Published by Institute of Electrical and Electronics Engineers (IEEE) ,2002
Role-based authorization constraints specification
ACM Transactions on Information and System Security, 2000
Configuring role-based access control to enforce mandatory and discretionary access control policies
ACM Transactions on Information and System Security, 2000
Secure cookies on the Web
IEEE Internet Computing, 2000
RBAC on the Web by smart certificates
Published by Association for Computing Machinery (ACM) ,1999
The ARBAC97 model for role-based administration of roles
ACM Transactions on Information and System Security, 1999
Decentralized user-role assignment for Web-based intranets
Published by Association for Computing Machinery (ACM) ,1998
Rationale for the RBAC96 family of access control models
Published by Association for Computing Machinery (ACM) ,1996
Role-based access control models
Computer, 1996
A method for obtaining digital signatures and public-key cryptosystems
Communications of the ACM, 1978