Reconciling role based management and role based access control

Abstract
Role Based Access Control (RBAC) is only a subset of security management and, more broadly, of distributed systems management. Yet the characteristics and use of role objects in RBAC and in Role Based Management (RBM) may differ significantly. In this paper we outline a Role Management Framework based on the specification of policies and examine its differences from, and similarities with, the RBAC concepts. In particular, two aspects of roles required in RBM are emphasised: the need for obligation policies, which changes the way roles are used within the system, and the object-oriented role model, which uses inheritance for re-use of the specification rather than implementing set-subset relationships on access rights. Obligation policies define actions to be performed by administrators or security components when events such as security violations are detected, e.g. the security administrator must investigate all sequences of 5 login failures from the same source, or users must change passwords every 3 months. In this paper, we consider roles in the more general context of distributed systems management and show how these concepts can be used to extend the RBAC approach to cater for both specification
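The two distinctions the abstract draws, authorization policies versus obligation policies, and roles that inherit a policy specification rather than a superset of access rights, can be made concrete in a small model. The following is an added example, not code from the paper or its framework: the class names (Role, AuthorizationPolicy, ObligationPolicy, PolicyEngine), the event names, the login-stream format and the reading of "3 months" as 90 days are all assumptions; the 5-login-failure and password-change obligations are the abstract's own examples.

```python
"""Minimal role/policy model: authorization vs. obligation policies.

Added illustration; class and event names are assumptions, not the paper's API.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AuthorizationPolicy:
    """What a holder of the role MAY do to a target (the classic RBAC view)."""
    action: str
    target: str


@dataclass(frozen=True)
class ObligationPolicy:
    """What a holder of the role MUST do when a named event is detected."""
    event: str
    action: str


@dataclass
class Role:
    """A role re-uses its parent's policy *specification* through inheritance.

    Nothing here asserts that the child's access rights are a superset of the
    parent's: the child simply inherits the parent's policy statements and adds
    its own, which is the object-oriented view the abstract contrasts with
    set-subset relationships on access rights.
    """
    name: str
    parent: Optional["Role"] = None
    authorizations: List[AuthorizationPolicy] = field(default_factory=list)
    obligations: List[ObligationPolicy] = field(default_factory=list)

    def all_authorizations(self) -> List[AuthorizationPolicy]:
        inherited = self.parent.all_authorizations() if self.parent else []
        return inherited + self.authorizations

    def all_obligations(self) -> List[ObligationPolicy]:
        inherited = self.parent.all_obligations() if self.parent else []
        return inherited + self.obligations

    def permits(self, action: str, target: str) -> bool:
        return any(p.action == action and p.target == target
                   for p in self.all_authorizations())


class PolicyEngine:
    """Watches an event stream and fires the obligations bound to each event."""
    LOGIN_FAILURE_THRESHOLD = 5             # the abstract's example: 5 failures
    PASSWORD_MAX_AGE = timedelta(days=90)   # assumption: "3 months" taken as 90 days

    def __init__(self, roles: Dict[str, Role]):
        self.roles = roles
        self.failures = defaultdict(int)        # consecutive failures per source
        self.fired: List[Tuple[str, str, str]] = []   # (role, action, detail)

    def _fire(self, event: str, detail: str) -> None:
        for role in self.roles.values():
            for ob in role.all_obligations():
                if ob.event == event:
                    self.fired.append((role.name, ob.action, detail))

    def observe_login(self, source: str, success: bool) -> None:
        """A success resets the counter; the 5th consecutive failure fires once."""
        if success:
            self.failures[source] = 0
            return
        self.failures[source] += 1
        if self.failures[source] == self.LOGIN_FAILURE_THRESHOLD:
            self._fire("login_failure_sequence", source)

    def check_password_age(self, user: str, last_change: date, today: date) -> None:
        if today - last_change > self.PASSWORD_MAX_AGE:
            self._fire("password_expired", user)


def build_roles() -> Dict[str, Role]:
    operator = Role("operator",
                    authorizations=[AuthorizationPolicy("read", "audit_log")])
    sec_admin = Role("security_administrator", parent=operator,
                     authorizations=[AuthorizationPolicy("write", "firewall_rules")],
                     obligations=[ObligationPolicy("login_failure_sequence", "investigate")])
    user = Role("user",
                obligations=[ObligationPolicy("password_expired", "change_password")])
    return {r.name: r for r in (operator, sec_admin, user)}


def demo() -> List[Tuple[str, str, str]]:
    """Run a constructed event stream and return the obligations that fired."""
    engine = PolicyEngine(build_roles())
    # Constructed login stream: 5 straight failures from one source, then a
    # success that resets the counter, plus an isolated failure elsewhere.
    for _ in range(5):
        engine.observe_login("10.0.0.7", success=False)
    engine.observe_login("10.0.0.7", success=True)
    engine.observe_login("10.0.0.7", success=False)
    engine.observe_login("10.0.0.8", success=False)
    # Constructed password ages: alice is overdue, bob is not.
    today = date(2024, 5, 1)
    engine.check_password_age("alice", date(2024, 1, 1), today)
    engine.check_password_age("bob", date(2024, 3, 1), today)
    return engine.fired


if __name__ == "__main__":
    for role, action, detail in demo():
        print(f"{role} must {action}: {detail}")
```

Running `demo()` fires exactly two obligations: the security administrator must investigate source 10.0.0.7, and user alice must change her password. Note that the obligation is attached to the role holder who must act, not to the subject who caused the event, which is why obligations change how roles are used compared with pure authorization.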
