Conference: ACM symposium on Access control models and technologies

A meta model for authorisations in application security systems and their integration into RBAC administration


Abstract

This paper presents a new concept for efficient access rights administration and access control. It focuses on the special requirements of application security and reflects experiences from the implementation of security for large industry application systems. Application security shows a considerable inherent complexity due to the large number of combinations of objects and processes for which access rights must be defined. Based on practical experiences, this paper introduces a new approach for the implementation of access control for application systems which reduces this complexity. After describing the challenges for such an approach, we introduce process spaces and object spaces as a basis for authorisations. We show how they make application security maintainable, controllable and offer sufficient flexibility for reaction to changing business needs. In addition, we discuss how a separation of administration and access layers allows for convenient administration as well as optimised access decision performance in business-critical applications. To facilitate the integration of this rule-based concept into enterprise-wide security administration, we show how application security can be integrated into role-based access control (RBAC) systems. In particular, this goal is achieved by enhancing Enterprise RBAC (ERBAC) with variable roles. These roles can contain variable process and object spaces referencing user and role attributes. Finally, we give a short overview over related work.