Many of the advantages of Role Based Access Control (RBAC) accrue from the flexibility of its administrative models. Over the past two decades, several administrative models have been proposed to manage user-role, permission-role and in some cases role-role relations. These models are based on different administrative principles and bring inherent advantages and disadvantages. In this paper, we present a unified model, named Uni-ARBAC, for administering user-role and permission-role relations by combining many of the administrative principles and novel concepts from prior models. For example, instead of administering individual permissions Uni-ARBAC combines permissions into tasks which are assigned to roles as a unit. Slightly differently, users are assigned to user-pools from where individual users are assigned to roles. The central concept of Uni-ARBAC is to integrate user-role and task-role administration into a more manageable unit called an Administrative Unit (AU). AUs partition roles, tasks and user-pools and they are organized in a rooted tree hierarchy. Administrative users are assigned to AUs with possibility of restricting their authority to user-role assignment or task-role assignment. While most existing models assume existence of administrative roles for managing regular roles, we present an approach for engineering AUs based on structured partitioning of roles and tasks.
展开▼