Induced Role Hierarchies with Attribute-Based RBAC

摘要

The Role-Based Access Control (RBAC) model is traditionally used to manually assign users to appropriate roles. When the service-providing enterprise has a massive customer base, assigning users to roles ought to be automated. RB-RBAC (Rule-Based RBAC) provides the mechanism to dynamically assign users to roles based on a finite set of authorization rules defined by the enterprise's security policy. These rules may have seniority relation among them, which induces a roles hierarchy. The main contribution of this paper is to explore the possible discrepancies between the Induced Roles Hierarchy and any existing roles hierarchy. The functional impact of existing discrepancies and ways of reconciling them are discussed.