Article

How to Securely Break into RBAC: The BTG-RBAC Model

Authors:

Luis AntunesAuthors Info & Claims

ACSAC '09: Proceedings of the 2009 Annual Computer Security Applications Conference

Pages 23 - 31

https://doi.org/10.1109/ACSAC.2009.12

Published: 07 December 2009 Publication History

Publisher Site

Abstract

Access control models describe frameworks that dictate how subjects (e.g. users) access resources. In the Role-Based Access Control (RBAC) model access to resources is based on the role the user holds within the organization. RBAC is a rigid model where access control decisions have only two output options: Grant or Deny. Break The Glass (BTG) policies on the other hand are flexible and allow users to break or override the access controls in a controlled and justifiable manner. The main objective of this paper is to integrate BTG within the NIST/ANSI RBAC model in a transparent and secure way so that it can be adopted generically in any domain where unanticipated or emergency situations may occur. The new proposed model, called BTG-RBAC, provides a third decision option BTG, which grants authorized users permission to break the glass rather than be denied access. This can easily be implemented in any application without major changes to either the application code or the RBAC authorization infrastructure, apart from the decision engine. Finally, in order to validate the model, we discuss how the BTG-RBAC model is being introduced within a Portuguese healthcare institution where the legislation requires that genetic information must be accessed by a restricted group of healthcare professionals. These professionals, advised by the ethical committee, have required and asked for the implementation of the BTG concept in order to comply with the said legislation.

Cited By

View all

de Oliveira MVerginadis YReis LPsarra EPatiniotakis IOlabarriaga S(2023)AC-ABACExpert Systems with Applications: An International Journal10.1016/j.eswa.2022.119271213:PCOnline publication date: 1-Mar-2023
https://dl.acm.org/doi/10.1016/j.eswa.2022.119271
Ferreira ATeles SVieira-Marques P(2019)SoTRAACE for smart security in ambient assisted livingJournal of Ambient Intelligence and Smart Environments10.3233/AIS-19053111:4(323-334)Online publication date: 1-Jan-2019
https://dl.acm.org/doi/10.3233/AIS-190531
Cao LXiao LXiao Y(2019)Secure Social Model Based on IRBAC MobileProceedings of the 2019 3rd International Conference on Management Engineering, Software Engineering and Service Sciences10.1145/3312662.3312674(88-92)Online publication date: 12-Jan-2019
https://dl.acm.org/doi/10.1145/3312662.3312674
Show More Cited By

Index Terms

How to Securely Break into RBAC: The BTG-RBAC Model
1. Security and privacy
  1. Security services
    1. Access control
  2. Systems security
    1. Operating systems security
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Index terms have been assigned to the content through auto-classification.

Recommendations

Emergency role-based access control (E-RBAC) and analysis of model specifications with alloy
Abstract
In role-based access control (RBAC), users gain access to predetermined roles and permissions. Thus, desired results are not achieved in emergency situations through policy in RBAC. In emergency situations, users should sometimes gain ...
Supporting RBAC with XACML+OWL
SACMAT '09: Proceedings of the 14th ACM symposium on Access control models and technologies

XACML does not natively support RBAC and even the pecialized XACML profiles are not able to support many relevant constraints such as static and dynamic separation of duty. Extending XACML to support such constraints, however, is an issue that requires ...
DW-RBAC: A formal security model of delegation and revocation in workflow systems

One reason workflow systems have been criticized as being inflexible is that they lack support for delegation. This paper shows how delegation can be introduced in a workflow system by extending the role-based access control (RBAC) model. The current ...

Comments

Information & Contributors

Information

Published In

ACSAC '09: Proceedings of the 2009 Annual Computer Security Applications Conference

December 2009

492 pages

ISBN:9780769539195

Publisher

IEEE Computer Society

United States

Publication History

Published: 07 December 2009

Author Tags

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

21
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 12 Aug 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

de Oliveira MVerginadis YReis LPsarra EPatiniotakis IOlabarriaga S(2023)AC-ABACExpert Systems with Applications: An International Journal10.1016/j.eswa.2022.119271213:PCOnline publication date: 1-Mar-2023
https://dl.acm.org/doi/10.1016/j.eswa.2022.119271
Ferreira ATeles SVieira-Marques P(2019)SoTRAACE for smart security in ambient assisted livingJournal of Ambient Intelligence and Smart Environments10.3233/AIS-19053111:4(323-334)Online publication date: 1-Jan-2019
https://dl.acm.org/doi/10.3233/AIS-190531
Cao LXiao LXiao Y(2019)Secure Social Model Based on IRBAC MobileProceedings of the 2019 3rd International Conference on Management Engineering, Software Engineering and Service Sciences10.1145/3312662.3312674(88-92)Online publication date: 12-Jan-2019
https://dl.acm.org/doi/10.1145/3312662.3312674
Coles-Kemp LJensen RBrewster SFitzpatrick GCox AKostakos V(2019)Accessing a New LandProceedings of the 2019 CHI Conference on Human Factors in Computing Systems10.1145/3290605.3300411(1-12)Online publication date: 2-May-2019
https://dl.acm.org/doi/10.1145/3290605.3300411
Nazerian FMotameni HNematzadeh H(2019)Emergency role-based access control (E-RBAC) and analysis of model specifications with alloyJournal of Information Security and Applications10.1016/j.jisa.2019.01.00845:C(131-142)Online publication date: 1-Apr-2019
https://dl.acm.org/doi/10.1016/j.jisa.2019.01.008
Parrend PMazzucotelli TColin FCollet PMandel J(2018)Cerberus, an Access Control Scheme for Enforcing Least Privilege in Patient Cohort Study PlatformsJournal of Medical Systems10.1007/s10916-017-0844-y42:1(1-19)Online publication date: 1-Jan-2018
https://dl.acm.org/doi/10.1007/s10916-017-0844-y
Tasali QChowdhury CVasserman EBertino ESandhu RWeippl E(2017)A Flexible Authorization Architecture for Systems of Interoperable Medical DevicesProceedings of the 22nd ACM on Symposium on Access Control Models and Technologies10.1145/3078861.3078862(9-20)Online publication date: 7-Jun-2017
https://dl.acm.org/doi/10.1145/3078861.3078862
Cheng LLi ZZhang YZhang YLee I(2017)Protecting interoperable clinical environment with authenticationACM SIGBED Review10.1145/3076125.307612914:2(34-43)Online publication date: 31-Mar-2017
https://dl.acm.org/doi/10.1145/3076125.3076129
Gope PAmin R(2016)A Novel Reference Security Model with the Situation Based Access Policy for Accessing EPHR DataJournal of Medical Systems10.1007/s10916-016-0620-440:11(1-14)Online publication date: 1-Nov-2016
https://dl.acm.org/doi/10.1007/s10916-016-0620-4
Jayabalan MO'daniel T(2016)Access control and privilege management in electronic health recordJournal of Medical Systems10.1007/s10916-016-0589-z40:12(1-9)Online publication date: 1-Dec-2016
https://dl.acm.org/doi/10.1007/s10916-016-0589-z
Show More Cited By

Abstract

Cited By

Index Terms

Recommendations

Emergency role-based access control (E-RBAC) and analysis of model specifications with alloy

Supporting RBAC with XACML+OWL

DW-RBAC: A formal security model of delegation and revocation in workflow systems

Comments

Information

Published In

Publisher

Publication History

Author Tags

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations