Engineering authority and trust in cyberspace: the OM-AM and RBAC way

Published: 26 July 2000

Abstract

Information systems of the future will be large-scale, highly decentralized, pervasive, span organizational boundaries and evolve rapidly. Effective security in this cyberspace will require engineering authority and trust relationships across organizations and individuals. In this paper we propose the four-layer OM-AM framework for this purpose. OM-AM comprises objective, model, architecture and mechanism layers, in this sequence. The objective and model (OM) layers articulate what the security objective and tradeoffs are, while the architecture and mechanism (AM) layers address how to meet these requirements. The hyphen in OM-AM emphasizes the shift from what to how. These layers are roughly analogous to a network protocol stack, with a many-to-many relationship between successive layers, and most certainly do not imply a top-down, waterfall-style software engineering process. OM-AM is an excellent match to the policy-neutral and flexible nature of role-based access control (RBAC). This paper describes and motivates the OM-AM framework and presents a case study in applying it in a distributed RBAC application.

Published In

RBAC '00: Proceedings of the fifth ACM workshop on Role-based access control
July 2000
119 pages
ISBN:158113259X
DOI:10.1145/344287
Publisher

Association for Computing Machinery

New York, NY, United States
Conference

RBAC00
Sponsor:
RBAC00: ACM Role-based Access Control Workshop
July 26 - 28, 2000
Berlin, Germany