Role-based access control on the web

Published: 01 February 2001

Abstract

Current approaches to access control on Web servers do not scale to enterprise-wide systems because they are mostly based on individual user identities. This motivated us to manage and enforce strong, efficient RBAC technology in large-scale Web environments. To satisfy this requirement, we identify two different architectures for RBAC on the Web, called user-pull and server-pull. To demonstrate feasibility, we implement each architecture by integrating and extending well-known technologies such as cookies, X.509, SSL, and LDAP, providing compatibility with current Web technologies. We describe the technologies we use to implement RBAC on the Web in each architecture. Based on our experience, we also compare the tradeoffs of the different approaches.

Reviews

Stanley A. Kurzban (Online Computing Reviews Service)

The past decade has seen a growing awareness that roles are key to the effectiveness of access control. This extremely well-written and self-contained paper does an excellent job of expositing for researchers and practitioners alike a proposal for useful treatment of this concept in the important context of the Web.

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 01 February 2001, in ACM Transactions on Information and System Security (TISSEC), Volume 4, Issue 1

Author Tags

  1. WWW security
  2. cookies
  3. digital certificates
  4. role-based access control

Qualifiers

  • Article

Article Metrics

  • Downloads (last 12 months): 97
  • Downloads (last 6 weeks): 13
Reflects downloads up to 17 Oct 2024

Cited By

  • (2024) A Comprehensive Systematic Review of Access Control in IoT: Requirements, Technologies, and Evaluation Metrics. IEEE Access 12, 12636-12654. doi:10.1109/ACCESS.2023.3347495. Online publication date: 2024.
  • (2024) Blockchain-based security framework for mitigating network attacks in multi-SDN controller environment. International Journal of Information Technology. doi:10.1007/s41870-024-01933-8. Online publication date: 17 Jun 2024.
  • (2023) Secure fine grained access control for telecare medical communication system. Telecommunications Systems 84:1, 1-21. doi:10.1007/s11235-023-01033-1. Online publication date: 29 Jun 2023.
  • (2021) Access Control Challenges in Enterprise Ecosystems. Research Anthology on Blockchain Technology in Business, Healthcare, Education, and Government, 503-528. doi:10.4018/978-1-7998-5351-0.ch029. Online publication date: 2021.
  • (2021) Dyacon: JointCloud Dynamic Access Control Model of Data Security Based on Verifiable Credentials. 2021 IEEE Intl Conf on Parallel & Distributed Processing with Applications, Big Data & Cloud Computing, Sustainable Computing & Communications, Social Computing & Networking (ISPA/BDCloud/SocialCom/SustainCom), 336-343. doi:10.1109/ISPA-BDCloud-SocialCom-SustainCom52081.2021.00054. Online publication date: Sep 2021.
  • (2021) Role Concepts. E-CARGO and Role-Based Collaboration, 35-67. doi:10.1002/9781119693123.ch2. Online publication date: 19 Nov 2021.
  • (2020) Proxy Re-Encryption Scheme For Complicated Access Control Factors Description in Hybrid Cloud. ICC 2020 - 2020 IEEE International Conference on Communications (ICC), 1-6. doi:10.1109/ICC40277.2020.9149306. Online publication date: Jun 2020.
  • (2020) Crowd review and attribute-based credit computation for an access control mechanism in cloud data centers. International Journal of Computers and Applications 45:2, 212-219. doi:10.1080/1206212X.2020.1746500. Online publication date: 3 Apr 2020.
  • (2020) Review and Analysis of Access Control Mechanism for Cloud Data Centres. Computing Algorithms with Applications in Engineering, 439-451. doi:10.1007/978-981-15-2369-4_38. Online publication date: 3 Mar 2020.
  • (2019) Access Control Challenges in Enterprise Ecosystems. Global Cyber Security Labor Shortage and International Business Risk, 51-76. doi:10.4018/978-1-5225-5927-6.ch004. Online publication date: 2019.
