Abstract

Role-based access control (RBAC) policy is being widely accepted not only as an access control policy but also as a flexible permission management framework in various commercial environments. RBAC simplifies security management by assigning permissions to roles rather than directly to individual users. Because security administrators can design and manage security policies by changing the configuration of RBAC components to meet their organization's own security needs, RBAC is called policy-neutral and is able to articulate enterprise-specific security policies. While most research on RBAC addresses defining and formally describing the model and other important properties such as separation of duty, little work has been done on how applications should be designed and then executed in automated information systems based on the RBAC security model. In this paper, we describe important dynamic features of a session that can be used as a vehicle for building applications, and present a basic framework for session-oriented integrity enforcement application design and operation applicable to commercial environments.
