ABSTRACT With the increasing availability of networks and advances in the infrastructure underlying mobile devices, access control and authorization will be enablers of future technologies in collaborative environments. Recent work aims to authorize users dynamically, without prior knowledge of them and without security configuration attributes or roles previously assigned to them. Moreover, current role-engineering approaches construct role hierarchies that do not reflect the organizational structure, since they do not take structural organizational characteristics into account. In this paper we propose a new role structure that does not rely solely on naming but also takes organizational and functional characteristics into account, in order to provide a practical methodology for role assignment between organizations in a collaborative environment. More specifically, we argue that beyond representing a job assignment to perform certain function(s), a role is also a composite element representing several organizational characteristics, such as organizational function, organizational domain and level of authority. The proposed role structure enables role-to-role assignment: an external, nonlocal user requesting access to a particular information system (e.g., a person on the move, or a user logged in from a collaborating organization) acquires local role(s) on the basis of the role(s) held in the home organization. A clear advantage of the proposed framework is the flexibility of its role assignment process, since the proposed role decomposition does not require an exact match of predefined credentials.
The methodology is autonomous, as no prior trust establishment is required between interacting organizations; extensible, as new organizations can join the collaboration without affecting the existing ones; flexible, as it does not affect the local access control policy; scalable, as the collaboration can grow arbitrarily; and efficient, as the comparison methodology guarantees the selection of the appropriate local role, if one exists.
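The following is an added illustration, not code or an algorithm from the paper: it models a role as the composite of organizational function, organizational domain and level of authority that the abstract describes, and performs a role-to-role selection over a local role catalogue without requiring an exact credential match. The role name is deliberately ignored during matching, since the abstract stresses that the structure does not depend solely on naming. The hard constraints (the function must match; a nonlocal user never receives a local role with more authority than the role held at home) and the ranking order (same domain first, then the smallest loss of authority) are assumptions chosen here to make the example concrete, as is the sample catalogue.

```python
"""Role-to-role assignment over a decomposed role structure.

Added example, not the paper's own code. The constraints, the ranking and
the sample catalogue are assumptions made for illustration only.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Role:
    """A role decomposed into the characteristics the abstract names.

    The role name is NOT used for matching: two organizations may call the
    same job very different things, so only the structural attributes count.
    """
    name: str
    function: str    # organizational function, e.g. "finance"
    domain: str      # organizational domain, e.g. "accounting"
    authority: int   # level of authority; higher means more authority


def is_assignable(local: Role, foreign: Role) -> bool:
    """Hard constraints (an assumption of this example, not the paper's rule).

    The organizational function must match, and the visitor must never be
    granted a local role carrying more authority than the role held in the
    home organization, so that crossing an organizational boundary cannot
    become a privilege escalation.
    """
    return (local.function == foreign.function
            and local.authority <= foreign.authority)


def rank(local: Role, foreign: Role) -> Tuple[int, int]:
    """Lower is better: prefer the same domain, then the smallest loss of authority."""
    domain_mismatch = 0 if local.domain == foreign.domain else 1
    return (domain_mismatch, foreign.authority - local.authority)


def select_local_role(foreign: Role, local_roles: Iterable[Role]) -> Optional[Role]:
    """Return the most appropriate local role for a foreign role, or None.

    None means no admissible local role exists; the caller should deny
    access rather than improvise a mapping. Ties are resolved by catalogue
    order, so the catalogue should be kept in a deliberate order.
    """
    candidates = [r for r in local_roles if is_assignable(r, foreign)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: rank(r, foreign))


# Constructed sample catalogue of the local organization's roles.
LOCAL_ROLES = (
    Role("fin_clerk", "finance", "accounting", 1),
    Role("fin_manager", "finance", "accounting", 3),
    Role("fin_auditor", "finance", "audit", 2),
    Role("hr_manager", "hr", "people", 3),
)


if __name__ == "__main__":
    # A visiting user whose home organization names the job differently.
    visitor = Role("financial_controller", "finance", "accounting", 2)
    chosen = select_local_role(visitor, LOCAL_ROLES)
    print(chosen.name if chosen else "no appropriate local role")
```

Running the block maps the visiting "financial_controller" (finance, accounting, authority 2) to the local "fin_clerk": "fin_manager" shares function and domain but would escalate authority, and "fin_auditor" matches authority exactly but sits in a different domain. A visitor with no function in common, or with less authority than every local role of that function, gets no role at all.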