A Role-Based Architecture for Seamless Identity Management and Effective Task Separation

  • Evangelos Kotsovinos
  • Ingo Friese
  • Martin Kurze
  • Jörg Heuer
Part of the IFIP International Federation for Information Processing book series (IFIPAICT, volume 232)


Today’s on-line end user experience is compromised by the need to manage multiple redundant identities for access to various services, such as email accounts, in order to ensure a clear separation of the tasks that users perform in different capacities. Approaches based on Single Sign On (SSO) have focused on providing the interoperability and trust management solutions required to allow users to log in once and use multiple on-line services. In this paper, we argue that Single Sign On provides neither adequate privacy preservation nor sufficiently fine-grained separation of tasks, as it requires a user to perform all tasks, whether personal or professional, using the same identity. We propose Identity and Role Management (IRM), a new approach to identity management that combines the benefits of SSO and user-centric frameworks: it allows a user to be authenticated as conveniently as with SSO, to achieve an effective separation of the tasks she performs in different capacities through the use of different roles, and to retain full control of her private and sensitive data. Additionally, it facilitates fine-grained service customisation, supporting a personalised on-line experience. Our experiments with real users demonstrate the effectiveness, transparency, and user acceptance of our solution.

Copyright information

© International Federation for Information Processing 2007

Authors and Affiliations

  • Evangelos Kotsovinos (1)
  • Ingo Friese (2)
  • Martin Kurze (2)
  • Jörg Heuer (1)
  1. Deutsche Telekom Laboratories, Germany
  2. T-Systems, Germany