Extending Role Based Access Control Model for Distributed Multidomain Applications

  • Yuri Demchenko
  • Leon Gommans
  • Cees de Laat
Part of the IFIP International Federation for Information Processing book series (IFIPAICT, volume 232)


This paper presents the results related to the development of a flexible domain-based access control infrastructure for distributed Grid-based Collaborative Environments and Complex Resource Provisioning. The paper proposes extensions to the classical RBAC model to address typical problems and requirements in the distributed hierarchical resource management such as: hierarchical resources policy administration, user roles/attributes management, dynamic security context and authorisation session management, and others. It describes relations between the RBAC and the generic AAA access control models and defines combined RBAC-DM model for domain-based access control management and suggests mechanisms that can be used in the distributed service-oriented infrastructure for security context management. The paper provides implementation details on the use of XACML for finegrained access control policy definition for domain based resources organisation and roles assignments in RBAC-DM. The paper is based on experiences gained from the major Grid-based and Grid-oriented projects in collaborative applications and complex resource provisioning.


Access Control Access Control Policy Access Control Model Virtual Laboratory Role Base Access Control 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Foster, I. et al (2006). The Open Grid Services Architecture, Version 1.5. Global Grid Forum. Retrieved October 30, 2006, from
  2. 2.
    “Web Services Architecture”. W3C Working Draft 8, August 2003. —
  3. 3.
    Vollbrecht, J., P. Calhoun, S. Farrell, L. Gommans, G. Gross, B. de Bruijn, C. de Laat, M. Holdrege, D. Spence, “AAA Authorization Framework,” Informational RFC 2904, Internet Engineering Task Force, August 2000.
  4. 4.
    RFC2903 — “ Generic AAA Architecture”, C. de Laat, G. Gross, L. Gommans, J. Vollbrecht, D. Spence, IETF Aug 2000,
  5. 5.
    GFD.38 Conceptual Grid Authorization Framework and Classification. M. Lorch, B. Cowles, R. Baker, L. Gommans, P. Madsen, A. McNab, L. Ramakrishnan, K. Sankar, D. Skow, M. Thompson —
  6. 6.
    Demchenko, Y., L. Gommans, C. de Laat, A., van Buuren, R. Domain Based Access Control Model for Distributed Collaborative Applications“. Accepted, The 2nd IEEE International Conference on e-Science and Grid Computing.Google Scholar
  7. 7.
    Using SAML and XACML for Complex Authorisation Scenarios in Dynamic Resource Provisioning, by Demchenko Y., L. Gommans, C. de Laat. The Second International Conference on Availability, Reliability and Security (ARES 2007), April 10-13, 2007, Vienna. Accepted paper.Google Scholar
  8. 8.
    Sandhu, R. & Samarati, P., 1994. “Access Control: Principles and Practice“, IEEE Communication Magazine, September 1994, pp. 40–48.Google Scholar
  9. 9.
    Sandhu, R., Coyne, E. J., Feinstein, H. L. & Youman, C.E. 1996, “Role-Based Access Control Models”, IEEE Computer, February 1996, pp. 38–47.Google Scholar
  10. 10.
    Information Technology — Role Based Access Control, Document Number: ANSI/INCITS 359-2004, InterNational Committee for Information Technology Standards, 3 February 2004, 56 p.Google Scholar
  11. 11.
    ITU-T Rec. X.812(1995) ISO/IEC 10181-3:1996, Information technology — Open systems interconnection — Security frameworks in open systems: Access control framework.Google Scholar
  12. 12.
    Caelli W., Rhodes A., “Implementation of active role based access control in a collaborative environment“,
  13. 13.
    Thomas, R. K. 1997, “Team-based Access Control (TMAC): A Primitive for Applying Role-based Access Controls in Collaborative Environments”, Proceeding of the Second ACM Workshop on Role-Based Access Control, ACM, November 1997, pp. 13–19.Google Scholar
  14. 14.
    Park J.S., R Sandhu, “The UCONabc usage control model”, ACM Transaction on Information and System Security, 7(1), February 2004.Google Scholar
  15. 15.
    Xinwen Zhang, Masayuki Nakae, Michael J. Covington, and Ravi Sandhu, A Usagebased Authorization Framework for Collaborative Computing Systems, in the proceedings of ACM Symposium on Access Control Models and Technologies (SACMAT), 2006.Google Scholar
  16. 16.
    Godik, S. et al, “extensible Access Control Markup Language (XACML) Version 2.0”, OASIS Working Draft 04, 6 December 2004, available
  17. 17.
    Demchenko, Y., L. Gommans, C. de Laat, A. Taal, A. Wan, O. Mulmo, “Using Workflow for Dynamic Security Context Management in Complex Resource Provisioning”, 7th IEEE/ACM International Conference on Grid Computing (Grid2006), Barcelona, September 28-30, 2006, pp. 72–79.Google Scholar
  18. 18.
    “Core and hierarchical role based access control (RBAC) profile of XACML v2.0”, OASIS Standard, 1 February 2005, available from
  19. 19.
    “Hierarchical resource profile of XACML 2.0”, OASIS Standard, 1 February 2005, available from
  20. 20.
    “XACML 3.0 administrative policy,” OASIS Draft, 10 December 2005. [Online]. Available from
  21. 21.
    Generic Authorization Authentication and Accounting. [Online], Available:
  22. 22.
    OGSA Authorization WG (OGSA-AUTHZ-WG). [Online]. Available:

Copyright information

© International Federation for Information Processing 2007

Authors and Affiliations

  • Yuri Demchenko
    • 1
  • Leon Gommans
    • 1
  • Cees de Laat
    • 1
  1. 1.University of Amsterdam, System and Network Engineering GroupAmsterdamThe Netherlands

Personalised recommendations