Abstract
The Access Matrix is a useful model for understanding the behaviour and properties of access control systems. While the matrix is rarely implemented, access control in real systems is usually based on access control mechanisms, such as access control lists or capabilities, that have clear relationships with the matrix model. In recent times a great deal of interest has been shown in Role Based Access Control (RBAC) models. However, the relationship between RBAC models and the Access Matrix is not clear. In this paper we present a model of RBAC based on the Access Matrix which makes the relationships between the two explicit. In the process of constructing this model, some fundamental similarities between certain capability models and RBAC are revealed. In particular, we outline a proof that RBAC and the ACM are equivalent with respect to the policies they can represent. From this we conclude that, in a similar way to access lists and capabilities, RBAC is a derivation of the Access Matrix model.
© 2003 Springer-Verlag Berlin Heidelberg
Cite this paper
Saunders, G., Hitchens, M., Varadharajan, V. (2003). Role-Based Access Control and the Access Control Matrix. In: Qing, S., Gollmann, D., Zhou, J. (eds) Information and Communications Security. ICICS 2003. Lecture Notes in Computer Science, vol 2836. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-39927-8_14
DOI: https://doi.org/10.1007/978-3-540-39927-8_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-20150-2
Online ISBN: 978-3-540-39927-8
eBook Packages: Springer Book Archive