Volume 8 - Issue 10
Organization-role based access control model with scalability and flexibility balanced
Abstract
To balance the scalability and flexibility of Role Based Access Control models in business organizations, an Organization-Role Based Access Control (O-RBAC) model was proposed. The organization-role pair, with the attributes of actuality, management and globality, was introduced as its core concept. The role specialization/management relations, which have specific meanings, were separated from the traditional role hierarchy. By combining these relations with the organization hierarchy respectively, two novel inheritance mechanisms, the organization-role specialization/management relations, were defined. Based on organization-roles and their relations, static/dynamic separation of duty constraints were enforced. Comparison with related work on a B2B example indicates that, in decentralized structured organizations, O-RBAC has almost the same manual authorization costs as the most scalable model so far, while some typical constraints are expressed more concisely and more complicated security policies are supported.
Paper Details
PaperID: 84862703636
Author's Name: Zhai, Z., Xi, J., Huang, F., Zhao, T., Guo, Y.
Volume: Volume 8
Issues: Issue 10
Keywords: Access control, Flexibility, Organization, Role, Scalability, Security policy
Year: 2012
Month: May
Pages: 3979 - 3986