In role-based access control (RBAC), permissions are associated with roles and users are made members of appropriate roles, thereby acquiring the roles' permissions. The principal motivation behind RBAC is to simplify administration. In this paper, we investigate one aspect of RBAC administration: the assignment of users to roles. We introduce a constrained user-role assignment model, called CONUGA (CONstrained User-Group Assignment), and describe its implementation in the Windows NT system. In Windows NT, rather than setting user and file rights individually for each and every user, the administrator can give rights to various groups and then place users within those groups. Each user within a group inherits the rights associated with that group. We demonstrate how to extend the Windows NT group mechanism to support our model, which is useful in managing group-based access control.
ASJC Scopus subject areas
- Hardware and Architecture
- Computer Science Applications
- Computer Networks and Communications