Role-Based Access Control on the Web

Joon S. Park; Ravi Sandhu; Gail Joon Ahn

doi:10.1145/383775.383777

Role-Based Access Control on the Web

Joon S. Park, Ravi Sandhu, Gail Joon Ahn

Research output: Contribution to journal › Article › peer-review

164 Scopus citations

Abstract

Current approaches to access control on Web servers do not scale to enterprise-wide systems because they are mostly based on individual user identities. Hence we were motivated by the need to manage and enforce the strong and efficient RBAC access control technology in large-scale Web environments. To satisfy this requirement, we identify two different architectures for RBAC on the Web, called user-pull and server-pull. To demonstrate feasibility, we implement each architecture by integrating and extending well-known technologies such as cookies, X.509, SSL, and LDAP, providing compatibility with current Web technologies. We describe the technologies we use to implement RBAC on the Web in different architectures. Based on our experience, we also compare the tradeoffs of the different approaches.

Original language	English (US)
Pages (from-to)	37-71
Number of pages	35
Journal	ACM Transactions on Information and System Security
Volume	4
Issue number	1
DOIs	https://doi.org/10.1145/383775.383777
State	Published - 2001
Externally published	Yes

Keywords

Cookies
Design
Digital certificates
Experimentation
Role-Based access control
Security
WWW security

ASJC Scopus subject areas

General Computer Science
Safety, Risk, Reliability and Quality

Access to Document

10.1145/383775.383777

Cite this

@article{c2425794423c486192f823fa5587d29e,

title = "Role-Based Access Control on the Web",

abstract = "Current approaches to access control on Web servers do not scale to enterprise-wide systems because they are mostly based on individual user identities. Hence we were motivated by the need to manage and enforce the strong and efficient RBAC access control technology in large-scale Web environments. To satisfy this requirement, we identify two different architectures for RBAC on the Web, called user-pull and server-pull. To demonstrate feasibility, we implement each architecture by integrating and extending well-known technologies such as cookies, X.509, SSL, and LDAP, providing compatibility with current Web technologies. We describe the technologies we use to implement RBAC on the Web in different architectures. Based on our experience, we also compare the tradeoffs of the different approaches.",

keywords = "Cookies, Design, Digital certificates, Experimentation, Role-Based access control, Security, WWW security",

author = "Park, {Joon S.} and Ravi Sandhu and Ahn, {Gail Joon}",

year = "2001",

doi = "10.1145/383775.383777",

language = "English (US)",

volume = "4",

pages = "37--71",

journal = "ACM Transactions on Information and System Security",

issn = "1094-9224",

publisher = "Association for Computing Machinery (ACM)",

number = "1",

}

TY - JOUR

T1 - Role-Based Access Control on the Web

AU - Park, Joon S.

AU - Sandhu, Ravi

AU - Ahn, Gail Joon

PY - 2001

Y1 - 2001

N2 - Current approaches to access control on Web servers do not scale to enterprise-wide systems because they are mostly based on individual user identities. Hence we were motivated by the need to manage and enforce the strong and efficient RBAC access control technology in large-scale Web environments. To satisfy this requirement, we identify two different architectures for RBAC on the Web, called user-pull and server-pull. To demonstrate feasibility, we implement each architecture by integrating and extending well-known technologies such as cookies, X.509, SSL, and LDAP, providing compatibility with current Web technologies. We describe the technologies we use to implement RBAC on the Web in different architectures. Based on our experience, we also compare the tradeoffs of the different approaches.

AB - Current approaches to access control on Web servers do not scale to enterprise-wide systems because they are mostly based on individual user identities. Hence we were motivated by the need to manage and enforce the strong and efficient RBAC access control technology in large-scale Web environments. To satisfy this requirement, we identify two different architectures for RBAC on the Web, called user-pull and server-pull. To demonstrate feasibility, we implement each architecture by integrating and extending well-known technologies such as cookies, X.509, SSL, and LDAP, providing compatibility with current Web technologies. We describe the technologies we use to implement RBAC on the Web in different architectures. Based on our experience, we also compare the tradeoffs of the different approaches.

KW - Cookies

KW - Design

KW - Digital certificates

KW - Experimentation

KW - Role-Based access control

KW - Security

KW - WWW security

UR - http://www.scopus.com/inward/record.url?scp=84994391858&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84994391858&partnerID=8YFLogxK

U2 - 10.1145/383775.383777

DO - 10.1145/383775.383777

M3 - Article

AN - SCOPUS:84994391858

SN - 1094-9224

VL - 4

SP - 37

EP - 71

JO - ACM Transactions on Information and System Security

JF - ACM Transactions on Information and System Security

IS - 1

ER -

Role-Based Access Control on the Web

Abstract

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this