Abstract
Constraints are an important aspect of role-based access control (RBAC) and are often regarded as one of the principal motivations behind RBAC. Although the importance of constraints in RBAC has been recognized for a long time, they have not received much attention. In this article, we introduce an intuitive formal language for specifying role-based authorization constraints named RCL 2000 including its basic elements, syntax, and semantics. We give soundness and completeness proofs for RCL 2000 relative to a restricted form of first-order predicate logic. Also, we show how previously identified role-based authorization constraints such as separation of duty (SOD) can be expressed in our language. Moreover, we show there are other significant SOD properties that have not been previously identified in the literature. Our work shows that there are many alternate formulations of even the simplest SOD properties, with varying degree of flexibility and assurance. Our language provides us a rigorous foundation for systematic study of role-based authorization constraints.
| Original language | English (US) |
|---|---|
| Pages (from-to) | 207-226 |
| Number of pages | 20 |
| Journal | ACM Transactions on Information and System Security |
| Volume | 3 |
| Issue number | 4 |
| DOIs | |
| State | Published - Nov 1 2000 |
| Externally published | Yes |
Keywords
- Access control models
- authorization constraints
- constraints specification
- Languages
- role-based access control
- Security
ASJC Scopus subject areas
- General Computer Science
- Safety, Risk, Reliability and Quality