An Administrative Model for Role-Based Access Control Using Hierarchical Namespace

Access control is an important information security mechanism. Role-based access control is a famous access control approach with good flexibility and expandability. The classical RBAC models are RBAC96 and ARBAC97. The ARBAC97 model is an administrative model with the idea of “using RBAC to administrate RBAC”. It facilitates decentralized administration of RBAC through three assignment models: URA97, PRA97 and RRA97. Though ARBAC97 works well in traditional RBAC applications, it has some shortcomings if employed in a large organization composed of many autonomous subsidiaries. The member of an administrative role can operate directly in the role range of a junior administrative role, which violates the autonomy of subsidiaries. The authorization relationship is rather complex. And the names of the roles have to be globally unique. A new administrative model named N-RBAC is proposed to overcome these weaknesses. In N-RBAC, all resources (including users and roles) are arranged into a hierarchical namespace structure. Thus the role hierarchy is constructed in a local space instead of in a global space. The administrative role hierarchy is obsolete, and a unique administrative role is assigned to each namespace instead. Experimental results show that the N-RBAC model is more suitable to autonomous distributed role administration than the ARBAC97 model.