Abstract:
Current access control administration models, which are designed to manage a given access control model, are not suitable for an enterprise environment in which different access control models coexist. An administration model is needed for efficiently administering different access control models in an enterprise environment. The main reason why an administration model cannot be used to manage other access control models is that the administration scopes defined in the model include characteristic components of the given access control model. This paper uses subjects and permissions, which are common to different access control models, to describe administration scope, abstracts the interface between the administration model and the access control model into policy\+* functions, and proposes a generic administration model. The model introduces the concept of a management space that corresponds to the real enterprise structure, which makes the model easy for managers to understand, and administration tasks are carried out hierarchically. For autonomy, the model differentiates the direct manager's administration privileges from the indirect manager's administration privileges of one management space. The administration rules and semantics of the model are also discussed. The soundness of the model is proved, and the policy\+* algorithms of RBAC, MAC and HRU are analyzed. This model can be used to administer different access control models in an enterprise environment. An example is given that explains how to use this model to manage RBAC, MAC and HRU.