Role-Based Access Control.
Title:
Role-Based Access Control.
Author:
Ferraiolo, David.
ISBN:
9781580533249
Edition:
2nd ed.
Physical Description:
1 online resource (336 pages)
Contents:
Role-Based Access Control -- Contents -- Preface -- Acknowledgements -- Chapter 1 Introduction -- 1.1 The purpose and fundamentals of access control -- 1.2 A brief history of access control -- 1.3 Comparing RBAC to DAC and MAC -- 1.4 RBAC and the enterprise -- References -- Chapter 2 Access Control Policy, Models, and Mechanisms--Concepts and Examples -- 2.1 Policy, models, and mechanisms -- 2.2 Subjects and objects -- 2.3 Reference monitor and security kernel -- 2.4 DAC policies -- 2.5 Access control matrix -- 2.6 MAC policies and models -- 2.7 Biba's integrity model -- 2.8 Clark-Wilson model -- 2.9 The Chinese wall policy -- 2.10 The Brewer-Nash model -- 2.11 Domain-type enforcement model -- References -- Chapter 3 Core RBAC Features -- 3.1 Role versus ACL groups -- 3.2 Core RBAC -- 3.3 Mapping the enterprise view to the system view -- Chapter 4 Role Hierarchies -- 4.1 Building role hierarchies from flat roles -- 4.2 Inheritance schemes -- 4.3 Hierarchy structures and inheritance forms -- 4.4 Accounting for role types -- 4.5 General and limited role hierarchies -- 4.6 Accounting for the Stanford model -- References -- Chapter 5 SoD and Constraints in RBAC Systems -- 5.1 Types of SoD -- 5.2 Using SoD in real systems -- 5.3 Temporal constraints in RBAC -- References -- Chapter 6 RBAC, MAC, and DAC -- 6.1 Enforcing DAC using RBAC -- 6.2 Enforcing MAC on RBAC systems -- 6.3 Implementing RBAC on MLS systems -- 6.4 Running RBAC and MAC simultaneously -- References -- Chapter 7 NIST's Proposed RBAC Standard -- 7.1 Overview -- 7.2 Functional specification packages -- 7.3 The RBAC reference model -- 7.4 Functional specification overview -- 7.5 Functional specification for core RBAC -- 7.6 Functional specification for hierarchical RBAC -- 7.7 Functional specification for SSD relation -- 7.8 Functional specification for a DSD relation -- Reference -- Chapter 8 Role-Based Administration of RBAC -- 8.1 Background and terminology -- 8.2 URA02 and PRA02 -- 8.3 Crampton-Loizou administrative model -- 8.4 Role control center -- References -- Chapter 9 Enterprise Access Control Framework Using RBAC and XML Technologies -- 9.1 Conceptual view of EAFs -- 9.2 Enterprise Access Central Model Requirements -- 9.3 EAM specification and XML schemas -- 9.4 Specification of the ERBAC model in the XML schema -- 9.5 Encoding of enterprise access control data in XML -- 9.6 Verification of the ERBAC model and data specifications -- 9.7 Limitations of XML schemas for ERBAC model constraint representation -- 9.8 Using XML-encoded enterprise access control data for enterprisewide access control implementation -- 9.9 Conclusion -- References -- Chapter 10 Integrating RBAC with Enterprise IT Infrastructures -- 10.1 RBAC for WFMSs -- 10.2 RBAC integration in Web environments -- 10.3 RBAC for UNIX environments -- 10.4 RBAC in Java -- 10.5 RBAC for FDBSs -- 10.6 RBAC in autonomous security service modules -- 10.7 Conclusions -- References -- Chapter 11 Migrating to RBAC--Case Study: Multiline Insurance Company -- 11.1 Background -- 11.2 Benefits of using RBAC to manage extranet users -- 11.3 Benefits of using RBAC to manage employees (intranet users) -- 11.4 RBAC implementation costs -- 11.5 Time series of benefits and costs -- Reference -- Chapter 12 RBAC Features in Commercial Products -- 12.1 RBAC in relational DBMS products -- 12.2 RBAC in enterprise security administration software -- 12.3 Conclusions -- References -- Appendix A -- Appendix B -- About the authors -- Index.
Summary:
Role-based access control (RBAC) is a security mechanism that can greatly lower the cost and complexity of security administration for large networked applications. RBAC simplifies security administration by using roles, hierarchies, and constraints to organize privileges. This book explains these components of RBAC, as well as how to support and administer RBAC in a networked environment and how to integrate it with existing infrastructure.
Notes:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.