HyungHyo Lee, YoungLok Lee and BongNam Noh
Wonkwang Univ. and Chonnam National Univ.
email: hlee@wonkwang.ac.kr
The RBAC model is renowned as a security model for corporate environments, since its components, especially the role hierarchy, are suitable for modeling an organization structure. But the functional role hierarchy constructed through the existing role engineering approaches does not reflect an organization structure, because those approaches do not take the structural characteristics of the organization into account. It has also been observed that the unconditional permission inheritance property of a functional role hierarchy may breach the least privilege security principle and make it impossible to define separation of duty requirements on roles that have a common senior role.
The authors found that elements of an organization structure such as departments and teams inherently provide an important means for deriving functions (i.e., permissions) and a natural interface through which the security administrator manages the user-to-role assignment task. For example, the departments Personnel and Accounting have their own functionalities, and the organizational roles Personnel Manager and Accounting Director are authorized in the context of their departments' tasks. In addition, it is natural for the security administrator to assign a user to an organizational role, i.e., Personnel Manager, rather than to several functional roles, such as Personnel Information Management and Personal Rating Information Management, which are the job functions of the Personnel Manager role. Unlike a functional role hierarchy, a senior role in an organizational role hierarchy need not inherit the permissions of its junior roles, since the inheritance scope of an organizational role hierarchy is typically bound to its structural elements.
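The following is an added example, not code from the paper, that models the two hierarchies the abstract contrasts: a functional hierarchy with unconditional permission inheritance, and organizational roles bound to departments whose seniority carries no inheritance. All role, permission, department and user names are constructed samples. It shows how a functional senior placed over two mutually exclusive functions makes a static separation-of-duty constraint unsatisfiable and over-privileges that role, while the organizational model keeps a user's permissions to the functional roles mapped to their organizational role.

```python
"""Functional vs. organizational role hierarchies in RBAC (illustrative example)."""
from collections import deque


class FunctionalHierarchy:
    """Functional roles with unconditional inheritance: a senior role holds
    every permission of every role beneath it."""

    def __init__(self):
        self.perms = {}     # role -> directly assigned permissions
        self.juniors = {}   # role -> directly junior roles

    def add_role(self, role, perms=()):
        self.perms.setdefault(role, set()).update(perms)
        self.juniors.setdefault(role, set())

    def add_inheritance(self, senior, junior):
        """Record senior >= junior; senior inherits junior's permissions."""
        self.juniors[senior].add(junior)

    def descendants(self, role):
        """All roles reachable downward from role, including role itself."""
        seen, queue = set(), deque([role])
        while queue:
            r = queue.popleft()
            if r in seen:
                continue
            seen.add(r)
            queue.extend(self.juniors[r])
        return seen

    def effective_perms(self, role):
        return set().union(*(self.perms[r] for r in self.descendants(role)))

    def unsatisfiable_sod(self, r1, r2):
        """Roles that hold both r1 and r2 through inheritance; any user assigned
        one of them necessarily breaks a static SoD constraint on (r1, r2)."""
        return {r for r in self.perms if {r1, r2} <= self.descendants(r)}


class OrganizationalModel:
    """Organizational roles bound to departments. Seniority is recorded for
    administration only; permissions come solely from the functional roles
    mapped to each organizational role."""

    def __init__(self, functional):
        self.functional = functional
        self.dept = {}          # org role -> department
        self.func_roles = {}    # org role -> mapped functional roles
        self.juniors = {}       # org role -> junior org roles (no inheritance)
        self.user_roles = {}    # user -> assigned org roles

    def add_org_role(self, role, dept, func_roles=()):
        self.dept[role] = dept
        self.func_roles[role] = set(func_roles)
        self.juniors.setdefault(role, set())

    def add_seniority(self, senior, junior):
        self.juniors[senior].add(junior)

    def assign_user(self, user, org_role):
        self.user_roles.setdefault(user, set()).add(org_role)

    def held_functional_roles(self, user):
        held = set()
        for org_role in self.user_roles.get(user, ()):
            for f in self.func_roles[org_role]:
                held |= self.functional.descendants(f)
        return held

    def user_perms(self, user):
        return set().union(set(), *(self.functional.perms[f]
                                    for f in self.held_functional_roles(user)))

    def sod_ok(self, user, r1, r2):
        """Static SoD between functional roles, checked over the user's org roles."""
        return not ({r1, r2} <= self.held_functional_roles(user))


def build_sample():
    """Constructed sample organization (hypothetical names)."""
    fh = FunctionalHierarchy()
    fh.add_role("PersonnelInfoMgmt", {"read_personnel", "write_personnel"})
    fh.add_role("PersonalRatingMgmt", {"write_rating"})
    fh.add_role("AccountsPayable", {"approve_payment"})
    fh.add_role("AccountsAudit", {"audit_payment"})
    # One functional senior over both accounting functions: unconditional
    # inheritance gives it approve_payment AND audit_payment.
    fh.add_role("FinanceHead")
    fh.add_inheritance("FinanceHead", "AccountsPayable")
    fh.add_inheritance("FinanceHead", "AccountsAudit")

    om = OrganizationalModel(fh)
    om.add_org_role("PersonnelManager", "Personnel",
                    {"PersonnelInfoMgmt", "PersonalRatingMgmt"})
    om.add_org_role("AccountingDirector", "Accounting", {"AccountsPayable"})
    om.add_org_role("Auditor", "Accounting", {"AccountsAudit"})
    om.add_seniority("AccountingDirector", "Auditor")   # no permission flow
    om.assign_user("alice", "PersonnelManager")
    om.assign_user("bob", "AccountingDirector")
    return fh, om


if __name__ == "__main__":
    fh, om = build_sample()
    print("FinanceHead inherits:", sorted(fh.effective_perms("FinanceHead")))
    print("SoD unsatisfiable at:", fh.unsatisfiable_sod("AccountsPayable", "AccountsAudit"))
    print("bob (AccountingDirector):", sorted(om.user_perms("bob")),
          "SoD ok:", om.sod_ok("bob", "AccountsPayable", "AccountsAudit"))
```

`unsatisfiable_sod` is the check a security administrator would run before declaring a static SoD constraint: if it returns any role, the functional hierarchy itself prevents the constraint from ever holding for users assigned that role. In the organizational model, `AccountingDirector` is senior to `Auditor` but `user_perms("bob")` contains only `approve_payment`, because seniority there is administrative, not a permission-inheritance edge.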
In this paper, we propose a role engineering methodology that considers organizational roles as well as functional roles, in order to provide a practical RBAC model for corporate environments. We also elaborate the characteristics of organizational roles, which were relatively neglected in previous work, and compare them with those of functional roles. Models for associating organizational and functional roles and their role hierarchies (unified vs. separate) are proposed, and the advantages and shortcomings of those models are discussed.