{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2022,6,1]],"date-time":"2022-06-01T19:40:32Z","timestamp":1654112432328},"reference-count":23,"publisher":"IGI Global","issue":"1","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2013,1,1]]},"abstract":"<p>The authors propose a business-oriented approach to support accurate and dynamic user-role assignments for the Role Based Access Control (RBAC) model. Their model, called Business-Driven Role Based Access Control (BD-RBAC), is composed of three layers. The first layer extends the RBAC model with the concepts of business roles, system roles, credentials, and users\u2019 capabilities. The second layer dynamically assigns users to business and system roles, and filters outdated (abnormal) user-role assignments. The third layer supports exception handling and partial authorization. The novel aspect of the work is the adaptation of RBAC-based access control systems to changes in organizational needs, while reducing the burden of security administration. To this end, the authors have developed (1) a series of algorithms to compute internal and external user-role assignments based on organizational policies, users\u2019 requests and capabilities, (2) and shown that their outputs are permissible, i.e., a legitimate user is authorized to activate the role, complete, i.e., a legitimate user can activate the roles necessary to perform all the requested tasks, and minimal, i.e., a legitimate user does not receive any non-authorized or not-needed privileges.<\/p>","DOI":"10.4018\/jisp.2013010104","type":"journal-article","created":{"date-parts":[[2013,7,10]],"date-time":"2013-07-10T13:54:47Z","timestamp":1373464487000},"page":"45-62","source":"Crossref","is-referenced-by-count":1,"title":["Business Driven User Role Assignment"],"prefix":"10.4018","volume":"7","author":[{"given":"Ousmane Amadou","family":"Dia","sequence":"first","affiliation":[{"name":"Department of Computer Science and Engineering, University of South Carolina, Columbia, SC, USA"}]},{"given":"Csilla","family":"Farkas","sequence":"additional","affiliation":[{"name":"Department of Computer Science and Engineering, University of South Carolina, Columbia, SC, USA"}]}],"member":"2432","reference":[{"key":"jisp.2013010104-0","author":"M. A.Al-Kahtani","year":"2002","journal-title":"A model for attribute-based user-role assignment"},{"key":"jisp.2013010104-1","doi-asserted-by":"crossref","unstructured":"Baumgrass, A., Strembeck, M., & Rinderle-Ma, S. (2011). Deriving role engineering artifacts from business processes and scenario models. In Proceedings of the SACMAT 2011, Innsbruck, Austria.","DOI":"10.1145\/1998441.1998445"},{"key":"jisp.2013010104-2","doi-asserted-by":"crossref","unstructured":"Bertino, E., Squicciarini, A. C., & Mevi, D. (2004). A fine-grained access control model for web services. In Proceedings of the 2004 IEEE International Conference on Services Computing.","DOI":"10.1109\/SCC.2004.1357987"},{"key":"jisp.2013010104-3","unstructured":"Bolan, C. (2004). Need to know: Security or liability. In Proceedings of the AISM."},{"key":"jisp.2013010104-4","doi-asserted-by":"crossref","unstructured":"Brucker, A. C., & Petritsch, H. (2009). Extending access control models with break-glass. In Proceedings of the SACMAT 2009.","DOI":"10.1145\/1542207.1542239"},{"key":"jisp.2013010104-5","doi-asserted-by":"publisher","DOI":"10.1109\/MITP.2011.105"},{"key":"jisp.2013010104-6","unstructured":"Dana, Z., Ramamohanarao, K., & Ebringer, T. (2007). Role engineering using graph optimization. In Proceedings of the SACMAT 2007, ACM."},{"key":"jisp.2013010104-7","unstructured":"Dongwan, S., Ahn, G. H., Cho, S., & Jin, S. (2003). On modeling system-centric information for role. In Proceedings of the SACMAT 2003, ACM."},{"key":"jisp.2013010104-8","doi-asserted-by":"crossref","unstructured":"Dunlop, N., Indulska, J., & Raymond, K. A. (2001). Dynamic policy model for large evolving enterprises. In Proceedings of the Fifth International Conference on Enterprise Distributed Object Computing (EDOC 2001), Seattle, Washington, USA, September, 2001.","DOI":"10.1109\/EDOC.2001.950439"},{"key":"jisp.2013010104-9","doi-asserted-by":"crossref","unstructured":"Ferreira, A., Chadwick, D., Farinha, P., Correia, R., Zao, G., & Chilro, R. (2009, December). How to securely break into rbac: The btg-rbac model. In Proceedings of the Computer Security Applications Conference. ACSAC - IEEE.","DOI":"10.1109\/ACSAC.2009.12"},{"key":"jisp.2013010104-10","doi-asserted-by":"crossref","unstructured":"Frank, M., Streich, A. P., Basin, D., & Buhmann, J. M. (2009). A probabilistic approach to hybrid role mining. In Proceedings of the CCS 2009.","DOI":"10.1145\/1653662.1653675"},{"key":"jisp.2013010104-11","doi-asserted-by":"crossref","unstructured":"Giblin, C., Graf, M., Karjoth, G., Wespi, A., Molloy, I., Lobo, J., & Calo, S. (2010, October). Towards an integrated approach to role engineering. In Proceedings of the 3rd ACM Workshop on Assurable and Usable Security Configuration (SafeConfig '10).","DOI":"10.1145\/1866898.1866908"},{"key":"jisp.2013010104-12","unstructured":"HIPAA. (2004, December). Break glass: Granting emergency access to critical ephi systems - hipaa security. Protecting the Privacy and Security of Health Information."},{"key":"jisp.2013010104-13","unstructured":"Jayaraman, K., Ganesh, V., Rinard, M., & Chapin, S. (2001, October). Automatic error finding in access-control policies. In Proceedings of the CCS 2001, ACM, Chicago, IL."},{"key":"jisp.2013010104-14","doi-asserted-by":"crossref","unstructured":"Lu, H., Vaidya, J., & Atluri, V. (2008). Optimal boolean matrix decomposition: Application to role engineering. In Proceedings of the ICDE.","DOI":"10.1109\/ICDE.2008.4497438"},{"key":"jisp.2013010104-15","doi-asserted-by":"crossref","unstructured":"Marinovic, S., Craven, R., & Ma, J. (2011). Rumpole: A flexible break-glass access control model. In Proceedings of the SACMAT 2011, ACM, Innsbruck, Austria.","DOI":"10.1145\/1998441.1998453"},{"key":"jisp.2013010104-16","unstructured":"McGraw, R. (2009). Risk adaptive access control (radac). In Proceedings of the Privilege Management Workshop, NIST 2009."},{"key":"jisp.2013010104-17","doi-asserted-by":"crossref","unstructured":"Neumann, G., & Strembeck, M. (2002). A scenario- driven role engineering process for functional rbac roles. In Proceedings of the SACMAT 2002, Monterey, CA.","DOI":"10.1145\/507711.507717"},{"key":"jisp.2013010104-18","author":"R.Sandhu","year":"1996","journal-title":"Role-based access control models"},{"key":"jisp.2013010104-19","doi-asserted-by":"crossref","unstructured":"Sandhu, R., Ferraiolo, D. F., & Kuhn, D. R. (2000). The NIST model for role-based access control: Towards a unified standard. In Proceedings of the Information Technology Lab, NIST 2000.","DOI":"10.1145\/344287.344301"},{"key":"jisp.2013010104-20","doi-asserted-by":"crossref","unstructured":"Vaidya, J., Atluri, V., & Wariner, J. (2006). Roleminer: Mining roles using subset enumeration. In Proceedings of the CCS 2006, ACM.","DOI":"10.1145\/1180405.1180424"},{"key":"jisp.2013010104-21","unstructured":"Vincent, C. H., Ferraiolo, F. D., & Kuhn, R. (2006). Assessment of access control systems. In Proceedings of the National Institue of Standards and Technology, NIST 2006."},{"key":"jisp.2013010104-22","doi-asserted-by":"crossref","unstructured":"Yang, J., Wijesekera, D., & Jajodia, S. (2001). Subject switching algorithms for access control in federated databases. In Proceedings of the International Federation for Information Processing (IFIP).","DOI":"10.1007\/978-0-387-35587-0_5"}],"container-title":["International Journal of Information Security and Privacy"],"original-title":[],"language":"ng","link":[{"URL":"https:\/\/www.igi-global.com\/viewtitle.aspx?TitleId=78529","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,6,1]],"date-time":"2022-06-01T19:10:59Z","timestamp":1654110659000},"score":1,"resource":{"primary":{"URL":"https:\/\/services.igi-global.com\/resolvedoi\/resolve.aspx?doi=10.4018\/jisp.2013010104"}},"subtitle":["Nimble Adaptation of RBAC to Organizational Changes"],"short-title":[],"issued":{"date-parts":[[2013,1,1]]},"references-count":23,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2013,1]]}},"URL":"https:\/\/doi.org\/10.4018\/jisp.2013010104","relation":{},"ISSN":["1930-1650","1930-1669"],"issn-type":[{"value":"1930-1650","type":"print"},{"value":"1930-1669","type":"electronic"}],"subject":[],"published":{"date-parts":[[2013,1,1]]}}}