Modeling Mandatory Access Control in Role-Based Security Systems

This paper discusses the realization of mandatory access control in role-based protection systems. Starting from the basic de nitions of roles, their application in security and the basics of the concept of mandatory access control, we develop a scheme of role-based protection that realizes mandatory access control. The basis of this formulation develops from the recognition that roles can be seen as facilitating access to some given information context. By handling each of the role contexts as independent security levels of information, we simulate mandatory access by imposing the requirements of mandatory access control. Among the key considerations, we propose a means of taming Trojan horses by imposing acyclic information ow among contexts in role-based protection systems. The acyclic information ows and suitable access rules incorporate secrecy which is an essential component of mandatory access control.