GROUP HIERARCHIES WITH DECENTRALIZED USER ASSIGNMENT IN WINDOWS NT RAVI SANDHU and GAIL-JOON AHN

The notion of groups in Windows NT is much like that in other operating systems. Rather than set user and le rights individually for each and every user, the administrator can give rights to various groups, then place users within those groups. In this paper we describe an experiment to extend the Windows NT group mechanism in two signi cant ways that are useful in managing group-based access control in large-scale systems. The goal of our experiment is to demonstrate how group hierarchies (where groups include other groups) and decentralized user-group assignment (where administrators are selectively delegated authority to assign certain users to certain groups) can be implemented by means of Microsoft remote procedure call (RPC) programs. In both respects the experimental goal is to implement previously published models (RBAC96 for group hierarchies and URA97 for decentralized usergroup assignment). Our results indicate that Windows NT has adequate exibility to accommodate sophisticated access control models to some extent.