A Three Tier Architecture for Role-based Access Control

This paper presents a reference architecture (or conceptual framework) for the speci cation and enforcement of role-based access control (RBAC). The architecture has three tiers in loose analogy to the well-known ANSI/SPARC architecture for database systems. (Although we take our inspiration from the database domain, we emphasize that our proposed RBAC architecture is germane to applications and systems in general and is not limited to databases per se.) The three tiers of the reference architecture consist of (i) multiple external or user views concerned with the utilization of RBAC in a speci c context within the organization, (ii) a single conceptual or community view which amalgamates diverse external views into a consistent and uni ed composite suitable for overall security administration, and (iii) multiple internal or implementation views concerned with enforcement of RBAC in various subsystems of the enterprise information system. This paper discusses these three tiers and their interrelationships. We demonstrate the usefulness of this conceptual approach, and identify issues which need further research to make this framework a reality.