A Formal Model for Flat Role-Based Access Control

Role-Based Access Control (RBAC) is very useful for providing a high level description of access control. It enables a better understanding of the security problems in an institution because it bridges the gap between their technical aspects and their managerial descriptions. Several models have been devised to describe RBAC. However, the definitions of some of the concepts of RBAC, such as subject, role and permission, were open to many interpretations. Also, the devised models for RBAC, did not detail the analysis of the access operations in RBAC. In this paper, we formalize each of the basic concepts of RBAC for their definitions to be clear and precise. Based on these definitions, a formal state-based model for Flat Role Based Access Control (FRBAC) is constructed, and described in the specification notation Z. This approach permits the close examination of the states in the system. Consequently, it helps to analyse in depth the access operations of RBAC. The model is also refined by supporting the concepts of active roles and private permissions. In the future, the model can be enhanced by extending it to model the delegation and revocation of roles. Other developments of this model include the support of the separation of duty constraints.