An Object-Oriented Organizational Model to Support Dynamic Role-based Access Control in Electronic Commerce Applications

Role-based access control (RBAC) provides flexibility to security management over the traditional approach of using user and group identifiers. In RBAC, access privileges are given to roles rather than to individual users. Users acquire the corresponding permissions when playing different roles. Roles can be defined simply as a label, but such an approach lacks the support to allow users to automatically change roles under different contexts; this static method also adds administrative overheads in role assignment. In electronic commerce and other cooperative computing environments, access to shared resources has to be controlled in the context of the entire business process; it is therefore necessary to model dynamic roles as a function of resource attributes and contextual information. In this paper, an object-oriented organizational model, OMM, is presented as an underlying model to support dynamic role definition and role resolution in RBAC. The paper describes the OMM reference model and shows how it can be applied flexibly to capture the different classes of resources within a corporation, and to maintain the complex and dynamic roles and relationships between the resource objects. Administrative tools use the role model in OMM to define security policies for role definition and role assignment. At runtime, the resource manager queries the OMM system to resolve roles in order to authorize any access attempts. Similarly, cooperative computing software uses OMM to support task assignment and access control to business processes. Contrary to traditional approaches, OMM separates the organization model from the application model; thus it allows independent and flexible role modeling to reflect realistically a dynamic authorization subsystem in a rapidly changing business world.