An Evaluation of RBAC Policy Languages for Web Applications

The rapid growth of the Internet and a range of web applications bring the urgency of security issues, especially for access control. Role-based Access Control (RBAC) is recognized as a superior alternative and less error-prone to traditional discretionary and mandatory access controls. In this paper, we examine the representation of RBAC policies in web applications under distributed environments. Firstly, several important requirements and features for RBAC policy languages, especially with the consideration of web applications are identified. They are expressive, inter-operable, applicable to heterogeneity, flexible, manageable, and efficient. Then we categorized the existing RBAC policy languages into four categories: XML-based, UMLbased, Object-oriented programming languages, and Constraint logic languages. Each category is carefully examined and evaluated, and a comparison with respect to the requirements is given. We conclude with recommendations for XML as a basis for a RBAC policy language.