1

Scalable Role & Organization Based Access Control and Its Administration

A PhD Dissertation DefenseZhixiong "Jim" Zhang

Co-Director: Professor Ravi SandhuCo-Director: Professor Daniel Menasce

George Mason UniversitySpring 2008

2

Presentation Outline

• Introduction• Motivating Examples • Problem Summary• ROBAC Models• AROBAC07 Model• Manifold ROBAC and Secure Collaboration• Contributions • Future Work• Q & A

3

Introduction

• Wide adoption of RBAC in commercial software and enterprises in last decades

• ANSI RBAC standard [2004] is based on RBAC96 [1996] and NIST-RBAC [2001]

• Existing large RBAC systems – Number of permissions: 1000s – Number of roles: 1000s– Number of users: 10,000s – 100,000s

• Usually apply RBAC in one organization (B2E)

4

User-RoleAssignment

(UA)

Users Roles

Permission-RoleAssignment

(PA)

●

●

.

.●

Sessions

Role Hierarchy (RH)

Constraints

user roles Permissions(P)

Operations

Objects

Traditional RBAC Model (RBAC96 with ANSI RBAC Permission)

5

Director (DIR)

Project Lead 1 (PL1)

Production Engineer 1 (PE1) Quality Engineer 1 (QE1)

Engineer 1 (ENG1)

Engineering Department Staff (ED)

(a) An example of regular role hierarchy in RBAC

Senior Security Officer (SSD)

Department Security Officer (DSO)

Project Security Officer 1 (PSO1)

(b) An example of administrative role hierarchy in ARBAC97

Project Lead 2 (PL2)

Production Engineer 2 (PE2) Quality Engineer 2 (QE2)

Engineer 2 (ENG2)

Employee (EMP)

Project Security Officer 2 (PSO2)

6

• Large number of users (100 thousands to millions)

• Involves many organizations (B2B)

• Some user identifiers may be unknown in advance (B2C, user creates username via self-registration)

• ……

Characteristics of Internet Based Applications

7

Motivating Examples

• B2B Example– Web-based report delivery System

• B2C Example– Online subscription-based tutoring system

8

B2B Example

• Web-based Report Delivery System– 10,000s organizations (states, districts, schools in USA)– 100s types of reports– 100,000s end users– Some constraints, such as

• An organization only can access its own reports and its subordinate’s reports

• A school principle can access some types of his/her school’s reports but it cannot access other types of his/her school’s reports which can be access by the school’s consoler

• How to apply RBAC here?

9

Using Traditional RBAC in the B2B example

• How many permissions do we need?– Access type_A_report_for_school_1 is different from

access type_A_report_for_school_2– May need 100x10000 permissions

e.g., p1 – can access type_A_report_for_school_1

• How many roles do we need?– 10,000 x number of report types

e.g., school_1_type_A_report_viewer role which has permission p1

10

B2C Example

• Online subscription-based tutoring system ( its customers are families whose children are elementary school students)– Millions of families– Parents can pay subscription fee, create /

update the family profile, and view their children’s progress reports

– Children can take lessons, view their family profile, and their progress reports on the web

11

Using Traditional RBAC in the B2C example

• How many permissions do we need?– updating family_1_profile is different from the

updating family_2_profile– May need millions permissions e.g., p1 – can update Family_1’s profile

• How many roles do we need?– Millions of rolese.g., Family_1_parent role which has

permission p1

12

Efforts to Scale Up RBAC

• Giuri and Iglio [1997]: Role Templates– parameterized privilege– restricting access to a subset of contents

• Thomas [1997]: Team-based Access Control (TMAC)– scalable permission assignment and fine-grained, run-time

permission activation at the level of individual users and objects• Perwaiz and Sommerville [2001]: Organizational Units

– a mechanism for viewing role-permission relationships in the context of organizational structures

• Park et al. [2004]: Composite RBAC for large and complex organizations– categorizes roles into different classes and maps roles between

them to achieve role class reusability and scalability

13

Problem Summary

• Most existing RBAC and ARABC models do not scale up well when applying to applications involving a large number of organizations

• Several RBAC extensions try to address RBAC scalability problem in the context of one enterprise but lack either formalization or systematic administrative models

14

Solution: ROBAC Models

• Informal description:– Utilize both role and organization information

during the authorization process in order to reduce the number of permissions and roles

• Four models: ROBAC0, ROBAC1, ROBAC2, and ROBAC3

User-(Role, Org)Assignment

(UA)Users

(U) (Roles, Orgs)

Permission-RoleAssignment

(PA)

●

●

.

.●

Sessions(S)

useractive_role-orgs

Organizations

Permissions(P)

Operations

Asset Types

Roles

Assets (A)

aorg atype

ROBAC0Note: Changes From RBACBlue - modified elementsRed - new elements

16

ROBAC0 Formal Definition

• ROBAC0 has the following components:– U -- a set of users (same as U in RBAC96);– S -- a set of sessions (same as S in RBAC96);– R -- a set of roles (same as R in RBAC96);– O -- a set of organizations;– Op -- a set of operations;– A -- a set of assets;– At -- a set of asset types;– P Op At -- a set of permissions;– RO R O -- a set of applicable role and organization associations;– PA P R -- a many-to-many permission-to-role assignment relation;– UA U RO -- a many-to-many user-to-role-and-organization

assignment relation; • to be continued

17

ROBAC0 Formal Definition (cont’d)

• user: S U -- a function mapping a session si to a single user user(si) (same as user in RBAC96);

• atype: A At -- a function mapping an asset to its type;• aorg: A O -- a function mapping an asset to the organization it

relates to; • assigned_role-orgs: U 2RO -- a function mapping a user to a set of

role-organization pairs assigned to the user; assigned_role-orgs(u) = (r,o) | (u, (r,o)) UA ;

• active_role-orgs: S 2RO -- a function mapping a session si to a set of active role-organization pairs;

active_role-orgs(si) assigned_role-orgs(user(si));• can_access: S Op A {true, false} -- a predicate defined as

can_access(s, op, a) is true iff (r, o) active_role-orgs(s) aorg(a) = o ((op, atype(a)), r) PA ;

18

can_access Predicate in ROBAC0

• a user user(s) in a session s can perform an operation op over an asset a if and only if the user has an active role and organization pair (r, o) in the session and role r has permission to perform operation op over asset a’s type and asset a is related to organization o.

User-(Role, Org)Assignment

(UA)Users

(U) (Roles, Orgs)

Permission-RoleAssignment

(PA)

●

●

.

.●

Sessions(S)

useractive_role-orgs

Organizations

Permissions(P)

Operations

Asset Types

Roles

Assets (A)

aorg atype

ROBAC1Note: Changes From RBACBlue - modified elementsRed - new elements

Organization Hierarchy (OH)

Role Hierarchy (RH)

20

ROBAC Formal Definition (3)• ROBAC1 has the following components :

– U, S, R, O, Op, A, At, P, RO, PA, UA, user, atype, aorg -- same as those from ROBAC0;

– OH O O -- a partial order relation on O called organization hierarchy;

– RH R R -- role hierarchy (same as RH in RBAC96); – assigned_role-orgs: U 2RO -- a function mapping a user to a set of

role-organization pairs assigned to the user; assigned_role-orgs(u) = (r,o) | r’ r o’ o (u, (r’,o’)) UA ;

– active_role-orgs: S 2RO -- a function mapping each session si to a set of active role-organization pairs; active_role-orgs(si) assigned_role-orgs(user(si));

– can_access : S Op A {true, false} – a predicate defined as can_access(s, op, a) is true iff (r, o) active_role-orgs(s) aorg(a) o ( r’ r, ((op, atype(a)), r’) PA ) ;

User-(Role, Org)Assignment

(UA)Users

(U) (Roles, Orgs)

Permission-RoleAssignment

(PA)

●

●

.

.●

Sessions(S)

useractive_role-orgs

Organizations

Permissions(P)

Operations

Asset Types

Roles

Assets (A)

aorg atype

ROBAC2Note: Changes From RBACBlue - modified elementsRed - new elements

Constraints

User-(Role, Org)Assignment

(UA)Users

(U) (Roles, Orgs)

Permission-RoleAssignment

(PA)

●

●

.

.●

Sessions(S)

useractive_role-orgs

Organizations

Permissions(P)

Operations

Asset Types

Roles

Assets (A)

aorg atype

ROBAC3Note: Changes From RBACBlue - modified elementsRed - new elements

Organization Hierarchy (OH)

Role Hierarchy (RH)

Constraints

23

ROBAC Formal Definition (4)

• ROBAC2 is ROBAC0 plus constraints, and ROBAC3 is the consolidated model of ROBAC1 and ROBAC2

• Constraints can be defined on RO, role activations (sessions), UA, and PA

• Two levels of constraints– Global constraints: applicable to all organizations– Local constraints: applicable to specified

organizations

24

Separation of Duty Constraint

• Separation of duty (SoD) constraints: Sod ( 2RO+ x N ) where RO+ RO+; O+ = O { ?, *};

N is a natural number set such that (ros, n) SoD, |ros| ≥ n ≥ 2

• Static SoD: (ros, n) SSD, t ros: |t| ≥ n ≥ 2 => ∩ assigned_users((r,o)) = .

(r,o) t

• Dynamic SoD: (ros, n) DSD, s S, ro_subset 2RO, ro_subset active_role-orgs(s), ro_subset ros => |ro_subset| n.

25

SoD ExamplesElement in SoD Meaning

( { (ri, ?), (rj, ?)}, 2 ) no user can be assigned to both ri and rj for any same organization in O (global SoD).

( { (ri, ok), (rj, ol)}, 2 ) no user can be assigned to both ri in organization ok and rj in organization ol (local SoD).

( { (ri, ok), (rj, ?)}, 2 ) no user can be assigned to ri in organization ok while the user has role rj in any organization.

( { (ri, ok), (rj, *)}, 2 ) same as above.

( { (ri, *), (rj, *) }, 2 ) no user can be assigned to both ri and rj in any organizations in O.

26

Applying ROBAC to The B2B and

B2C Examples • How many permissions and roles do we

need for the B2B example?– Permissions: about the number of report types(100)

e.g., p1 -- can access type_A_report

– Roles: about the number of job functions

e.g., type_A_report_viewer role which has permission p1

• How many roles do we need for the B2C example?– Two roles: parent and kid

27

When Using ROBAC?

• Using ROBAC when situation involves many organizations and job functions are similar across organizations

• Not using ROBAC when there is no job function similarity across organizations

28

ROBAC Applicability

• homogeneous index, hindex: 2R [0, 1] – a function mapping a role set to a number between 0 to1 (including 0 and1);

formally,

hindex(Rc) = |compatible_O*(Rc)| / |O|

wherecompatible_O*(Rc) = { o | r Rc, (r, o) RO }

e.g. hindex({parent, kid}) = 1

29

Comparison with Classic RBAC |Rc|RBAC = |O| [ 1 + ( |Rc|ROBAC -1 ) hindex(Rc) ]

Best scenario for N organizations and M job titles RBAC ROBAC

Number of permissions NM M

Number of roles NM M

Organization hierarchy N/A Yes

Role hierarchy Yes Yes

Constraints Yes Yes

User-role-(org) assignment

URA97 UROA07 (be covered in AROBAC07)

Permission-role assignment

PRA97 PRA07(be covered in AROBAC07)

Role administration RRA97 RRA07(be covered in AROBAC07)

Number of role-org pairs

N/A NM

Role-org pairs administration

N/A ROA07(be covered in AROBAC07)

Org administration N/A OOA07(be covered in AROBAC07)

30

Comparison with Some RBAC Extensions

• Role templates [Giuri and Iglio, 1997]– parameterized privilege– restricting access to a subset of contents

• Team-based Access Control (TMAC) [Thomas, 1997]– scalable permission assignment and fine-grained, run-time permission

activation at the level of individual users and objects • Organizational Units [Perwaiz and Sommerville, 2001]

– permissions of a role in an organization unit are the intersection of the role’s permissions and the organization unit’s permissions

• Organization Entity in Credential Based Access Control [Biskup and Wortmann, 2004] – a collection of objects (assets) those may belong to different owners

and act like a namespace• Comparison with Group Based RBAC (GB-RBAC) [LZQX06]

- Roles in GB-RBAC are divided as group roles and user roles. - Groups are assigned to group roles. Users are assigned to user roles.

• Comparison with Organization Based Access Control [KBBBCDMST03]- Consider roles that subjects, actions or objects are assigned in an organization

31

Existing Work on Role Based Administration

• ARBAC97 [SBM99]: one of the most comprehensive role based administrative models. Three sub-models: URA97 (user-role assignment), PRA97 (permission-role assignment), and RRA97 (role-role assignment)

• ARBAC02 [OSZ06] enhances ARBAC97 by incorporating two external organization structures: user organization structure (OS-U) and permission organization structure (OS-P)

• SARBAC [CL03] introduces a concept called administrative scope, which can be calculated for each role based on the role hierarchy

• X-GTRBAC Admin [BJBG04] uses admin domain concept to link users, roles, and permissions together

32

Director (DIR)

Project Lead 1 (PL1)

Production Engineer 1 (PE1) Quality Engineer 1 (QE1)

Engineer 1 (ENG1)

Engineering Department Staff (ED)

(a) An example of regular role hierarchy

Senior Security Officer (SSD)

Department Security Officer (DSO)

Project Security Officer 1 (PSO1)

(b) An example of administrative role hierarchy in ARBAC97

Project Lead 2 (PL2)

Production Engineer 2 (PE2) Quality Engineer 2 (QE2)

Engineer 2 (ENG2)

Employee (EMP)

Project Security Officer 2 (PSO2)

33

AROBAC Model

• Administrative ROBAC ’07– It is a ROBAC approach to perform

administrative tasks on ROBAC systems– Has five sub-models:

• UROA07 (user to role-organization pair assignment ’07)

• PRA07 (permission to role assignment ’07)• RRA07 (role to role assignment ’07)• OOA07 (organization to organization assignment

’07)• ROA07 (role to organization assignment ’07)

User-(Role, Org)Assignment

(UA)Users

(U)(Roles, Orgs)

Permission-RoleAssignment

(PA)

●

●

.

.●

Sessions(S)

Constraints

user active_role-orgs

Organizations

Organization Hierarchy (OH)

Permissions

(P)

Operations

Asset Types

Regular Roles

Role Hierarchy (RH)

Assets (A)aorg

atype

Admin Roles

UO

PO

ARRA

AROBAC07 Model

35

Elements in AROBAC07 (1)• U, S, O, OH, Op, A, At, P, RO, PA, UA, user, atype, aorg, assigned_role-orgs, active_role-orgs,

can_access -- same as those from ROBAC;• RR -- a set of regular roles (renamed R in ROBAC);• RRH RR RR – regular role hierarchy (renamed RH in ROBAC);• AR -- a set of administrative roles (same as AR in ARBAC97), where RR AR=. • ARH AR AR -- administrative role hierarchy (same as ARH in ARBAC97);• R = RR AR -- the set of all roles;• ARRA AR RR -- a many-to-many administrative role to regular role assignment;• RH = RRH ARH -- a combined role hierarchy;• UO U O -- a set of user-organization affiliations;• PO P O -- a set of applicable permission-organization associations;• CRU – a set of applicable prerequisite condition for users;• CRP – a set of applicable prerequisite condition for permissions;• CAN_ASSIGN_USER ARRA CRU - an association defines the constraints when assigning

users to role-organization pairs;• CAN_REVOKE_USER ARRA CRU - an association defines the constraints when revoking

users from role-organization pairs;• can_assign_user: S U RO {true, false} – a predicate which indicates that if

can_assign_user(s, u, (r,o)) is true then user u can be assigned to the role-org pair (r,o) within the session s (the definition is described in UROA07);

• can_revoke_user: S U RO {true, false} – a predicate which indicates that if can_revoke_user(s, u, (r,o), c) is true then user u can be revoked from role-org pair (r,o) within the session s (the definition is described in UROA07);

36

Elements in AROBAC07 (2)• CAN_ASSIGN_PERMISSION ARRA CRP - an association defines the

constraints when assigning permissions to roles;• CAN_REVOKE_PERMISSION ARRA CRP - an association defines the

constraints when revoking permissions from roles;• can_assign_permission: S P RR {true, false} – a predicate which indicates

that if can_assign_permission(s, p, r) is true then the permission p can be assigned to the regular role r within the session s (the definition is described in PRA07);

• can_revoke_permission : S P RR {true, false} – a predicate which indicates that if can_revoke_permission(s, p, r) is true then the permission p can be revoked from the regular role r within the session s (the definition is described in PRA07);

• can_modify_R : S 2RR {true, false} -- a predicate which indicates that if can_modify_R(s, rset) is true then the user user(s) can modify the roles and their relationship inside the role set rset within the session s (the definition is described in RRA07);

• can_modify_O : S 2O {true, false} -- a predicate which indicates that if can_modify_O(s, oset) is true then the user user(s) can modify the organizations and their relationship inside the organization set oset within the session s (the definition is described in OOA07);

• can_modify_RO : S R O {true, false} -- a predicate which indicates that if can_modify_RO(s, r, o) is true then the user user(s) can associate or disassociate role r with organization o within the session s (the definition is described in ROA07);

37

UROA07 Model

• A user prerequisite condition (upc) is a boolean expression using the usual and operators on terms of form of (r, ?), (r, ?), (r, o), and (r, o) where (r, o) is a role-org pair belongs to RO. A user prerequisite condition is evaluated for a user u by interpreting (r, o) to be true if (r’ r, o’ o) (u, (r’, o’)) UA and (r, o) is true if (r, o) is not true. Here “?” is a place holder for any oO, and (r, ?) is true for user u if (r’ r , o’ ?, (u, (r’, o’)) UA ) and (r, ?) is true if (r, ?) is not true. CRU is a set including all applicable upcs plus a null element. The null is interpreted as true for any user

• omembers*(o) = { u | o’ o, (u, o’) UO } • apermissions*(ar) = {r | ar’ ar, (ar’, r)ARRA }

38

UROA07 Model (2)

• may_manage_user : AR U RO CRU {true, false} - a predicate defined as may_manage_user(ar, u, (r,o), c) is true iff (r apermissions*(ar)) c (u omembers*(o))

• an administrative role ar may manage the user u with respect to the role-org pair (r, o) if and only if the user u satisfies the user prerequisite condition c and is affiliated to the organization o or its subordinate organizations and the administrative role ar or its junior administrative roles can perform administrative tasks on role r

39

UROA07 Grant Model

• can_assign_user(s, u, (r,o)) is true iff (o’ o, (ar, o’) active_role-orgs(s) ) (cCRU, ((ar, r),c) CAN_ASSIGN_USER may_manage_user(ar, u, (r,o), c))

• a user (user(s)) in a session s can assign a user u to a role-org pair (r, o) if and only if user(s) has an active role-org pair (ar, o) (explicitly or implicitly via organization hierarchy) in that session and user u satisfies all related user prerequisite conditions defined in CAN_ASSIGN_USER and is affiliated to the organization o or its subordinate organizations and the administrative role ar or its junior administrative roles can perform administrative tasks on role r

40

UROA07 Revoke Model

• can_revoke_user : S U RO {true, false}, a predicate controls whether a user can be revoked from a role-org pair within a session. It is defined as

can_revoke_user(s, u, (r,o)) is true iff (o’ o, (ar, o’) active_role-orgs(s) ) (c, ((ar, r), c) CAN_REVOKE_USER may_manage_user(ar, u, (r,o), c)).

41

UROA07 Example

42

UROA07 Example (2)• For example, a user with an active role-org pair (PSO, @PT1) is a

security administrator in project team 1 • may_manage_user(PSO, u, (PE, @PT1), (QE, ?)) is true if user u

is affiliated with project team 1 (@PT1) and u is not a QE inside the project team 1

• The user with active role-org pair (PSO, @PT1) can assign membership of roles: PL, PE, QE, and ENG within project team 1, to users affiliated with the project team 1 but cannot assign these users to roles within project team 2 and cannot assign users not affiliated to project team 1 to any roles

• Cannot assign both (PE, @PT1) and (QE, @PT1) to the same user because of the user prerequisite conditions, ((PSO, PE), (QE, ?)) and ((PSO, QE), (PE, ?)) , defined in CAN_ASSIGN_USER at above figure (d), which represents a global separation of duty constraint in ROBAC

43

Manifold ROBAC

• Manifold ROBAC (ROBACM)• aorg: A 2O – a function mapping an asset to a subset of the

organization set;• atype: A 2At – a function mapping an asset to a subset of the

asset type set;

• can_access(S, Op, A) in ROBAC0M is slightly different from that in

ROBAC1M.

– In ROBAC0M, can_access(s, op, a) is true iff (r, o)

active_role-orgs(s) o aorg(a) ( at atype(a), ((op, at), r) PA )

– In ROBAC1M, can_access(s, op, a) is true iff (r, o)

active_role-orgs(s) ( o’ aorg(a), o’ o ) (at atype(a), r’ r, ((op, at), r’) PA )

44

Secure Collaboration

• Gong and Qian [GQ96]: two secure collaboration principles:– Autonomy: any allowed access in an

individual system must also be allowed under secure interoperation

– Security: any denied access in an individual system must also be denied under secure interoperation

45

Related Work on Secure Collaboration

• Secure interoperation using RBAC in multi-domain environments [KACM00, JBBG04, PJ05, SJBG05, TAPH05, LZQX06]

• The most frequently used approach is to perform role translation or role mapping between different domains

• Three types of violations when integrating RBAC policies [SJBG05]:– user-specific separation of duty (SoD) violation– role-specific SoD violation– role-assignment violation

• Most approaches have to handle many problems, such as covert role promotion, during the collaboration setup

• Group-based RBAC [LZQX06] addresses ad-hoc collaboration among different groups. It uses a permission-driven collaboration schema to eliminate role-mapping

46

Secure Collaboration with ROBACM

• Main idea:– For a collaboration request, we create a virtual

organization and make it as a subordinate of all participating organizations in the organization hierarchy

– An administrator of a participating organization sets any of its want-to-be-shared assets as also related to the virtual organization

– Our method is simpler and cleaner

47

Secure Collaboration Example

a11

@PT1 @PT2

@VPT12

a12

a13

a21 a22

a23

Legend: @PT1 – Project Team 1; @PT2 – Project Team 2; @VPT12 – Virtual Project Team under @PT1 and @PT2 a11, a12,a13 are assets related to @PT1; a21, a22, a23 are assets related to @PT2.

Assets

48

Secure Collaboration Example (cont.)• Pre-collaboration state in the ROBAC system(note: only involved elements are listed here):

– { a11, a12, a13, a21, a22, a23 } A;

– aorg(a1i) = { @PT1 }, i = 1, 2, 3;

– aorg(a2i) = { @PT2 }, i = 1, 2, 3;

– atype(aij ) = { X } At, i = 1, 2; j = 1, 2, 3;

op Op, ( (op, X), ENG ) PA;• Before collaboration:

– (ENG, @PT1) can access asset a11, a12, a13 but not a21, a22, a23– (ENG, @PT2) can access asset a21, a22, a23 but not a11, a12, a13

• Collaboration grant:– Create a virtual project team @VPT12 under @PT1 and @PT2

• During collaboration:– (ENG, @PT1) can access asset a11, a12, a13, a21, a23 – (ENG, @PT2) can access asset a21, a22, a23, a13

• Collaboration Revoke:– Remove the @VPT12 and all related association

• After Collaboration:– System returns to its original status automatically

49

Contributions

• A family of extended RBAC models called Role and Organization Based Access Control (ROBAC) models is proposed and formalized. It scales up well for applications involving many similar organizations. Its applicability and expressive power are discussed.

• A comprehensive role and organization based administrative model called AROBAC07 is developed. It has five sub models:

– UROA07 is concerned with user to role and organization pair assignment; – PRA07 deals with permission-role assignment; – RRA07 manages roles and role hierarchy; – OOA07 handles organizations and organization hierarchy; – ROA07 controls applicable association between roles and organizations.

• A concept called application compartment (ACom) in ROBAC is introduced and its usage in ROBAC / AROBAC is discussed.

50

Contributions (2)

• Two ROBAC variants, manifold ROBAC and pseudo ROBAC, and their corresponding administrative models are presented.

• A manifold ROBAC based secure collaboration schema is proposed and formalized. The schema avoids many problems resulted from role-mapping or role-transformation. It is simpler and cleaner than existing role based secure collaboration approaches.

• The usefulness of pseudo ROBAC is demonstrated in an on-demand movie service.

51

Future Work

• Explore the enforcement and implementation aspects of ROBAC;

• Perform safety analysis in ROBAC;• Detail the implication of can_modify_R, can_modify_O,

and can_modify_RO predicates on individual administrative tasks such as add/delete nodes or edges;

• Define each administrative action using some formal specification language such as Z [PST91];

• Integrate general constraints in ROBAC;• Detail the implementation perspective of ROBACM based

secure collaboration schema;• ……

52

Published Papers On This Topic

• [ZZS06] Zhixiong Zhang, Xinwen Zhang, and Ravi Sandhu, “ROBAC: Scalable Role and Organization Based Access Control Models”, Proceedings of CollaborateCom-2006/TrustCol-2006, Atlanta, Georgia, USA, November 2006.

• [ZZS07] Zhixiong Zhang, Xinwen Zhang, and Ravi Sandhu, “Towards a Scalable Role and Organization Based Access Control Model with Decentralized Security Administration”, in Manish Gupta and Raj Sharman edit: “Handbook of Research on Social and Organizational Liabilities in Information Security”, IGI Global publications. Accepted for publishing at April 2007.

53

Thank You

• Questions?