Support for ANSI RBAC in CORBA

Konstantin Beznosov ; Wesam Darwish

04 May 2007

Abstract: We describe access control mechanisms of the Common Ob ject Request Broker Architecture (CORBA) and define a configuration of the CORBA protection system in more precise and less ambiguous language than the CORBA Security specification (CORBASec). Using the configuration definition, we suggest an algorithm that formally specifies the semantics of authorization decisions in CORBA. We analyze support for the American National Standard Institute (ANSI) specification of Role-Based Access Control (RBAC) components in CORBA and identify the functionality that needs to be implemented—in addition to compliance with the CORBASec—in order to support Core, Hierarchical, and Constrained RBAC. We illustrate the discussion with a single access-policy domain as well as a multi-domain examples of the CORBASec protection system configuration. We also analyze support for the functional specification of ANSI RBAC in CORBA. Our results indicate that CORBA Security falls short of supporting even Core RBAC. Custom extensions are necessary in order for implementations compliant with CORBA Security to support ANSI RBAC required or optional components. These results can be interpreted as either a demonstration of CORBA’s inadequacy in supporting ANSI RBAC, or as a sign of ANSI RBAC not being sufficiently general. This paper sets up a framework for implementing and assessing implementations of ANSI RBAC using CORBA Security, provides directions for CORBA Security implementing ANSI RBAC in their systems, and offers criteria to users for selecting these CORBA Security implementations that support required and optional components of ANSI RBAC.

Keyword(s): ANSI RBAC ; CORBA ; CORBASec ; RBAC ; access control ; protection state ; Access Control Models and Languages

Published in: Konstantin Beznosov, Wesam Darwish "Support for ANSI RBAC in CORBA," Laboratory for Education and Research in Secure Systems Engineering, Vancouver, Canada, University of British Columbia, technical report LERSSE-TR-2007-01, 26 July, 2007, pp.42.:

The record appears in these collections:
Access Control Models and Languages
Technical Reports

 Record created 2009-04-27, last modified 2013-05-22

Transfer from CDS 0.99.7:
Download fulltext

Rate this document:

Rate this document:
(Not yet reviewed)