TY - JOUR
T1 - Functionality and implementation issues for complex authorisation models
AU - Longstaff, Jim
AU - Lockyer, M.
AU - Howitt, A.
PY - 2006/2/1
Y1 - 2006/2/1
N2 - The concepts and benefits of Role-Based Access Control (RBAC) are first reviewed. As an example of enhanced authorisation functionality, the Tees Confidentiality Model (TCM), which is an authorisation model suitable for complex web applications in addition to computer systems administration is then presented. The TCM is based on a range of permission types, called Confidentiality Permission Types, which are processed in a defined order. Confidentiality permissions may have negative values (i.e. they may deny access), and may be overridden by authorised users in carefully specified ways. An arbitrary number of Authorisation Classifiers for users and protected objects may be specified. Confidentiality Permission Types are defined in terms of classifiers. A single concept of Collection is used for structuring classifier values, including roles, although the RBAC general and limited role hierarchies can be used if desired. Confidentiality permissions specify inheritance within collections, thereby providing a mechanism for confidentiality permission assignment. A demanding scenario from electronic health records is used to illustrate the power of the model.
AB - The concepts and benefits of Role-Based Access Control (RBAC) are first reviewed. As an example of enhanced authorisation functionality, the Tees Confidentiality Model (TCM), which is an authorisation model suitable for complex web applications in addition to computer systems administration is then presented. The TCM is based on a range of permission types, called Confidentiality Permission Types, which are processed in a defined order. Confidentiality permissions may have negative values (i.e. they may deny access), and may be overridden by authorised users in carefully specified ways. An arbitrary number of Authorisation Classifiers for users and protected objects may be specified. Confidentiality Permission Types are defined in terms of classifiers. A single concept of Collection is used for structuring classifier values, including roles, although the RBAC general and limited role hierarchies can be used if desired. Confidentiality permissions specify inheritance within collections, thereby providing a mechanism for confidentiality permission assignment. A demanding scenario from electronic health records is used to illustrate the power of the model.
UR - http://www.scopus.com/inward/record.url?scp=33644503223&partnerID=8YFLogxK
U2 - 10.1049/ip-sen:20045056
DO - 10.1049/ip-sen:20045056
M3 - Article
AN - SCOPUS:33644503223
SN - 1462-5970
VL - 153
SP - 7
EP - 15
JO - IEE Proceedings: Software
JF - IEE Proceedings: Software
IS - 1
ER -