Towards an approach for weaving Open Digital Rights Language into Role-Based Access Control

Aisha Alshamsi, Z. Maamar, M. Kuhail
Published in: 2023 International Conference on IT Innovation and Knowledge Discovery (ITIKD), 2023-03-08
DOI: https://doi.org/10.1109/ITIKD56332.2023.10100036
Citations: 0

Abstract

Establishing an adequate and flexible access control over assets in an organization is one of the main pillars of a successful information and technology security strategy. To ensure efficient use of these assets in terms of availability, safety, and confidentiality, organizations roll out different strategies and adopt different techniques. These strategies and techniques could be based on roles to set access controls (Role-Based Access Control). Despite its popularity, there is an increasing interest in addressing RBAC's limitations with a focus on how to enforce an adequate level of access control over the available resources and how to define a flexible control over these resources so that accessibility and authenticity are achieved at the right time and right place. This paper addresses some of these limitations by adopting the Open Digital Rights Language (ODRL) to express who can do what, where, when, and how. ODRL is a policy language that offers flexible control over digital content. By weaving ODRL into RBAC, this paper illustrates how to specify what users are allowed, not allowed, and must be allowed to do through a set of constrained rules specialized into permissions, prohibitions, and duties.