Deriving a role-based access control model from the OBBAC model

Abstract

The object-based access control model (OBBAC), a conceptual access control model, has been proposed to deal with the high-level specification of a security policy in an object-oriented environment. This model is based on the notion of security labels which, however, are associated to operations rather than to objects as in the classic label-based access control models. It was used to specify the security policy of a distance learning system. The key issue that has arisen from the OBBAC model is the handling of security labels during the application development. The goal of the paper is to prove that there exists a mapping from an OBBAC model to a role-based access control model (RBAC) which can be used to specify the system security policy.