Role-based access control (RBAC) is a well-accepted model for access control in an enterprise environment. When we apply RBAC model to large enterprises, effective role administration is a major issue. ARBAC97 is a well-known solution for decentralized RBAC administration. ARBAC97 authorizes administrative roles by means of role ranges and prerequisite conditions, where prerequisite conditions effectively work as a restricted pool for administrative roles to pick users or permissions. Although attractive and elegant in their own right, these mechanisms have significant shortcomings. In this paper, we propose an improved role administration model named ARBAC02 to overcome the weaknesses of ARBAC97. ARBAC02 introduces the concept of organization structure for defining user and permission pools independent of roles and role hierarchies, with a refined prerequisite condition specification. In addition, we present a bottom-up approach of permission-role administration in contrast to the top-down approach in ARBAC97. As a general solution, we illustrate the applications of organization structured-based security administration with other access control models, such as access control list model and lattice-based access control model.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Biba, K. J. 1977. Integrity Considerations for Secure Computer Systems. Mitre Corp. Report No.TR3153, Bedford, MA. (Also available through Nat'l Technical Information Service, Springfield, Va., Report No. NTIS AD--A039324.)
	2	Bell, D. E. and Lapadula, L.J. 1975. Secure Computer Systems: Mathematical Foundations and Model. Mitre Corp. Report No. M74-244, Bedford, MA. (Also available through Nat'l Technical Information Service, Springfield, VA, Report No. NTIS AD-771543.)
	3	Jason Crampton, Administrative scope and role hierarchy operations, Proceedings of the seventh ACM symposium on Access control models and technologies, June 03-04, 2002, Monterey, California, USA  [doi>10.1145/507711.507736]
	4	Ids share. Aris house. http://www.ids-scheer.com
	5	James B. D. Joshi , Walid G. Aref , Arif Ghafoor , Eugene H. Spafford, Security models for web-based applications, Communications of the ACM, v.44 n.2, p.38-44, Feb. 2001  [doi>10.1145/359205.359224]
	6	Jonathan D. Moffett, Control principles and role hierarchies, Proceedings of the third ACM workshop on Role-based access control, p.63-69, October 22-23, 1998, Fairfax, Virginia, United States  [doi>10.1145/286884.286900]
	7	Jonathan D. Moffett , Emil C. Lupu, The uses of role hierarchies in access control, Proceedings of the fourth ACM workshop on Role-based access control, p.153-160, October 28-29, 1999, Fairfax, Virginia, United States  [doi>10.1145/319171.319186]
	8	Matunda Nyanchama , Sylvia Osborn, The role graph model and conflict of interest, ACM Transactions on Information and System Security (TISSEC), v.2 n.1, p.3-33, Feb. 1999  [doi>10.1145/300830.300832]
	9	Oh, S. and Park, S. 2001. An improved administration method on role-based access control in the enterprise environment. Journal of Information Science and Engineering 17, 921--944.
	10	Sylvia Osborn , Yuxia Guo, Modeling users in role-based access control, Proceedings of the fifth ACM workshop on Role-based access control, p.31-37, July 26-28, 2000, Berlin, Germany  [doi>10.1145/344287.344299]
	11	Sylvia Osborn , Ravi Sandhu , Qamar Munawer, Configuring role-based access control to enforce mandatory and discretionary access control policies, ACM Transactions on Information and System Security (TISSEC), v.3 n.2, p.85-106, May 2000  [doi>10.1145/354876.354878]
	12	Najam Perwaiz, Structured management of role-permission relationships, Proceedings of the sixth ACM symposium on Access control models and technologies, p.163-169, May 2001, Chantilly, Virginia, United States  [doi>10.1145/373256.373292]
	13	Ravi S. Sandhu, Lattice-Based Access Control Models, Computer, v.26 n.11, p.9-19, November 1993  [doi>10.1109/2.241422 ]
	14	Ravi S. Sandhu , Venkata Bhamidipati, The URA97 Model for Role-Based User-Role Assignment, Proceedings of the IFIP TC11 WG11.3 Eleventh International Conference on Database Securty XI: Status and Prospects, p.262-275, August 10-13, 1997
	15	Ravi Sandhu , Venkata Bhamidipati , Edward Coyne , Srinivas Ganta , Charles Youman, The ARBAC97 model for role-based administration of roles: preliminary description and outline, Proceedings of the second ACM workshop on Role-based access control, p.41-50, November 06-07, 1997, Fairfax, Virginia, United States  [doi>10.1145/266741.266752]
	16	R. Sandhu , Q. Munawer, The RRA97 Model for Role-Based Administration of Role Hierarchies, Proceedings of the 14th Annual Computer Security Applications Conference, p.39, December 07-11, 1998
	17	Ravi S. Sandhu , Edward J. Coyne , Hal L. Feinstein , Charles E. Youman, Role-Based Access Control Models, Computer, v.29 n.2, p.38-47, February 1996  [doi>10.1109/2.485845 ]
	18	Sandhu, R. and Bhamidipati, V. 1999. Role-based administration of user-role assignment: The URA97 model and its Oracle implementation. Journal of Computer Security, 7.
	19	Ravi Sandhu , Qamar Munawer, The ARBAC99 Model for Administration of Roles, Proceedings of the 15th Annual Computer Security Applications Conference, p.229, December 06-10, 1999
	20	Ravi Sandhu , Venkata Bhamidipati , Qamar Munawer, The ARBAC97 model for role-based administration of roles, ACM Transactions on Information and System Security (TISSEC), v.2 n.1, p.105-135, Feb. 1999  [doi>10.1145/300830.300839]