In principle RBAC supports the definition of arbitrary constraints on the different parts of an RBAC model.

However, at most efforts concerning RBAC constraints focused primarily on Separation of Duty constraints. With the increasing interest in RBAC in general and constraint based RBAC in particular, research pertaining to other types of RBAC constraints also gained in importance.

Types of Constraints#

Static constraints #

Static constraints refer to constraints that can be evaluated directly at design time or upon assignment of a role within an RBAC model (e.g. Static Separation of Duty).

Dynamic constraints #

Dynamic constraints can only be checked at run-time according to the actual values of specific attributes, or with respect to characteristics of the current session (e.g. Dynamic Separation of Duty, or time constraints)

Endogenous constraints#

Endogenous constraints are constraints that relate to intrinsic properties of an RBAC model, and inherently affect the structure and construction of a concrete instance of an RBAC model.

For example, a static separation of duties (SSD) constraint on two mutual exclusive Permissions prohibits an assignment of these permissions to the same Role.

Moreover, it also influences the definition of the respective role-hierarchy since it further prohibits that two distinct roles to which these permissions are assigned can have a common senior role. Otherwise a common senior could acquire both (mutual exclusive) permissions and thereby violate the corresponding SSD constraint. Similar effects can be observed for cardinality constraints for instance.

Exogenous constraints#

Exogenous constraints are constraints that apply to attributes that do not belong to the core elements of an RBAC model, but are defined as side conditions for certain operations or decisions of an access control service.

An example can be time constraints that restrict role activation to a specific time interval, or allow access operations for a particular resource only on a specific weekday.

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-17) was last changed on 31-Jan-2012 12:35 by jim