Next: Clark-Wilson Up: Representation and Evaluation of Previous: Integration with alternative authentication

Groups and Roles

A group is a convenient method to associate a name with a set of subjects and to use this group name for access control purposes. The kind of subject (individual user, host, application or other group) composing the group is opaque to the authorization mechanism. A group server issues group membership and non-membership certificates. In general, a principal may be a member of several groups. By default, a principal operates with the union of the privileges of all groups to which it belongs, as well as all of its individual privileges.

Some applications adopt role-based access control. The concept of roles is not consistent across different systems; several definitions of roles are present in the literature. In general, a role is a named collection of privileges needed to perform specific tasks in the system. Role properties [4] include:

Sandhu et al. [10] view roles as a policy and groups as a mechanism for role implementation. We adopt this point of view. In our framework we implement different flavors of roles using the notion of a group and a set of restrictions on granted privileges.

Consider a role-based policy which assigns the users Tom, Joe, and Ken the role Bank_Teller. This role allows a legitimate user to perform deposit and withdraw operations on the objects account_1 and account_2. This policy may be easily expressed in our EACL framework:
  1. Group Bank_Teller is defined which will include Tom, Joe, and Ken
  2. The EACLs for objects account_1 and account_2 will contain the following entry:

    Token Type: access_id_GROUP    
    Defining Authority: X.509    
    Value: /C=US/O=Globus/CN=Bank Teller    


    Token Type: pos_access_rights    
    Defining Authority: pasific_coast_bank    
    Value: ACCOUNT:deposit,withdraw    


In expressing role-based policy using groups, the issue of constraints on role activation and use should be addressed.
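The following is an added example, not code from the paper or its framework: a small Python evaluator for the Bank_Teller entry shown above. It models group membership certificates as a constructed dictionary, evaluates an EACL as a list of (Token Type, Defining Authority, Value) triples, computes the default "union of group and individual privileges" rule, and optionally restricts which groups are currently activated, illustrating the role-activation constraint mentioned in the last sentence. The token type access_id_USER, the subject-name mapping, the extra ACCOUNT:close entry for Tom, and the active_groups restriction are assumptions of this example; only access_id_GROUP and pos_access_rights appear on the page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Token:
    """One (Token Type, Defining Authority, Value) triple of an EACL entry."""
    token_type: str
    defining_authority: str
    value: str


# Constructed sample group membership. In the paper's framework a group
# server issues membership / non-membership certificates; this dict stands
# in for certificates the evaluator would already have verified.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "/C=US/O=Globus/CN=Bank Teller": {"Tom", "Joe", "Ken"},
}

# Constructed mapping from principal name to X.509 subject name (assumption).
PRINCIPAL_DN: Dict[str, str] = {
    "Tom": "/C=US/O=Globus/CN=Tom",
    "Joe": "/C=US/O=Globus/CN=Joe",
    "Ken": "/C=US/O=Globus/CN=Ken",
}

# The Bank_Teller entry from the text: a group subject token followed by a
# positive-rights token whose "ACCOUNT:op,op" value format is taken from the page.
BANK_TELLER_ENTRY: List[Token] = [
    Token("access_id_GROUP", "X.509", "/C=US/O=Globus/CN=Bank Teller"),
    Token("pos_access_rights", "pasific_coast_bank", "ACCOUNT:deposit,withdraw"),
]

# An individual-user entry for Tom on account_1 so the example can show the
# union of group and individual privileges. access_id_USER is an assumption.
TOM_ENTRY: List[Token] = [
    Token("access_id_USER", "X.509", "/C=US/O=Globus/CN=Tom"),
    Token("pos_access_rights", "pasific_coast_bank", "ACCOUNT:close"),
]

# Constructed EACLs for the two objects named in the text.
EACLS: Dict[str, List[List[Token]]] = {
    "account_1": [BANK_TELLER_ENTRY, TOM_ENTRY],
    "account_2": [BANK_TELLER_ENTRY],
}


def _subject_matches(token: Token, principal: str,
                     active_groups: Optional[Set[str]]) -> bool:
    """True if the subject-condition token applies to the principal.

    active_groups models a role-activation constraint: when given, only the
    listed groups count, so a teller who has not activated Bank_Teller gets
    none of its rights. This restriction is an assumption of the example.
    """
    if token.token_type == "access_id_USER":
        return PRINCIPAL_DN.get(principal) == token.value
    if token.token_type == "access_id_GROUP":
        if active_groups is not None and token.value not in active_groups:
            return False
        return principal in GROUP_MEMBERS.get(token.value, set())
    return False  # unknown subject token types never match: fail closed


def _parse_rights(value: str) -> Tuple[str, Set[str]]:
    """'ACCOUNT:deposit,withdraw' -> ('ACCOUNT', {'deposit', 'withdraw'})."""
    obj_type, _, ops = value.partition(":")
    return obj_type, {op.strip() for op in ops.split(",") if op.strip()}


def granted_rights(principal: str, obj: str, obj_type: str = "ACCOUNT",
                   active_groups: Optional[Set[str]] = None) -> Set[str]:
    """Union of positive rights from every entry of the object's EACL whose
    subject conditions all hold for the principal (group or individual)."""
    rights: Set[str] = set()
    for entry in EACLS.get(obj, []):
        subject_tokens = [t for t in entry if t.token_type.startswith("access_id_")]
        if not subject_tokens:
            continue  # an entry without a subject condition grants nothing here
        if not all(_subject_matches(t, principal, active_groups) for t in subject_tokens):
            continue
        for t in entry:
            if t.token_type == "pos_access_rights":
                t_type, ops = _parse_rights(t.value)
                if t_type == obj_type:
                    rights |= ops
    return rights


def is_authorized(principal: str, obj: str, operation: str,
                  active_groups: Optional[Set[str]] = None) -> bool:
    return operation in granted_rights(principal, obj, active_groups=active_groups)


if __name__ == "__main__":
    for who in ("Tom", "Joe", "Alice"):
        print(who, "account_1", sorted(granted_rights(who, "account_1")))
```

Tom gets deposit and withdraw through the group and close through his individual entry, Joe gets only the group's rights, and a principal with no membership certificate gets nothing. Passing an empty active_groups set drops the group-derived rights while leaving Tom's individual privilege intact, which is the kind of activation constraint the text says a group-based role implementation has to address.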


Tatyana Ryutov 2002-06-25