Abstract
M.Sc.
Role-based access control (RBAC) associates roles with privileges and users with roles.
These associations are, however, static in that changes are infrequent and explicit. In
certain instances this does not reflect business requirements. Access to an object should be
based not only on the identity of the object and the user, but also on the actual task that
must be performed. Context-sensitive access control meets the requirements in that it also
considers the actual task, i.e. the context of the work to be done, when deciding whether an
access should be granted or not. Workflow technology provides an appropriate
environment for establishing the context of work. This dissertation discusses the
implementation of a context-sensitive access control mechanism within a workflow
environment. Although the prototype represents scaled-down workflow functionality, it
illustrates the concept of context-sensitive access control.
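
The distinction drawn in the abstract, shown as an added example that is not taken from the dissertation's prototype: a static RBAC check beside a check that also requires an active workflow task on the specific object. The role names, the `Task` and `Workflow` classes and the sample data are assumptions made for this illustration.

```python
from dataclasses import dataclass

# Static RBAC associations (constructed sample data, hypothetical names).
ROLE_PERMS = {"clerk": {("claim", "read"), ("claim", "update")},
              "manager": {("claim", "read"), ("claim", "approve")}}
USER_ROLES = {"alice": {"clerk"}, "bob": {"manager"}}

@dataclass(frozen=True)
class Task:
    """One workflow task instance: the context of the work to be done."""
    name: str
    role: str          # role that may perform this task
    object_id: str     # the single object the task operates on
    perms: frozenset   # actions the task needs on that object

class Workflow:
    """Scaled-down workflow engine: tracks the task active for each user."""
    def __init__(self):
        self.active = {}  # user -> Task currently assigned

    def assign(self, user, task):
        # The static user-role association still gates who may take a task.
        if task.role not in USER_ROLES.get(user, set()):
            raise PermissionError(f"{user} does not hold role {task.role}")
        self.active[user] = task

    def complete(self, user):
        self.active.pop(user, None)  # permissions lapse with the task

def rbac_allows(user, obj_type, action):
    """Static RBAC: any held role grants the permission, on every object."""
    return any((obj_type, action) in ROLE_PERMS[r]
               for r in USER_ROLES.get(user, ()))

def context_allows(wf, user, obj_type, object_id, action):
    """Context-sensitive: the role must permit it AND the active task need it."""
    task = wf.active.get(user)
    return (task is not None
            and task.object_id == object_id
            and action in task.perms
            and (obj_type, action) in ROLE_PERMS[task.role])

if __name__ == "__main__":
    wf = Workflow()
    print(rbac_allows("alice", "claim", "update"))                 # static view
    print(context_allows(wf, "alice", "claim", "C-1", "update"))   # no task yet
    wf.assign("alice", Task("capture", "clerk", "C-1", frozenset({"update"})))
    print(context_allows(wf, "alice", "claim", "C-1", "update"))   # task active
```
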

Access control was traditionally aimed at physically controlling access to a computer
terminal. Large doors were put in place and time was divided between users who needed to
work on a terminal. Today, however, physical means of restraining access have to a large
extent given way to logical controls.

Current access control mechanisms frequently burden the end-users with unnecessary
security-related tasks. A user may, for example, be expected to assume a specific role at
the beginning of a session, resulting in unnecessary multi-logons. Alternatively, users can
automatically play the most senior role that they can hold and consequently receive the
permissions associated with that role. The user is therefore trusted to implement the
security policy and not misuse granted privileges.

It is also possible for an end-user to bypass security functionality inadvertently: end-users
do not always remember to do the correct thing. End-users are furthermore not necessarily
adequately educated in security principles and may thus regard security-related tasks as
hampering the tasks that they regard as being more important.