CS406: Information Security

Al-Kahtani and Sandhu have introduced an extended RBAC approach through rules, called rule-based RBAC (RB-RBAC). In this approach, users are dynamically assigned to roles based on a finite set of assignment rules derived from the security policy. These rules take into consideration the attributes of users as contextual information. Similar to RB-RBAC, Kern and Walhorn have adopted RBAC approach and proposed a rule-based provisioning system for the RBAC approach based on a limited set of user attributes as contextual information. These approaches have the limitation of considering only the user-centric contextual information as policy constraints.

Later, Zheng et al. have proposed a dynamic role-based access control (DRBAC) approach, which incorporates the required credentials of users as contextual information when making user-role and role-permission assignments. The DRBAC approach extends the basic RBAC approach and it dynamically grants and adapts permission to users according to users' contexts.

In 2012, Kayes et al. have proposed a basic Context-Aware role-based Access Control (CAAC) framework for dynamic centralized network environments that are based on semantic technologies, and later the same authors extended the initial CAAC policy model by incorporating a wide range of contextual conditions. Recently, Kayes et al. have introduced a context-aware RBAC policy model for data and information resources. The dynamically changing contextual conditions (or contexts) constitute what is widely known as contextual information. According to context-sensitive access control research, there are three groups of contextual conditions, such as user, resource, and their surrounding environment-centric information (e.g., patients' profiles, users' locations, users' request times). For instance, the interpersonal relationship between two users can be seen as user-centric contextual information.