
ROLE-BASED ACCESS CONTROL (RBAC) 1

Role-Based Access Control (RBAC)

Class Name: ISOL 531 – ACCESS CONTROL

Date: 6/28/2018

Student’s Name: Yamuna Venkata Sri Lakshmi Nune



Table of Contents

Introduction......................................................................................................................................3

Literature Research..........................................................................................................................4

Access Control Models................................................................................................................4

Role-Based Access Control.........................................................................................................4

Team Collaboration......................................................................................................................5

Methodology and Findings..........................................................................................................6

Analysis...........................................................................................................................................7

RBAC Model...............................................................................................................................7

Collaboration................................................................................................................................7

Constraints...................................................................................................................................8

Valuable Information from the Findings.....................................................................................8

Future Developments and Trends................................................................................................9

Application of the Proposed Improved RBAC Model....................................................................9

Appropriate Application for the Improved Role Base Model......................................................9

Benefits of the Improved RBAC Model to Organizations.........................................................10

Challenges for Implementing the Improved RBAC Model.......................................................11

Cost implications of the improved RBAC...............................................................................11

Ethical implications of the improved RBAC...........................................................................12

Conclusion.....................................................................................................................................13

Recommendation...........................................................................................................................14

References......................................................................................................................................15

Role-Based Access Control (RBAC)

Introduction

Access to information is a vital element in any organization, supporting its growth and productivity. In a distributed working environment, access control among different users is the primary focus of the security management team, and the role-based model can resolve this issue. The concept of role-based access control is applied among the different individuals who should access the system: authorization to access objects is granted depending on a specific role. With the RBAC model, individuals in an organization obtain exactly the authorizations that correspond to their roles. The capability of the RBAC model to simplify authorization and security management in a distributed workflow has created research interest among scholars and among governmental and non-governmental organizations. The Role-Based Access Model has done much to ensure that users within an organization attend to their specific roles without the administrator having to update every user individually.

From the late 1960s, research firms have suggested various information access control models, including discretionary, mandatory, and role-based models, among others (Sandhu, 2015). These models are deployed in different applications to govern data access. Nonetheless, few of these models address the governance of data access in a collaborative, team-based workflow. Despite the ability of RBAC to authorize users to access only the information they are permitted to access, the model has failed to promote teamwork among employees in a multi-organizational environment. Therefore, this paper discusses how the role-based access control framework can be improved to encourage teamwork collaboration among employees in a multi-organizational framework.

Literature Research

Access Control Models

An access control model is a necessity for improving information security. Besides, an access control model is also responsible for filtering irrelevant data, providing customized views, and improving efficiency in information management. In 1969, Lampson introduced the Access Matrix, which was the first access control model (Chapple & Ballad, 2014). The model was simple in structure, consisting of two components: access authorization and user identification. The RBAC model came after the access matrix in 1973 under the proposal of LaPadula and Bell. In the role-based approach, access permission was granted to individuals based on rules. Later on, the MAC model was introduced, in which access permission was governed with regard to individual users. The MAC model was too complex and consumed a lot of resources when managing a large organization, which created the need for a role-based system in the early 1990s.

Role-Based Access Control

Role-Based Access Control manages the restriction of unauthorized access to information by individuals in an organization and is now one of the primary methods for advanced information security management. The model is designed to allow employees to access only the specific information that their duties in the organization require (Moses, Rowe, & Cunha, 2015). Nevertheless, access to information is governed by various factors such as authority, responsibility, and job competency. Additionally, even where users are able to access specific information, the level of access can be limited to viewing, modifying, or creating files. As a result, entry-level and low-level employees do not have access to sensitive information, which positively contributes to their fulfilling their responsibilities. The existing RBAC is efficient at improving compliance, maximizing operational efficiency, and reducing administrative work and IT support. However, the system does not adequately support teamwork among employees, which is a vital factor in an organization.

Considering a contextual framework based on biomedical research, clinical studies, and the patient-care environment, collaborative teamwork is essential. According to Montrieux (2013), various existing access control models have been designed to support teamwork between biomedical research and patient care. According to Talwalkar, Fahs, et al. (2016), none of the access control models has been designed to incorporate biomedical research, patient care, and clinical studies together, which calls for more research to enhance the existing Role-Based Access Control model so that it can incorporate all three departments working in the same industry.

Team Collaboration

Collaboration is when two or more individuals work together with the aim of achieving a common goal. Team collaboration allows individuals working in the same industry to meet on a common platform and work with each other towards a specific objective through brainstorming, thinking, and contributing different ideas to generate the desired solution (Boadu & Armah, 2014). Besides, working together on a common platform inspires team members with a strong sense of purpose and equal participation. In an effort to promote teamwork among individuals, various computer applications have been invented to improve communication among team members. However, some industries, such as biomedicine, require multi-disciplinary cooperation to achieve their purpose adequately (Brownson, Colditz, & Proctor, 2018). Previous work has applied Computer-Supported Cooperative Work (CSCW) to enhance communication among team members in biomedical studies and to coordinate health management activities. Thus, governing access to information is an essential aspect of this streamlined workflow.

Methodology and Findings

In developing an access control model that defines access permission in the context of team cooperation and workflow governance, different principles were used. First, effectiveness: the model could be applied to determine the specific extent of data access in a collaborative process. Second, simplicity: the system consists of simple structures for more straightforward implementation. Third, the model had to be general: it should perform the core task of information access governance and also be generalizable to other domains and software.

Having these common principles, the existing RBAC models were reviewed to determine whether the new improved model could be developed based on previous studies. After reviewing several models, it was found that the RBAC model is widely used in many organizations. Besides, it was also found that the structural layout of RBAC is simple and its internal structure can be modified to include other features. As a result, RBAC would be used as the primary model and the new model as an improvement to RBAC.

To expand the existing role-based system so that it accommodates both teamwork collaboration and workflow management, the creation of new improved constraints, working together with the universal constraints, is necessary (Le & Doll et al., 2013). These constraints are: a separation-of-duties constraint, as in the current role-based model; an access delegation constraint, in which a role delegates access authorization based on a given set of rules; a collaboration constraint, to enhance teamwork collaboration; and finally an organizational constraint, to separate duties between organizations. In alliance with the universal constraint, the model adds an improved permission option tied to a specific workflow status, which is then joined with the action and assets on the RBAC core. It has the responsibility of defining access authorization for collaboration and workflow management.

Analysis

RBAC Model

Access control has been introduced in many organizations to enhance how information is managed and how the workflow is managed. From a healthcare perspective, clinical records are highly sensitive; thus, most studies on RBAC have focused on ways to protect the confidentiality of patients' records. However, as collaboration between clinical education and the workflow is a demanding factor for improving patient care, an RBAC system that incorporates clinical academics into the workflow is a necessity.

The literature on the functionality and structure of the existing RBAC model has provided important background for identifying which part of the model needs improvement. Most current RBAC models are designed to manage workflow and access to information within one organizational structure. However, the multi-organizational case, as in healthcare, where the workflow should collaborate with clinical educators to increase efficiency, is not supported. As a result, this creates a new gap for research.

Collaboration

The literature regarding teamwork collaboration likewise indicates the need for developing an RBAC model that promotes cooperation among individuals in an organization. As mentioned earlier, teamwork collaboration is vital in supporting the development of ideas that lead to the attainment of a common goal. Besides, the previous efforts to improve communication amongst workers through the introduction of CSCW provide a strong background for stimulating this study. The introduction of CSCW systems in the healthcare industry calls for defining ways in which the workflow would be managed. Therefore, the improved RBAC model aims at introducing methods by which teamwork collaboration can be improved and managed in an organizational structure.

Constraints

Access control models generally aim at restricting unauthorized access to information; thus, they are designed more to minimize information access. This research work focuses on expanding the existing security control system not only to restrict data access but also to promote collaboration amongst individuals. In achieving the objective of the proposed system, identification of the various constraints was a vital area of focus. Developing improved constraints in association with the universal constraint will work best for separation of workflow, delegation of access permissions, team collaboration, and separation of roles between organizations.

Valuable Information from the Findings

The most valuable information obtained from the findings is that the existing studies aimed at promoting workflow collaboration amongst individuals have not focused on improving teamwork collaboration between multiple organizations. These findings provide a critical note on the need to improve the existing system to cover multi-organizational teamwork collaboration. Nevertheless, finding that the current RBAC model can be expanded to incorporate other constraints positively contributes to the creation of the new improved system that supports teamwork collaboration.



Future Developments and Trends

The proposed improved RBAC model aims at promoting teamwork collaboration amongst different organizational disciplines. The new system will consist of an access delegation constraint, a collaboration constraint, an organizational constraint, and an improved permission option, which will work hand in hand to ensure teamwork collaboration and management of information access. Looking at this proposed structure, further studies should focus on developing additional types of constraints to enrich the workflow context and delegation of access, thus supporting data access in a collaborative structure.

Application of the Proposed Improved RBAC Model

Appropriate Application for the Improved Role Base Model

A role-based security system can be based on different applications, such as a design environment for commercial integrity security systems. The proposed RBAC model will work best under an Object-Oriented software design environment. According to Rhodes-Ousley (2012), in the design of an Object-Oriented protection model, the primary function is to exploit the Object-Oriented paradigm to organize users' responsibilities, establish their privileges, and provide strategies for understanding the significance of using the improved RBAC system.

When the proposed RBAC model is incorporated with Object-Oriented application design, users are subdivided into groups that best describe their roles within the multi-organizational context. To determine which group should have access to which particular information, different procedures are allocated to each specific team. Procedural allocation determines which exact segment of an object team's interface is made visible to other parties using the RBAC model. In doing so, the object-oriented principle of information hiding is expanded and utilized so that no single person can operate on data except under direct authorization. Besides, for a given object, the interface is screened to provide different access to different teams.

Since the proposed RBAC model will support multi-organizational teamwork, a two-step security authorization will be needed (Harris, 2014). Therefore, users' access to information will be authorized in two steps. First, an authorization that defines users in their particular environment and the relationships between them should be established. Second, access privileges are then allocated to users' duties through the task established under the procedural assignment. Using the relationships between the stipulated roles, the specific method-assignment framework is determined, hence using the least number of roles to attain the most appropriate functionality.
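As an added illustration (not the paper's own code), here is a minimal Python model of the extended RBAC described in the Methodology and Findings section and the two-step authorization described above: the RBAC core (an action on an asset, tied to a workflow status), separation of duties, and the delegation, collaboration and organizational constraints. The organizations, roles, assets and users in build_demo are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Permission:
    """RBAC-core permission: an action on an asset, optionally tied to a workflow status."""
    action: str          # "view", "modify" or "create"
    asset: str           # e.g. "patient_record"
    status: str = "*"    # workflow status in which it applies; "*" means any status

@dataclass
class User:
    name: str
    org: str                                 # home organization
    roles: set = field(default_factory=set)
    teams: set = field(default_factory=set)  # collaboration teams the user belongs to

class ExtendedRBAC:
    """RBAC core plus the four constraints and the workflow-status permission option."""
    def __init__(self):
        self.role_perms = {}   # role -> set of Permission (RBAC core)
        self.users = {}
        self.sod = set()       # pairs of mutually exclusive roles (separation of duties)
        self.delegations = {}  # (from_role, to_role) -> actions the role may delegate
        self.teams = {}        # team -> (member orgs, shared assets)  (collaboration)
        self.org_assets = {}   # org -> assets confined to that org (organizational)

    # ---- step 1: define users and roles and the relationships between them ----
    def grant(self, role, *perms):
        self.role_perms.setdefault(role, set()).update(perms)
    def separate(self, role_a, role_b):
        self.sod.add(frozenset((role_a, role_b)))
    def delegate(self, from_role, to_role, *actions):
        self.delegations[(from_role, to_role)] = set(actions)
    def team(self, name, orgs, assets):
        self.teams[name] = (set(orgs), set(assets))
    def confine(self, org, *assets):
        self.org_assets[org] = set(assets)
    def add_user(self, user):
        for pair in self.sod:  # separation-of-duties constraint, enforced at assignment
            if pair <= user.roles:
                raise ValueError(f"{user.name}: roles {sorted(pair)} are mutually exclusive")
        self.users[user.name] = user

    # ---- step 2: decide whether a duty (an action on an asset) may be performed ----
    def _core(self, role, action, asset, status):
        return any(p.action == action and p.asset == asset and p.status in ("*", status)
                   for p in self.role_perms.get(role, ()))

    def authorize(self, name, action, asset, status):
        """Return (allowed, reason); reason names the constraint or role that decided."""
        user = self.users[name]
        # Organizational constraint: an asset confined to one organization is reachable
        # from another only through a collaboration team that shares it with that org.
        owner = next((o for o, a in self.org_assets.items() if asset in a), None)
        if owner is not None and owner != user.org:
            shared = any(user.org in orgs and asset in assets
                         for t, (orgs, assets) in self.teams.items() if t in user.teams)
            if not shared:
                return False, "organizational constraint"
        # RBAC core: a permission held directly by one of the user's roles.
        for role in user.roles:
            if self._core(role, action, asset, status):
                return True, f"role {role}"
        # Delegation constraint: a permission handed down role-to-role for listed actions.
        for (src, dst), actions in self.delegations.items():
            if dst in user.roles and action in actions and self._core(src, action, asset, status):
                return True, f"delegated from {src}"
        return False, "no matching permission"

def build_demo():
    """Constructed scenario: a hospital and a clinical-education school on one care team."""
    ac = ExtendedRBAC()
    ac.grant("physician", Permission("view", "patient_record"),
             Permission("modify", "patient_record", status="treatment"))
    ac.grant("auditor", Permission("view", "audit_log"))
    ac.separate("physician", "auditor")                 # one person may not hold both
    ac.delegate("physician", "resident", "view")        # residents inherit 'view' only
    ac.team("care_team", ["hospital", "school"], ["patient_record"])
    ac.confine("hospital", "patient_record", "audit_log")
    ac.add_user(User("alice", "hospital", {"physician"}, {"care_team"}))
    ac.add_user(User("bob", "school", {"resident"}, {"care_team"}))
    ac.add_user(User("carol", "school", {"resident"}))  # same role, but not on the team
    return ac
```

The returned reason string is what an audit trail would record: it names which constraint denied the request or which role (direct or delegated) granted it.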

Benefits of the Improved RBAC Model to Organizations

The new improved RBAC model focuses on enhancing teamwork collaboration, which is an important factor in productivity growth. Collaborating with individuals who have similar experience or different skills can directly benefit the parties involved. Besides, working as a team improves everyone's experience, as each member learns new things from others. For instance, considering the situation in healthcare where clinical education staff need to be involved in the procedures for taking care of patients, the introduction of the proposed RBAC system will be of great benefit since it enhances teamwork collaboration.

Apart from enhancing collaboration among team members, the new improved model also focuses on improving how information is managed amongst different organizational disciplines. The new system will govern access to information and the allocation of duties within various sectors of an organization. The organizational constraint added to the existing RBAC model will be responsible for ensuring role management (Malik, Anjum & Raza, 2016). As a result, an enterprise will be more efficient in its operations due to the sharing of duties as a team.

Moreover, multiple organizations that implement the new proposed RBAC system will benefit in that they can retrieve valuable information among themselves. Furthermore, collaboration might improve the conceptual understanding of accountability within a multi-organizational setting. Since an accountability technique is not available in most multi-organizational settings, the newly proposed RBAC model that enhances teamwork will fill an important existing gap. Besides, even with voluntary collaboration, the degree of accountability might not be effective in some situations. Therefore, the introduction of the new improved RBAC model will ensure that every organization in a multi-organizational context is accountable for its actions.

Besides, the proposed Role-Based Access Control can be restructured and applied at the application level, thus facilitating the integration of security constraints. The benefit of having an application-level security constraint is that it minimizes the complexity of making sure that such a specification is stable and in order. The improved RBAC model supports customizing the proposed actions to the application.

Challenges for Implementing the Improved RBAC Model

Cost implications of the improved RBAC.

The implementation of the proposed RBAC system will require additional training of users, since more features will have been added to the system. Training staff incurs additional costs that an organization could otherwise use to improve other sectors of its economy. Furthermore, the costs are much higher when an outsourced professional is required to train the access control model users. Besides, for organizations that did not initially have the RBAC model implemented in their operations, the initiation of the improved model will be costly since they will have to use many of their resources to purchase the various devices that work hand-in-hand with the access control systems (Samarati, 2015). Nevertheless, organizations with an existing RBAC system installed in their workflow environment might also have to use some of their resources to acquire the proposed model and implement it. Therefore, the implementation of the new improved RBAC model will be costly to organizations.

Ethical implications of the improved RBAC.

Despite the ability of the improved RBAC model to restrict unauthorized access to information, its implementation in a multi-organizational environment might increase the risk of being hacked. Introducing an RBAC system into a multi-organizational structure exposes the system to a wide range of users. Arguably, as the number of users in a computerized environment increases, the chances of the system being hacked increase. Once the system has been hacked, the hacker might have access to people's information and other sensitive organizational information. Besides, the hacker can also take control of various procedures without being noticed. Simply put, as much as the proposed RBAC model limits access, the system can still be tampered with.

In spite of the new improved RBAC model being advantageous in promoting teamwork collaboration in a multi-organizational environment, the system might expose a company's information to risk. For instance, taking the case of introducing the proposed model in a healthcare environment where teamwork exists amongst clinical education students and the workforce, there is a likelihood that some of the students accessing organizational information might expose it to third parties since they are not adequately trained.

Conclusion

In an organizational workforce environment, having access control that governs access to information is an important factor. Since the late 1960s, access control models have advanced from the invention of the Access Matrix up to the introduction of RBAC. The role-based model allows organizations, especially the security team, to manage how individuals access data. Besides, the model is best at ensuring that users attend to their specific duties. Due to its ability to enhance information security and role allocation, the RBAC model has been employed in many sectors of the economy in the world today. The proposed RBAC model improves teamwork collaboration among individuals in a multi-organizational structure.

Most of the existing RBAC models have tried to encourage teamwork within the internal operations of an organization, which leaves a gap for advancing the model to support multi-organizational teamwork collaboration. In the development of the new improved RBAC model, the effort relied on three principles, simplicity, straightforwardness, and generality, to ensure that the primary objective was attained. Additionally, the existing RBAC provided the base framework for the creation of the proposed model due to its capability to accommodate extended features.

Nevertheless, three constraints were attached to the universal constraint to enable smooth operation of the model in the new multi-organizational environment. The three constraints are the access delegation constraint, the collaboration constraint, and the organizational constraint. Besides, a permission option that shows a work status will be introduced into the improved model. Notably, the enhanced RBAC model will operate under an Object-Oriented application, since an Object-Oriented environment best defines individuals' roles and establishes frameworks for understanding the importance of the new model.



Organizations that implement the proposed model, if it is approved, will have more benefits in their operations. First, the primary focus of the model is to enhance teamwork collaboration. Teamwork collaboration is vital in improving performance among employees and thus increasing the organization's productivity. Second, the improved RBAC model improves accountability in a multi-organizational environment. Finally, yet importantly, the proposed model is expandable; thus, organizations that adopt it in their operations will have the advantage of expanding it to include more features. However, the improved model is at risk of being hacked and of misuse of information by clinical education trainees. Further studies should focus on improving the security constraints and adding more constraints that support workflow in a teamwork collaboration context.

Recommendation

Biomedical, clinical education, and patient healthcare multi-organizations are the most relevant institutions to incorporate the improved role-based model. The model was developed with the contextual reference framework of the multi-organization mentioned above; thus, little effort will be required while implementing the model. Besides, the model is also recommended to other organizations that practice multi-organizational duties to ensure their productivity. However, a few modifications of the system might be needed for full implementation. The expandability of the improved RBAC model allows relevant organizations to alter it to meet their company's expectations. To add to that, I would like to recommend that more research should be done to limit the limitations of the improved system. In conducting further investigations, much focus should be on enhancing the security constraints and adding more constraints that support workflow collaboration.



References

Boadu, E. O., & Armah, G. K. (2014). Role-based access control (RBAC) based in hospital management. Int. J. Softw. Eng. Knowl. Eng., 3, 53-67.

Brownson, R. C., Colditz, G. A., & Proctor, E. K. (2018). Dissemination and implementation research in health: Translating science to practice. Oxford; New York: Oxford University Press.

Chapple, M., Ballad, B., Ballad, T., & Banks, E. K. (2014). Access control, authentication, and public key infrastructure (2nd ed.). Sudbury, MA: Jones & Bartlett Learning.

Harris, S. (2014). CISSP online training: Inside the access control domain. TechTarget. Retrieved from https://searchsecurity.techtarget.com/feature/CISSP-online-training-Inside-the-access-control-domain

Le, X. H., Doll, T., Barbosu, M., Luque, A., & Wang, D. (2014). Evaluation of an Enhanced Role-Based Access Control model to manage information access in collaborative processes for a statewide clinical education program. Journal of Biomedical Informatics, 50, 184-195.

Malik, A. K., Anjum, A., & Raza, B. (2016). Innovative solutions for access control management. Hershey, Pennsylvania: IGI Global.

Montrieux, L. (2013). Model-Based Analysis of Role-Based Access Control (Doctoral dissertation, The Open University). Retrieved from http://oro.open.ac.uk/38672/

Moses, S., Rowe, D. C., & Cunha, S. A. (2015). Addressing the Inadequacies of Role Based Access Control (RBAC) Models for Highly Privileged Administrators: Introducing the SNAP Principle for Mitigating Privileged Account Breaches. International Journal of Intelligent Computing Research (IJICR), 6(3), 583-591.

Rhodes-Ousley, M. (2012). Network Security: The Complete Reference. New York, USA: McGraw Hill.

Samarati, P. (2015). Data and Applications Security and Privacy XXIX: 29th Annual IFIP WG 11.3 Working Conference, DBSec 2015, Fairfax, VA, USA, July 13-15, 2015, Proceedings. Cham: Springer International Publishing.

Sandhu, R. (2015, April). Attribute-Based Access Control Models and Beyond. In ASIACCS (p. 677). Retrieved from http://www.profsandhu.com/miscppt/kth_abac_141029.pdf

Talwalkar, J. S., Fahs, D. B., Kayingo, G., Wong, R., Jeon, S., & Honan, L. (2016). Readiness for interprofessional learning among healthcare professional students. International Journal of Medical Education, 7, 144. Retrieved from https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4865374/
