This is an examination. You must write the answer yourself without ANY discussion with anyone else. Your answers should be based on the material discussed in class. You are free to consult additional literature on the topic but your time is likely better spent answering the question based on the lectures.
Provide a statement with your submission stating: "I have not given help or taken help from anyone on this examination."
All questions have equal weight. Your solution should be prepared in soft copy, although diagrams may be hand-drawn. Please submit hard copy on the due date in class.
1. Consider the RBAC96 model defined in
·
and the proposed NIST standard model defined in
· David F. Ferraiolo, Ravi Sandhu, Serban Gavrila, D. Richard Kuhn and Ramaswamy Chandramouli, Proposed NIST Standard for Role-Based Access Control, ACM Transactions on Information and System Security (TISSEC), Volume 4, Number 3, August 2001.
Give a comparison of the two models (maximum length 1 page). Do not repeat a description of the 2 models. That is already available in the papers. Focus on identifying significant similarities and differences and important pros and cons.
2. Consider the criticism of ARBAC97 and suggested improvements in
· Sejong Oh, Ravi S. Sandhu, A Model for Role Administration Using Organization Structure, SACMAT 2002.
Give a review of this paper and an assessment of the suggested modifications to ARBAC97 (maximum length 1 page).
3. Propose a model for decentralized permission-role administration based on the notion that resource owners should determine the permissions for each role with respect to the resources they own. A resource can be an application, a server, a network, etc. There is no unique answer to this question. Motivate why you think your model is of practical benefit. (maximum length 1 page).