International Federation for Information Processing
Role-Based Access Control (RBAC) has become the de facto standard for realizing authorization requirements in a wide range of organizations. Existing RBAC models suffer from two main shortcomings: a lack of expressiveness of roles and permissions, and ambiguities in their hierarchies. The expressiveness of roles and permissions is limited because roles cannot express behavior and state, while hierarchical RBAC cannot reflect real organizational hierarchies. In this paper, the authors propose a novel access control model: the Role-Oriented Access Control model (ROAC), which is based on the concepts of RBAC but inspired by the object-oriented paradigm.