When Role Models Have Flaws: Static Validation of Enterprise Security Policies

Modern multiuser software systems have adopted Role-Based Access Control (RBAC) for authentication and authorization management. This paper presents a formal model for RBAC policy validation and a static analysis model for RBAC systems that can be used to (1) identify the roles required by users to execute an enterprise application, (2) detect potential inconsistencies caused by principal delegation policies, which are used to override a user’s role assignment, (3) report if the roles assigned to a user by a given policy are redundant or insufficient, and (4) report vulnerabilities which can result from unchecked intra-component accesses. The algorithms described in this paper have been implemented as part of IBM’s Enterprise Security Policy Evaluator (ESPE) tool. Experimental results show that the tool found numerous policy flaws, including ten previously unknown flaws from two production-level applications, with no false positive reports.

By: Marco Pistoia; Stephen J. Fink; Robert J. Flynn; Eran Yahav

Published in: RC24056 in 2006


This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.


Questions about this service can be mailed to reports@us.ibm.com .