A policy based role framework for access control

We outline a framework for specifying management roles which defines both authorisation and obligation policies for a particular management position. The policies define a relationship between a subject (manager) domain and a target domain in terms of the activities that are permitted or forbidden, and those that must or must not be performed. Policies grouped within a role refer to the same subject domain and propagate to the managers assigned to the roles. We cater for both human and automated managers and include interactions and concurrency constraints to specify aspects of the inter-role relationships in our framework. The paper presents the role-based management framework and explains the concepts of policy-based roles, then briefly describes the implementation of access control based on domain membership.