The general theme for this thesis is computer security. In particular, attention is directed towards secure distributed systems and how role-based access control can be introduced into such systems.
Access control is an important building block for creating secure computer systems. Role-based access control (RBAC) is an efficient way of organizing access control information, from both an administrative and a system-architectural point of view. To benefit from these advantages in a distributed system, several building blocks are necessary. We need a distributed infrastructure that can enforce access control and allow applications to communicate securely. Within the infrastructure, roles and access rights must be managed efficiently. To protect existing investments we must cater for legacy systems and demonstrate how existing applications can be integrated into the distributed infrastructure. This thesis provides contributions in these areas.
An object-oriented architecture for secure distributed systems is presented. The architecture can use role-based access control and allows existing applications to be adapted to the secure environment without need of modification. We also propose a mechanism whereby centralized security management can be introduced into an otherwise distributed system.
The thesis presents a general framework for representing roles and constructing organizational models from roles and their inter-relationships.
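As an added illustration of the kind of role model the framework describes (this is example code, not the thesis's own framework or implementation), the following Python sketch models roles, a role hierarchy as the inter-relationship between them, permissions granted to roles, and user-to-role assignments, with a default-deny permission check. The organization (employee, engineer, lead), the users and the permissions are constructed sample data.

```python
"""Minimal role-based access control (RBAC) model with a role hierarchy.

Constructed example (not from the thesis): users are assigned roles, roles are
granted (operation, object) permissions, and a senior role inherits every
permission of the junior roles beneath it.
"""
from collections import deque


class RBACModel:
    def __init__(self):
        self._perms = {}      # role -> set of (operation, object) pairs
        self._juniors = {}    # role -> set of roles it directly inherits from
        self._assigned = {}   # user -> set of directly assigned roles

    def add_role(self, role, inherits=()):
        """Register a role; `inherits` names junior roles whose permissions it acquires.

        Junior roles must already exist, so the hierarchy is built bottom-up and
        cannot contain a cycle.
        """
        if role in self._perms:
            raise ValueError(f"role already defined: {role}")
        for junior in inherits:
            self._require_role(junior)
        self._perms[role] = set()
        self._juniors[role] = set(inherits)

    def grant(self, role, operation, obj):
        """Grant permission to perform `operation` on `obj` to `role`."""
        self._require_role(role)
        self._perms[role].add((operation, obj))

    def assign(self, user, role):
        """Assign `role` directly to `user`; the role must exist."""
        self._require_role(role)
        self._assigned.setdefault(user, set()).add(role)

    def effective_roles(self, user):
        """All roles a user holds, directly or transitively through the hierarchy."""
        seen = set()
        queue = deque(self._assigned.get(user, ()))
        while queue:
            role = queue.popleft()
            if role in seen:
                continue
            seen.add(role)
            queue.extend(self._juniors[role])
        return seen

    def effective_permissions(self, user):
        """Union of the permissions of every effective role of the user."""
        perms = set()
        for role in self.effective_roles(user):
            perms |= self._perms[role]
        return perms

    def check(self, user, operation, obj):
        """Deny by default: succeed only if some effective role grants the permission."""
        return (operation, obj) in self.effective_permissions(user)

    def _require_role(self, role):
        if role not in self._perms:
            raise ValueError(f"unknown role: {role}")


def build_sample_model():
    """Constructed organizational model: lead inherits engineer, which inherits employee."""
    m = RBACModel()
    m.add_role("employee")
    m.add_role("engineer", inherits=["employee"])
    m.add_role("lead", inherits=["engineer"])
    m.grant("employee", "read", "handbook")
    m.grant("engineer", "write", "repo")
    m.grant("lead", "approve", "release")
    m.assign("alice", "lead")
    m.assign("bob", "employee")
    return m


if __name__ == "__main__":
    model = build_sample_model()
    requests = [("alice", "write", "repo"), ("bob", "write", "repo"),
                ("alice", "approve", "release"), ("carol", "read", "handbook")]
    for user, op, obj in requests:
        verdict = "allow" if model.check(user, op, obj) else "deny"
        print(f"{user} {op} {obj} -> {verdict}")
```

The administrative benefit the abstract refers to is visible in `build_sample_model`: permissions are attached to roles rather than to users, so moving a person between positions is a single reassignment, and adding a senior role reuses the junior roles' grants instead of duplicating them.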
We present a design and implementation for introducing role-based access control into already existing systems. In the design, an NFS server is adapted to use role-based access control information. A performance comparison between the original and the enhanced NFS server is included.
The thesis also includes an overview of computer security methods in general and a survey of existing distributed protocols, systems, and frameworks designed with security in mind.
Looking forward to future research, we envision an extended formal framework that includes authorizations and constraints. We also see the need for support tools that help in the process of translating high-level access control policies into explicit assignments of access rights.