ABSTRACT
Traditional access control models, such as Bell-LaPadula
and Clark-Wilson, rely on an access control matrix where
subjects are assigned specific sets of rights according to
their level of access. This approach is still the most
popular form of access control today, albeit in a slightly
less complicated form in modern operating systems;
however, the thinking surrounding access control and
access control management has slowly been shifting
away from the more traditional subject-object models,
where the focus is on the action of the subject, toward
task- or role-based models.[3,4] These models encompass
organizational needs and reflect the organizational structure,
with a focus on the tasks that must be accomplished.
Although the idea of roles has been used in software
applications and mainframe computers for over 20
years,[5] the last decade has seen a rise in interest in the
field, as can be seen in the work of Thomas and Sandhu,[4]
Ferraiolo and Kuhn,[6] and Baldwin,[7] where the traditional
concepts of access control are challenged and task- and
role-based approaches are presented.