In complex and dynamic computing networks, users must be given access to the objects reachable over the network that is both convenient and secure. Typically, the users include humans who wish to read or write information or data objects, use resources to accomplish some task, or run application objects. Such widespread information sharing creates a foundation for critical systems such as virtual enterprises and even coalition warfare. Mechanisms allowing the requisite information flow, exchange, and dissemination must preserve the security of the underlying information and provide traceability of all attempts to access it, whether successful or not. Otherwise, the information may be compromised, or the resources and applications may be used by unauthorized personnel.
Recently, the National Institute of Standards and Technology (NIST) developed a role-based access control (RBAC) model to enhance information sharing while preserving security. Briefly, in a system implementing role-based access control, permissions to access objects are attached to roles rather than to individual users, and each user is administratively assigned one or more roles. When a user requests access to an object, the system determines whether any role currently assigned to that user permits such access. If so, the system allows the access; if not, the system denies it.
Unfortunately, roles change rapidly in large, complex projects such as, for example, virtual enterprises or coalition warfare. A subcontractor on one project may enter competition for additional subcontracts related to the subcontractor's current contractual responsibilities. While before the competition it would have been desirable to share much information with the subcontractor, sharing too much information during the competition may unfairly impart an advantage to that subcontractor. Accordingly, the competition suffers, with attendant inefficiencies and expenses. During coalition warfare, shifting political alliances may necessitate that an erstwhile ally be excluded from access to coalition information and resources.
These changes in roles necessitate administrative tracking of the rapidly shifting roles. Moreover, as the roles shift, the role assignments (and any access control lists derived from them) must be updated continuously, or else the virtual system may be compromised by a party whose access should already have been withdrawn. Additionally, because of the frequency of role changes, some entity must evaluate each request for access to the system against a current role list rather than against a cached or stale one. Maintaining the currency of the access list thus consumes large resources in the form of administrative departments and the actions associated with these activities. Accordingly, a need exists to minimize the overhead associated with role-based access control systems.
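The following is an added illustration of the role-based model and of the role-revocation problem described above; it is not code from the original document or from NIST. It assumes a hypothetical policy store in which permissions are attached to roles and users are assigned roles, every decision is made against the user's current roles (default deny), and every attempt is recorded for traceability. The users, roles and object names in the scenario are constructed for the example.

```python
"""Minimal role-based access control (RBAC) with an audit trail.

Constructed example: permissions are attached to roles, users are
administratively assigned roles, and each access request is decided
against the user's *current* role assignments and logged, allowed or not.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

Permission = Tuple[str, str]  # (object, action), e.g. ("ops-plan", "read")


@dataclass
class RbacPolicy:
    role_perms: Dict[str, Set[Permission]] = field(default_factory=dict)
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)

    def grant(self, role: str, obj: str, action: str) -> None:
        """Attach a permission to a role (role-permission assignment)."""
        self.role_perms.setdefault(role, set()).add((obj, action))

    def assign(self, user: str, role: str) -> None:
        """Administratively assign a role to a user (user-role assignment)."""
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        """Withdraw a role from a user; effective on the very next check."""
        self.user_roles.get(user, set()).discard(role)

    def check(self, user: str, obj: str, action: str) -> bool:
        """Default-deny decision: allowed only if some role currently
        assigned to the user carries (obj, action). Every attempt is
        recorded so that access can be traced afterwards."""
        roles = self.user_roles.get(user, set())
        allowed = any((obj, action) in self.role_perms.get(r, set()) for r in roles)
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "object": obj,
            "action": action,
            "roles": sorted(roles),
            "decision": "ALLOW" if allowed else "DENY",
        })
        return allowed


def coalition_scenario() -> Dict[str, object]:
    """Constructed scenario (hypothetical names): a coalition partner loses
    access the moment its role is withdrawn; no per-object list is edited."""
    p = RbacPolicy()
    p.grant("coalition-member", "ops-plan", "read")
    p.grant("coalition-member", "logistics-db", "read")
    p.grant("planner", "ops-plan", "write")
    p.assign("partner-liaison", "coalition-member")
    p.assign("staff-officer", "planner")
    p.assign("staff-officer", "coalition-member")

    results: Dict[str, object] = {
        "partner_reads_plan_before": p.check("partner-liaison", "ops-plan", "read"),
        "partner_writes_plan_before": p.check("partner-liaison", "ops-plan", "write"),
        "officer_writes_plan": p.check("staff-officer", "ops-plan", "write"),
        "unknown_user": p.check("nobody", "ops-plan", "read"),
    }
    # Political realignment: the partner is dropped from the coalition.
    p.revoke("partner-liaison", "coalition-member")
    results["partner_reads_plan_after"] = p.check("partner-liaison", "ops-plan", "read")
    results["audit_entries"] = len(p.audit)
    return results


if __name__ == "__main__":
    for k, v in coalition_scenario().items():
        print(f"{k}: {v}")
```

Note that withdrawing the partner's access required a single change to the user-role assignment rather than edits to every object the role could reach; the administrative burden the text describes comes from keeping that assignment current, and from the fact that `check` must consult the live assignment on every request rather than a cached copy.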