S.P.Kodituwakku / International Journal of Engineering Science and Technology Vol. 2(11), 2010, 6617-6621

DESIGN AND IMPLEMENTATION OF ROLE BASE ACCESS CONTROL SYSTEM FOR NETWORK RESOURCES

S.R. Kodituwakku
Department of Statistics & Computer Science
University of Peradeniya, Sri Lanka

Abstract

Role Based Access Control is very useful for providing a high-level description of access control for organizational applications. This paper proposes a role-based framework that deals with security problems in an intranet environment. The proposed framework protects intranet resources from unauthorized users; its salient feature is that it allows intranet users to access only authorized resources. It consists of two kinds of role hierarchies, a global role hierarchy and a local role hierarchy, and two levels of permissions, server permission and object permission. Together they simplify the structuring of authority and responsibility across the whole intranet and the allocation of privileges for different objects within a particular server. The proposed framework is implemented on the Windows platform and tested for validity. The test results indicate that it can successfully be used to control access to network objects.

1. Introduction

Nowadays most organizations use computer networks, in particular intranets, for sharing resources. In an organizational environment, users are not allowed to access each and every network object as they wish. For instance, access to file servers, web servers and printers may be allowed for some users only. Although networked operating systems provide access control mechanisms, it is difficult to use such facilities to reflect the organizational structure and its security policies. Role-based access control (RBAC) [1], [2], [3], [4], [5], [6], [7], [8], [9], [10] has recently received considerable attention as a promising solution to this problem.
In RBAC, permissions are associated with roles, and users are made members of appropriate roles, thereby acquiring the roles' permissions. This greatly simplifies the management of permissions. Roles are created for the various job functions in an organization, and users are assigned roles based on their responsibilities and qualifications. Users can easily be reassigned from one role to another. Roles can be granted new permissions as new applications and systems are incorporated, and permissions can be revoked from roles as needed. Role-role relationships such as role hierarchies can be established to lay out broad policy objectives.

This paper presents a theoretical framework, an extension of the framework proposed by Tari et al. [11], for overcoming the main security issues in an enterprise intranet, together with its implementation. Two kinds of role hierarchies, a global role hierarchy and a local role hierarchy, and two levels of permissions, server permission and object permission, are proposed. The two role hierarchies simplify the structuring of authority and responsibility within a particular intranet environment: the global role hierarchy deals with roles that are common to the whole intranet, while local role hierarchies deal with roles whose scope is limited to a single server and therefore varies from server to server. The two levels of permissions simplify the allocation of privileges for different objects within a particular server. Under the two levels of permissions, a user who needs to access an object on a particular server must satisfy the access privileges of both the server role and the object role.

2. Related Work

The framework proposed by Tari et al. [11] is based on the use of roles to specify both local and global permissions to network objects. In that framework, a global role contains a list of local roles, one for each server of the intranet, while each local role contains an access control list (ACL) consisting of a permission set applied to a list of accessible local network objects.
It uses a permission set containing six attributes: Supervisor, Write, Delete, Read, Create and Execute. In addition, it uses two kinds of databases: a local role database and a global role database. A local role database is designed to keep all the access privilege hierarchy information of global server objects within a specific intranet. There are six permission domain tables in each local role database, one for each type of attribute mentioned above. The global role database is designed to record all the accessible network objects from any server of the intranet. The global role database is replicated on each

ISSN: 0975-5462 6617
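The following is an added example, not code from the paper or from Tari et al., that models the two-level permission check from the Introduction (server permission and object permission must both hold) together with the six-attribute permission set and global/local role structure described in Related Work. The data model, the global role hierarchy via junior roles, and the sample policy are assumptions made for illustration.

```python
"""Two-level RBAC check modelled on the framework described on this page.
Hypothetical data model for illustration; not the paper's implementation."""
from dataclasses import dataclass, field

# The six permission attributes of the permission set (Tari et al.).
PERMISSIONS = frozenset({"Supervisor", "Write", "Delete", "Read", "Create", "Execute"})


@dataclass
class LocalRole:
    """A role scoped to one server: its server-level permission set and an
    ACL mapping each accessible object on that server to a permission set."""
    name: str
    server_perms: frozenset
    acl: dict = field(default_factory=dict)   # object name -> frozenset of perms


@dataclass
class GlobalRole:
    """An intranet-wide role: one local role per server, plus junior roles whose
    local roles it inherits (assumed semantics for the global role hierarchy)."""
    name: str
    local_roles: dict = field(default_factory=dict)   # server -> LocalRole
    juniors: list = field(default_factory=list)       # inherited GlobalRoles

    def effective_local_roles(self, server):
        """All local roles applicable on `server`, walking down the hierarchy."""
        found = [self.local_roles[server]] if server in self.local_roles else []
        for junior in self.juniors:
            found.extend(junior.effective_local_roles(server))
        return found


def check_access(user_roles, server, obj, perm):
    """Grant only if some effective local role holds `perm` at BOTH the server
    level and the object level; a miss at either level denies the request."""
    if perm not in PERMISSIONS:
        raise ValueError(f"unknown permission attribute: {perm}")
    for grole in user_roles:
        for lrole in grole.effective_local_roles(server):
            if perm in lrole.server_perms and perm in lrole.acl.get(obj, ()):
                return True
    return False


# Constructed sample policy (not taken from the paper).
staff_fs = LocalRole("staff@fileserver", frozenset({"Read"}),
                     {"/shared/handbook.pdf": frozenset({"Read"})})
admin_fs = LocalRole("admin@fileserver", frozenset({"Read", "Write", "Delete"}),
                     {"/shared/handbook.pdf": frozenset({"Read", "Write"}),
                      "/etc/policy.cfg": frozenset({"Read"})})
STAFF = GlobalRole("Staff", {"fileserver": staff_fs})
ADMIN = GlobalRole("Admin", {"fileserver": admin_fs}, juniors=[STAFF])
```

Note that Admin is denied Delete on the handbook even though its server-level permission set allows Delete, because the object-level ACL does not.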