Enforcing Information Flow Constraints in RBAC Environments

While role-based access control (RBAC) as an alternative to traditional discretionary and mandatory access controls is very effective and popular, subsequent attempts to apply it in various application environments also revealed some limitations of RBAC. We developed a new type of security policy, called label-based access control policy (LBACP) that can be used for enhancing RBAC. Unlike other access control policies, LBACP is not used independently. On the contrary, it should be combined with other access control policies. The basic principle is defining some labels that specify information flow constraints, and then assigning these labels to other access control policies or their components. The usage of the labeled policy components must conform to the information flow constraints defined by the labels in order to avoid being misused. Thus, some potential information leaks can be avoided. This paper investigates how the LBACP can be used to enhance RBAC.