Data flow security in Role-based access control

We show how data security concepts such as data flow, secrecy (or confidentiality) and integrity can be defined for RBAC, Role-Based Access Control. In contrast to the prevailing literature that uses a lattice model to express such concepts, we demonstrate the use of a partial order model that is more general. This is done by using the concepts of "partial order of equivalence classes" and of "security labels" that can be associated with RBAC subjects and objects and determine their mutual data flows, as well as their secrecy and integrity properties. Our model allows to reason on RBAC configurations with different assignments of roles to subjects. On the converse, we demonstrate a method for obtaining RBAC configurations from data security requirements or security label assignments. These results are supported by a proof showing that three methods for defining data flow: by access control matrices or lists, by labels and by roles, are equivalent and mutually convertible by efficient algorithms. We show how RBAC state changes, or "reconfigurations" can be defined in this framework, and what are the effects of elementary reconfigurations on data flow, secrecy and integrity of data.