An access control architecture for managing large-scale network applications

We describe an access control architecture that targets large-scale network management solutions and other systems where there are many securable objects arranged in a natural hierarchy and where user roles are primarily broken down along a parallel hierarchy. In contrast to typical hierarchical role-based access control (HRBAC) systems, this design is based on a non-hierarchical role model connecting user groups, operations, and objects and infers privilege inheritance from the object hierarchy. Furthermore, this design treats user groups and user administrative operations in the same way as application objects and operations, enabling administrative delegation to arbitrary granularity with the same implicit role inheritance. This enables key use cases for large organizations or application service providers by allowing a single application instance to be shared among multiple. noncoordinating users with fully delegated user management. We discuss the use of this design in a Lucent Worldwide Services (LWS) service offering. (C) 2004 Lucent Technologies Inc.