Skip to main content
Kent Academic Repository

How to securely break into RBAC: the BTG-RBAC model

Ferreira, Ana and Chadwick, David W. and Farinha, Pedro and Cruz-Correia, Ricardo and Zhao, Gansen and Chilro, Rui and Antunes, Luis (2009) How to securely break into RBAC: the BTG-RBAC model. In: 2009 Annual Computer Security Applications Conference. IEEE, pp. 23-31. ISBN 978-0-7695-3919-5. (doi:10.1109/ACSAC.2009.12) (KAR id:31989)


Access control models describe frameworks that dictate how subjects (e.g. users) access resources. In the Role-Based Access Control (RBAC) model access to resources is based on the role the user holds within the organization. Although flexible and easier to manage within large-scale authorization frameworks, RBAC is usually a static model where access control decisions have only two output options: Grant or Deny. Break The Glass (BTG) policies can be provided in order to break or override the access controls within an access control policy but in a controlled and justifiable manner. The main objective of this paper is to integrate BTG within the NIST/ANSI RBAC model in a transparent and secure way so that it can be adopted generically in any domain where unanticipated or emergency situations may occur. The new proposed model, called BTG-RBAC, provides a third decision option BTG. This allows break the glass policies to be implemented in any application without any major changes to either the application or the RBAC authorization infrastructure, apart from the decision engine. Finally, in order to validate the model, we discuss how the BTG-RBAC model is being introduced within a Portuguese healthcare institution where the legislation requires that genetic information must be accessed by a restricted group of healthcare professionals. These professionals, advised by the ethical committee, have required and asked for the implementation of the BTG concept in order to comply with the said legislation.

Item Type: Book section
DOI/Identification number: 10.1109/ACSAC.2009.12
Uncontrolled keywords: access control; glass; NIST; permission; engines; medical services; legislation; fires; computer security; application software
Subjects: Q Science > QA Mathematics (inc Computing science) > QA 76 Software, computer programming,
Divisions: Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing
Depositing User: David Chadwick
Date Deposited: 25 Oct 2012 14:42 UTC
Last Modified: 16 Nov 2021 10:09 UTC
Resource URI: (The current URI for this page, for reference purposes)

University of Kent Author Information

  • Depositors only (login required):

Total unique views for this document in KAR since July 2020. For more details click on the image.