Skip to main content

How to securely break into RBAC: the BTG-RBAC model

Ferreira, Ana and Chadwick, David W. and Farinha, Pedro and Cruz-Correia, Ricardo and Zhao, Gansen and Chilro, Rui and Antunes, Luis (2009) How to securely break into RBAC: the BTG-RBAC model. In: 2009 Annual Computer Security Applications Conference. IEEE, pp. 23-31. ISBN 978-0-7695-3919-5. (doi:10.1109/ACSAC.2009.12) (KAR id:31989)

PDF (Published paper) Publisher pdf
Language: English

Click to download this file (949kB)
[thumbnail of Published paper]
This file may not be suitable for users of assistive technology.
Request an accessible format
Official URL:


Access control models describe frameworks that dictate how subjects (e.g. users) access resources. In the Role-Based Access Control (RBAC) model access to resources is based on the role the user holds within the organization. Although flexible and easier to manage within large-scale authorization frameworks, RBAC is usually a static model where access control decisions have only two output options: Grant or Deny. Break The Glass (BTG) policies can be provided in order to break or override the access controls within an access control policy but in a controlled and justifiable manner. The main objective of this paper is to integrate BTG within the NIST/ANSI RBAC model in a transparent and secure way so that it can be adopted generically in any domain where unanticipated or emergency situations may occur. The new proposed model, called BTG-RBAC, provides a third decision option BTG. This allows break the glass policies to be implemented in any application without any major changes to either the application or the RBAC authorization infrastructure, apart from the decision engine. Finally, in order to validate the model, we discuss how the BTG-RBAC model is being introduced within a Portuguese healthcare institution where the legislation requires that genetic information must be accessed by a restricted group of healthcare professionals. These professionals, advised by the ethical committee, have required and asked for the implementation of the BTG concept in order to comply with the said legislation.

Item Type: Book section
DOI/Identification number: 10.1109/ACSAC.2009.12
Uncontrolled keywords: access control; glass; NIST; permission; engines; medical services; legislation; fires; computer security; application software
Subjects: Q Science > QA Mathematics (inc Computing science) > QA 76 Software, computer programming,
Divisions: Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing
Depositing User: David Chadwick
Date Deposited: 25 Oct 2012 14:42 UTC
Last Modified: 16 Nov 2021 10:09 UTC
Resource URI: (The current URI for this page, for reference purposes)
Chadwick, David W.:
  • Depositors only (login required):

Total unique views for this document in KAR since July 2020. For more details click on the image.