H-RBAC: A Hierarchical Access Control Model for SaaS Systems

Full Text (PDF, 204KB), PP.47-53



Dancheng Li 1,*, Cheng Liu 1, Binsheng Liu 1

1. Software College of Northeastern University, Shenyang, China

* Corresponding author.

DOI: https://doi.org/10.5815/ijmecs.2011.05.07

Received: 15 Jun. 2011 / Revised: 12 Jul. 2011 / Accepted: 26 Aug. 2011 / Published: 8 Oct. 2011

Index Terms

H-RBAC, access control, SaaS, RBAC, hierarchical model, multi-tenant


Abstract

SaaS is a new way to deploy software as a hosted service accessed over the Internet, which means that customers do not need to maintain the software code and data on their own servers. This makes it all the more important for SaaS systems to take security issues into account. Access control is a security mechanism that enables an authority to control access to certain restricted areas and resources according to the permissions assigned to a user. Several access control models have been proposed for single-instance systems. However, most of the existing models cannot address the following problems of SaaS systems: (1) role name conflicts, (2) cross-level management, (3) the isomerism of tenants' access control, and (4) temporal delegation constraints. This paper describes a hierarchical RBAC model called H-RBAC that solves all four of these problems. The model addresses SaaS access control at both the system level and the tenant level. It combines the advantages of the RBDM and ARBAC97 models and introduces temporal constraints into the SaaS access control model. In addition, the paper proposes a practical approach to implementing an access control module for SaaS systems based on the H-RBAC model.

Cite This Paper

Dancheng Li, Cheng Liu, Binsheng Liu, "H-RBAC: A Hierarchical Access Control Model for SaaS Systems", International Journal of Modern Education and Computer Science (IJMECS), vol.3, no.5, pp.47-53, 2011. DOI: 10.5815/ijmecs.2011.05.07

