The user authorization query (UAQ) problem determines whether there exists an optimum set of roles to be activated to provide a set of permissions requested by a user. It has been deemed as a key issue for efficiently handling user's access requests in role-based access control (RBAC). Unfortunately, the weight is a value attached to a permission/role representing its importance, should be introduced to UAQ, has been ignored. In this paper, we propose a comprehensive definition of the weighted UAQ (WUAQ) problem with the role-weighted-cardinality and permission-weighted-cardinality constraints. Moreover, we study the computational complexity of different subcases of WUAQ, and show that many instances in each subcase are intractable. In particular, inspired by the idea of the genetic algorithm, we propose an algorithm to approximate solve an intractable subcase of the WUAQ problem. An important observation is that this algorithm can be efficiently modified to handle the other subcases of the WUAQ problem. The experimental results show the advantage of the proposed algorithm, which is especially fit for the case that the computational overhead is even more important than the accuracy in a large-scale RBAC system.

Hierarchical multi-tenancy, which enables tenants to be divided into subtenants, is a flexible and scalable architecture for representing subsets of users and application resources in the real world. However, the resource isolation and sharing relations for tenants with hierarchies are more complicated than those between tenants in the flat Multi-Tenancy Architecture. In this paper, a hierarchical tenant-based access control model based on Administrative Role-Based Access Control in Software-as-a-Service is proposed. Autonomous Areas and AA-tree are used to describe the autonomy and hierarchy of tenants, including their isolation and sharing relationships. AA is also used as an autonomous unit to create and deploy the access permissions for tenants. Autonomous decentralized authorization and authentication schemes for hierarchical multi-tenancy are given out to help different level tenants to customize efficient authority and authorization in large-scale SaaS systems.

This paper presents properties of role-based access control which were obtained through a development of a prototype of a teaching management system. These properties are related to assignment of temporal constraints and access control procedure in terms of the corresponding flow of user's view and considered to be suitable to other information systems.

This paper proposes a model for access control within object-oriented systems. The model is based on RBAC (role-based access control) and is called DRBAC (dynamic RBAC). Although RBAC is powerful in access control, the original design of RBAC required that user-role assignments and role-permission assignments should be handled statically (i.e., the assignments should be handled by human beings). Nevertheless, the following dynamic features are necessary in access control within a software system: (a) managing dynamic role switching, (b) avoiding Trojan horses, (c) managing role associations, and (d) handling dynamic role creation and deletion. DRBAC offers the dynamic features. This paper proposes DRBAC.

In 1996, Chiu and Hsu proposed a multi-role-based access control (MRBAC) policy. Nevertheless, the Chiu-Hsu scheme can be further enforced by role list, union, and intersection (i. e. containment) to deal with the problems regarding the MRBAC and the object role with different security ranks. The author presents an improvement of the Chiu-Hsu scheme using more detailed list structure. This improvement offers some significant advantages.