Title :
Role Based Access Control in Enterprise Application - Security Administration and User Management
Author :
Bindiganavale, Vinith ; Ouyang, Jinsong
Author_Institution :
California State Univ., Sacramento, CA
Abstract :
One of the most challenging problems in managing large Web applications is the complexity of security administration and user-profile management. Role based access control (RBAC) has become the predominant model for advanced access control due to the reduced complexity and cost of administration. Under RBAC, security administration is greatly simplified by using roles, hierarchies and privileges, and user management is uncomplicated by using the LDAP API specification within the J2EE application. System administrators create roles according to the job functions performed in an organization, grant permissions to those roles, and then assign users to the roles on the basis of their specific job responsibilities and qualifications. In this paper we introduce RBAC in a typical J2EE enterprise application and present architectural details, along with security administration and user-profile management for RBAC. Netegrity SiteMinder provides the RBAC foundation, and the J2EE framework serves as the reference model for administration in the application. We then emphasize the design and implementation of a custom RBAC model, and the possibilities for optimizing this model.
Keywords :
Internet; Java; application program interfaces; authorisation; J2EE enterprise application; LDAP API specification; Netegrity SiteMinder; Web application; role based access control; security administration; user-profile management; Access control; Application software; Authentication; Computer security; Costs; Cryptography; Design optimization; Frequency; Permission; Qualifications;
Conference_Title :
Information Reuse and Integration, 2006 IEEE International Conference on
Conference_Location :
Waikoloa Village, HI
Print_ISBN :
0-7803-9788-6
DOI :
10.1109/IRI.2006.252397