The document presents H-RBAC, a hierarchical access control model designed for Software as a Service (SaaS) systems, addressing key security challenges such as role name conflicts, cross-level management, tenant access control, and temporal delegation constraints. It combines features of existing access control models like RBAC and ARBAC97, enhancing the management of permissions and roles within multi-tenant environments. The proposed model aims to improve security and efficiency in SaaS applications by providing a structured approach to access control at both system and tenant levels.
I.J. Modern Education and Computer Science, 2011, 5, 47-53
Published Online August 2011 in MECS (http://www.mecs-press.org/)

H-RBAC: A Hierarchical Access Control Model for SaaS Systems

Dancheng Li
Software College of Northeastern University, Shenyang, China
Email: [email protected]

Cheng Liu and Binsheng Liu


Software College of Northeastern University, Shenyang, China
Email: {lectery, lbs.neu}@gmail.com

Abstract—SaaS is a new way to deploy software as a hosted service accessed over the Internet, which means that customers don't need to maintain the software code and data on their own servers. This makes it all the more important for SaaS systems to take security issues into account. Access control is a security mechanism that enables an authority to control access to certain restricted areas and resources according to the permissions assigned to a user. Several access models have been proposed to realize the access control of single-instance systems. However, most of the existing models cannot address the following SaaS system problems: (1) role name conflicts, (2) cross-level management, (3) the isomerism of tenants' access control, (4) temporal delegation constraints. This paper describes a hierarchical RBAC model called H-RBAC that solves all four of the SaaS system problems mentioned above. This model addresses SaaS system access control at both the system level and the tenant level. It combines the advantages of the RBDM and ARBAC97 models and introduces temporal constraints to the SaaS access control model. In addition, a practical approach to implementing the access control module for SaaS systems based on the H-RBAC model is also proposed in this paper.

Index Terms—H-RBAC, access control, SaaS, RBAC, hierarchical model, multi-tenant

I. INTRODUCTION

SaaS is a new way to deploy software as a hosted service accessed over the Internet [1], by which users can rent web-based software from service providers to manage business activities instead of purchasing and maintaining software themselves. At the same time, this new method brings new challenges to data security, consistency and integrity in SaaS systems. To assure users of the safety of important or confidential data, permission management and access control are particularly important in the process of SaaS system development.

Access control, as an important part of security services, is an essential measure to ensure the security of an information system [2]. It is a defensive method to prevent unauthorized resource use and to make sure the system is used safely. Access control determines what the user can do and what types of resources can be used; it can effectively prevent the invasion of illegal users and unauthorized access to system resources by legal users. The three most widely recognized access control models are Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role Based Access Control (RBAC) [3]. MAC and RBAC are both non-discretionary. DAC is very flexible, but its security is not strong and its authorization management is complex. MAC is a more stringent access control method, but it is inflexible and not suitable for large-scale applications because it is complex to carry out [4]. RBAC is an access control strategy that sits between DAC and MAC; it has a strong ability to represent the semantic meaning of the relationship between users [5]. It is able not only to express "responsibility" in complex social organizations, but also to reduce the complexity of access control management. It has now been widely accepted as an alternative to traditional discretionary and mandatory access controls [6, 7].

II. RELATED RESEARCHES

RBAC is an enabling technology for managing and enforcing security in large-scale and enterprise-wide systems. It was first proposed by David Ferraiolo and Rick Kuhn in 1992 [8]. The RBAC model introduces the "role" concept between "user" and "permission": every user is related to one or more roles, each role is related to one or more permissions, and roles can be created or deleted as needed. After that, Professor Ravi Sandhu of George Mason University and his colleagues put forward the most famous RBAC96 model; they added the role hierarchy and assignment constraints to the RBAC model. The RBAC96 model can be divided into four conceptual models: RBAC0, RBAC1, RBAC2 and RBAC3 [9]. RBAC0 is the base model, which consists of users (U), roles (R), permissions (P), and sessions (S). RBAC0 supports the least-privilege principle. A user belonging to several roles can invoke any subset of them that enables tasks to be accomplished in a session. Thus, a user who is a member of a powerful role can normally keep this role deactivated and explicitly activate it when needed. RBAC1 introduces role hierarchies (RH) to the base RBAC model. Role hierarchies are invariably discussed along with roles in the literature [10] and they are

Copyright © 2011 MECS I.J. Modern Education and Computer Science, 2011, 5, 47-53

commonly implemented in systems that provide roles. RBAC2 is unchanged from RBAC0 except for requiring that there be constraints to determine the acceptability of various components of RBAC0. Only acceptable values will be permitted. RBAC3 combines both RBAC1 and RBAC2 and provides role hierarchies and constraints [9].

But in modern large enterprise-wide systems, there may be a large number of roles and many users. The relationships among the roles, permissions and users change continuously, so the earlier centralized RBAC models have several drawbacks for access control in this situation. In 1997, Sandhu and Bhamidipati proposed the ARBAC97 model, which consists of URA97 (User-Role Assignment '97), PRA97 (Permission-Role Assignment '97), and RRA97 (Role-Role Assignment '97). It is based on the idea of using RBAC to manage RBAC itself and thereby provide administrative convenience and scalability, especially in decentralizing administrative authority, responsibility, and chores [11]. After that, they extended the ARBAC97 model to ARBAC99, where they separate users/permissions into mobile and immobile users/permissions [12], and later to ARBAC02, where they use an organization structure to define user-role assignment and role-permission assignment [13]. ARBAC02 contains the main features of ARBAC97 and adds the concept of "organization" to improve many imperfect aspects of ARBAC97.

In RBAC, permissions are associated with roles, and roles are assigned to users. As roles and permissions grow in number, we need to reassign some roles from one user to another, in the short term or the long term, to make sure business activities are performed normally. Permissions can also be revoked from roles as needed. Previously, all role delegation actions were performed through the administrator's temporary user-role configuration. But as the business develops, the number of roles in a company increases all the time. If we use the old method to carry out delegation, the system administrator will face such a heavy burden that some of the delegations will not be accomplished in time, and this will directly affect the efficiency of enterprises. So we need a mechanism to realize user-role reassignments in enterprise systems. Based on this idea, Barka and Sandhu proposed the RBDM0 model [14], which introduced "delegation" to the traditional RBAC model. In RBDM0, a user has the ability to authorize the assigned roles to another user to help him perform the work. But the RBDM0 model is so simple that it is hard to use directly in real enterprise applications. In 2005, they improved the previous model and put forward the RBDM1 model [15]. In RBDM1, hierarchical roles were added to the basic model, as happened in RBAC1. This change makes the model more practical in actual application environments. But there are still many problems that the RBDM models did not take into account, such as temporal constraints on role delegation, multistep delegation and the revocation mechanism for delegated roles. In 2000, Longhua Zhang's team proposed the RDM2000 model based on the basic RBDM models. This model solves the problems of hierarchical delegation and multistep delegation effectively. But RDM2000 still does not bring temporal constraints to the access control model.

Researchers and vendors have proposed many enhancements of RBAC models in the past decades. Chen Nanping and his colleagues proposed an RBAC model with WWW extensions; they added a role proxy layer between users and roles to implement dynamic role assignment and to improve the efficiency of network transmission [16]. Xia Luning and his team proposed N-RBAC, a hierarchical namespace-based RBAC model. They used namespaces to organize roles and resources in order to simplify the role hierarchy structure [17]. Ma Lilin and Li Hong did some research on admission control, operation control and data access control of SaaS systems, but they did not research access control in depth and did not provide a feasible implementation of an access control module [18].

The features of multi-tenancy, configurability and security make SaaS systems very different from traditional systems. If we apply existing access control models to SaaS systems directly, the following problems will appear:

A. Role Name Conflicts

In SaaS applications, there are always a large number of tenants using the system services at the same time. Each tenant usually needs a very large number of roles, which means that there are many nodes in the role hierarchy structure. However, these nodes cannot have duplicate names, so we have to take measures to modify role names to avoid naming conflicts, such as adding a prefix to the role names. In this way, role inheritance becomes more complex, and the role names become longer.

B. Cross-level Management

According to the rules of ARBAC97, the system administrators inherit the permissions of all the administrators beneath them in the different tenants. This means that system administrators can make changes within each tenant's permission scope and can ignore the "can_assign" constraint in URA97. But in fact, a tenant is usually an independent company or a department of a big business, which means that each tenant must be an autonomous unit. The tenant's resources, such as permissions, roles and users, must be managed by the tenant's own system administrator instead of the SaaS system administrator, who is usually a staff member of the SaaS service provider.

C. The Isomerism of Tenants' Access Control

A SaaS system is a multi-tenant online rental system. Although in theory the tenants should belong to the same field, from a practical point of view each tenant's development is uneven, and thus there are many differences in access control among the various tenants. The differences are mainly as follows:

1) The Different Control Scope of Permissions


Since tenants of different sizes have distinct access control needs, the control scopes of permissions are not the same among all the tenants. Some tenants would like to restrict all the resources, while some only want access control on certain permissions. Some tenants do not even need the access control mechanism, which means that all the members of the tenant can access all the functions and data. All of the above exist objectively in the real world.

2) The Heterogeneous Relations of Roles

Since departments and jobs differ between tenants, the roles and role-permission relations in different tenants are different. If the traditional RBAC model is used in SaaS systems, all roles will be defined in the global scope and will be visible to every tenant. This not only brings naming conflicts but also makes it inconvenient to manage the roles within a tenant.

3) The Heterogeneous Constraints of Permission Assignments

Each tenant in a SaaS system is a highly autonomous entity, so the constraints on role assignments differ between tenants. If we define the constraints on role assignments in the global scope, assignment constraint conflicts will arise, which may bring confusion to the management of role relationships.

D. Temporal Role Delegations

Sandhu has formally defined the role-based delegation model, based on the hierarchical relationship between the roles involved, to realize role delegation between users. According to actual enterprise needs, the access control model should include constraints or rules for role delegation and revocation. These limitations may include whether to allow the original user to revoke the permissions from the delegated user directly, or to get the roles back after the authorized user has finished using them. If we allow direct revocation, the forced operation may cause system data loss or data consistency problems, because some functions may be in an operating state when the revocation is performed. In addition, the time constraint is also an indispensable part of a role delegation model. After a user delegates some roles to another user, the original user should also define the valid period of the permissions to prevent abuse of authority.

Temporal-constraint-based delegation in SaaS systems includes two levels: the system level and the tenant level. The system-level time constraints are the constraints that SaaS service providers define to limit the valid period of SaaS services according to how much the tenants pay for them, such as the system expiry time constraints. The tenant-level time constraints are the limitations that the tenant system administrator formulates to assign available permissions to system users reasonably after the tenant gets authorization to use the SaaS services, and further to ensure system security. However, none of the existing models meets all the requirements of temporal role delegation in SaaS systems.

In SaaS systems, although the services of each tenant belong to different instances of the system, all these services are deployed at one time. Taking into account that this article is focused on level-3 SaaS systems, the purpose when designing the access control model is very clear: all the users' and tenants' information must be stored in the same database server, so there are high demands on the clarity of the access control model. In addition, taking upgrade and maintenance into account, the access control model that the systems use should have some scalability. The models mentioned above are all unable to fully meet the three conditions that a SaaS system access control model must satisfy.

Therefore, this article proposes a hierarchical access control model named H-RBAC for SaaS systems after summarizing the advantages and disadvantages of the existing access control models. This model solves the access control problems from both the system and the tenant perspective.

III. H-RBAC MODEL

This paper proposes an RBAC model based on a hierarchy structure that defines the management scope from both the system and the tenant point of view. In a SaaS system, each tenant has its own users with features distinct from those of others, so each tenant should have its own access control policy and administrative scope. Therefore, SaaS systems need to provide not only access control for tenants but also access control for the users within every tenant. On the system level, the target objects that the access control model addresses are the tenants, not the individual users. So, from the whole-system perspective, access control in SaaS systems should contain several sub-access controls: system access control includes tenant access control, and tenant access control is based on system access control.

Above all, we propose the H-RBAC model, which improves the tenant-based RBAC model; the static model is shown in Fig. 1. Furthermore, this paper realizes access control in SaaS systems from two aspects: tenant-level access control and system-level access control. The tenant-level access control uses the organization-based access control model, and the system-level access control uses the administrative role-based access control model based on ARBAC97, which provides the mechanism to distinguish administrative roles from general roles. In addition, we take role delegation into account, so the H-RBAC model combines the advantages of the ARBAC97 model and RBDM, and we also make several improvements based on them.

A. H-RBAC Basic Structure

The hierarchical structure of the H-RBAC model can be seen clearly in Fig. 1. The top-level elements all belong to the SaaS system provider. These elements are used to implement tenant authorization. The bottom elements belong to each tenant and are used to realize access control within a tenant. The H-RBAC model contains the following elements:

• System User: represents all the individuals that use the SaaS system directly, such as the system administrators in SaaS service provider companies and the clients (tenants) that rent the system services from the service provider.


Figure 1. H-RBAC model.

• TTC: Tenant Time Constraint. It represents all the time-related rules that SaaS system providers define and apply to the tenants, such as the tenant authorization activation time constraints, the tenant authorization valid time period constraints and so on.
• User: all the individuals that use the system services directly, including both persons and other entities, such as personal computers, agents, networks etc.
• Role: a job function within the organization that describes the authority and responsibility conferred on a user assigned to the role.
• Permission: a description of the operation types of authorized interactions a subject can have with one or more objects.
• RE: short for resource, anything used or consumed while performing a function in the system. The resources can be divided into several categories, such as time, information, objects, and processors etc.
• Role Hierarchy: a partial order relationship established among roles.
• User Group: a set of users that are in the same department in the tenant company or have similar duties. In the system, the user group can be regarded as an access control unit. A major difference between groups and roles is that groups are typically treated as a collection of users but not as a collection of permissions. A role, serving as an intermediary, is both a collection of users and a collection of permissions.
• URTC: User-Role Time Constraint. The limitations used to define the valid activation time of the assigned roles and the time period during which the roles are available to a user.
• URDC: User-Role Dynamic Constraint. It is a kind of dynamic separation-of-duties constraint, which is used to avoid assigning too many permissions to one user. The URDC acts only on the permissions activated in the current session, to ensure that the exclusive roles defined in the URDC are not assigned to one user. It is established when a user logs in to the system, and when the user logs out, the constraints become invalid.
• General Permission: a description of the type of authorized interactions a subject can have with an object in the system. The permissions include the resources and operations. The resources include all resource entities that the system functions need, such as data tables, properties etc. The operations contain all the actions of accessing the system resources, such as database queries, updates, deletions, modifications and so on.
• AURC: Administrative User-Role Constraint. It defines the rules that apply to user-role assignments. Since in an actual SaaS service provider company there must be a large number of administrative tasks to be performed, the top-level administrator may divide the tasks among many other administrators. Each administrator can only use the permissions that are assigned to him. The AURC ensures that an administrator does not have rights that have not been assigned and that one administrator does not get exclusive permissions.
• APRC: Administrative Permission-Role Constraint. It is used to separate duties, to ensure that different roles own different permissions.
• General Role: in SaaS systems, it represents the release suites that the service provider offers for rent, such as the standard edition, advanced edition, starter edition etc.
• Admin Permission: expresses the permission to operate on the model itself, such as adding a new role, deleting a user etc.
• Admin Role: corresponds to the jobs in the system whose responsibility is managing the access control model itself. The permissions to modify the sets of users, roles and permissions and to modify the user assignment or permission assignment relations are all included in the administrative jobs.
• GPRC: General Permission-Role Constraint. In real life, certain functions cannot be assigned to the same role. This is the separation of duties, which aims to divide different skills and different interests among different kinds of people in order to prevent or reduce the chance of fraud and cut down the loss caused by mistakes. General Permission-Role Constraints define rules that prevent a role from holding exclusive permissions.
• GURC: General User-Role Constraint. It defines the authorization rules between roles and users.
• Admin Constraint: "admin" means the management of the access control model, including user-role assignment management, permission-role assignment management etc. It ensures the separation of exclusive administrative duties.
• Tenant: the client of SaaS systems; tenants pay SaaS service providers on demand. Each tenant requires the SaaS system to ensure a high degree of isolation of data and configuration to ensure security and privacy, and also requires customization of the user interface, business logic, data structures etc. In practice, each tenant takes the form of an enterprise, so each tenant can have many users.
• Session: a session is a mapping from a user to multiple roles. A session is established when the user activates some or all authorized roles. What the user can do is limited to the task set activated during this session.
• URC: User-Role Constraint. It defines the authorization rules between users and roles in a tenant, to avoid assigning exclusive roles to the same user.
• PRC: Permission-Role Constraint. It defines the assignment rules between permissions and roles within a tenant, to avoid authorizing exclusive permissions to the same role.
• UGRTC: User Group-Role Time Constraint. It is the limitations or rules of user group-role assignment. That


defines the available time or period during which the roles act on a user group.

The concepts not mentioned above are exactly the same as the corresponding ones in the classical ARBAC97 model. As mentioned above, the differences between the H-RBAC model and the ARBAC97 model are as follows. The user resources are not defined in the global scope but in the different tenant namespaces; in this way, we can effectively solve the role naming conflict problem. Meanwhile, within a tenant, the administrator can define and distribute all the roles and permissions on demand, which solves the problem of inconsistent permission needs among different tenants. In the H-RBAC model, each tenant is an autonomous entity. Therefore inheritance exists between different roles, and the implementation of inheritance is similar to that in ARBAC97. In ARBAC97, the inheritance of roles for administrators aims to facilitate the distributed management of permissions; in H-RBAC, however, distributed management is implemented by way of tenant autonomy, and the permissions in one tenant will not spread to other tenants. So at the system permission management level of H-RBAC, the system administrators neither inherit the permissions of tenant administrators nor are allowed to interfere with the permission assignments within the tenant scope. That means the tenants are regarded as a "black box" at the system level, and the permissions in a tenant are managed by the tenant administrator.

B. Time Constraints in H-RBAC

In the actual environment the time constraints mainly include two aspects: the delegation starting time constraints and the delegation duration constraints.

The basic delegation model consists of three parts: (S, O, R). S means the subject user who initiates the delegation action. O means the object user who is to accept the delegated role. R means the role delegated in this action.

Whether a role is valid at some time is related to the state of the role. In the H-RBAC model, we define that every role has three states based on its usage condition. The three states are assigned, activated and disabled, as shown in Fig. 2.

Figure 2. Role state transition.

We define two levels of time constraints in SaaS system delegation: the system-level constraints and the tenant-level constraints.

The target objects of the system-level time constraints are the tenants. These constraints focus on controlling the duration for which the system is available. If a company wants to use SaaS services, it must pay some money to the SaaS system provider to get a fixed duration of service availability, so the SaaS system must provide a mechanism to stop the services being used once they have expired. This mechanism can be implemented by the system-level time constraints in H-RBAC. Before time constraints are introduced, the tenant authorization in a SaaS system has the form (t, r), where t represents a tenant and r the role assigned to the tenant. In H-RBAC, we add the valid time duration to it, so the form of temporal tenant authorization is (t, r, d). Here d is a time interval [ts, te], in which ts is the time at which the authorization takes effect and te is the time at which the authorization expires. The new delegation expression means that the role r is assigned to tenant t and that the delegation relation is valid only during the time period d. If the current time is past te, the SaaS system will withdraw the assigned role r from t.

After a role is assigned to a user, the user can use the assigned rights to perform some business functions. But in practice the user may need help from others, and this help always relates to some confidential data or functions. So we define the tenant-level time constraints to put some limits on the delegations. These constraints concentrate on providing temporal limitations for all the users and user groups in the tenant scope. According to actual needs, we divide the tenant-level time constraints into three types:

1) Activation time constraint

It defines the time period in which roles may validly be activated, which means that the assigned roles should only be activated in a specified duration. For example, in some companies the staff can only use the system during working hours, or some particular functions can only be activated in a specified time period.

2) Available duration constraint

This constraint specifies that certain assigned roles of a user can only be activated for a fixed duration each time. Its goal is to protect important or confidential operations from being embezzled because of an overly long activation.

3) Available times constraint

The available times constraint contains both the available duration constraint and a limit on the number of uses. It ensures that certain roles can only be activated a fixed number of times during the specified duration.

IV. ACCESS CONTROL MODULE ARCHITECTURE

This paper applies the H-RBAC model to the access control module of a SaaS-based community health services system, which provides some basic functions for small or medium-sized community health organizations, including registration management, medical record management, outpatient clinic, pharmacy management etc. The system follows the SaaS pattern and provides its services in a single-instance, multi-tenant structure. Since the system involves a number of business units, complex role assignments, many kinds of constraints and a wide range of other factors, we use the H-RBAC model to achieve role management, role allocation, dynamic constraint access control, dynamic permission distribution and other access control functions. The concrete realization of the access control module is shown in Fig. 3.
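As an added illustration that is not part of the paper, the following Python code evaluates the system-level temporal authorization (t, r, d) and the three tenant-level time constraints of Section III.B on each role activation, with role names scoped by tenant. The class names, the state transitions (the paper gives them only in Fig. 2) and the sample tenant, user and dates are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from enum import Enum
from typing import Optional, Tuple


class RoleState(Enum):  # the three role states named in Section III.B
    ASSIGNED = "assigned"
    ACTIVATED = "activated"
    DISABLED = "disabled"


@dataclass(frozen=True)
class TenantAuthorization:
    """System-level temporal tenant authorization (t, r, d), d = [ts, te]."""
    tenant: str   # t
    role: str     # r: the edition rented by the tenant
    ts: datetime  # start of the authorization
    te: datetime  # expiry of the authorization


@dataclass(frozen=True)
class TimeConstraint:
    """Tenant-level constraints; a field left as None is not enforced."""
    window: Optional[Tuple[time, time]] = None          # 1) activation time
    max_duration: Optional[timedelta] = None            # 2) available duration
    max_uses: Optional[int] = None                      # 3) available times...
    period: Optional[Tuple[datetime, datetime]] = None  # ...within this period


class RoleAssignment:
    """One user-role assignment inside a tenant's namespace."""

    def __init__(self, auth, user, role, constraint):
        self.auth = auth
        self.user = user
        # Tenant-scoped role name: two tenants may both define "pharmacist".
        self.role = (auth.tenant, role)
        self.constraint = constraint
        self.state = RoleState.ASSIGNED
        self.activated_at = None
        self.uses = 0

    def _in_window(self, now):
        w = self.constraint.window
        return w is None or w[0] <= now.time() <= w[1]

    def _refresh(self, now):
        """Apply time-driven transitions before any decision is made."""
        if now > self.auth.te:
            # Past te the system withdraws role r from tenant t.
            self.state = RoleState.DISABLED
        elif self.state is RoleState.ACTIVATED:
            limit = self.constraint.max_duration
            timed_out = limit is not None and now - self.activated_at > limit
            if timed_out or not self._in_window(now):
                self.state = RoleState.ASSIGNED  # assumed: back to assigned

    def is_active(self, now):
        self._refresh(now)
        return self.state is RoleState.ACTIVATED

    def activate(self, now):
        """Try to activate the role; returns (granted, reason)."""
        self._refresh(now)
        c = self.constraint
        if self.state is RoleState.DISABLED:
            return False, "role disabled"
        if now < self.auth.ts:
            return False, "tenant authorization not yet in effect"
        if self.state is RoleState.ACTIVATED:
            return True, "already active"
        if not self._in_window(now):
            return False, "outside activation window"
        if c.period and not (c.period[0] <= now <= c.period[1]):
            return False, "outside usage period"
        if c.max_uses is not None and self.uses >= c.max_uses:
            self.state = RoleState.DISABLED  # assumed: exhausted means disabled
            return False, "activation count exhausted"
        self.state = RoleState.ACTIVATED
        self.activated_at = now
        self.uses += 1
        return True, "activated"


def demo():
    """Constructed scenario: one clinic tenant, one time-limited role."""
    auth = TenantAuthorization("clinic-a", "standard-edition",
                               datetime(2011, 1, 1), datetime(2011, 12, 31))
    rule = TimeConstraint(window=(time(8), time(18)),
                          max_duration=timedelta(minutes=30), max_uses=2,
                          period=(datetime(2011, 8, 1), datetime(2011, 8, 31)))
    a = RoleAssignment(auth, "alice", "pharmacist", rule)
    return [a.activate(datetime(2011, 8, 15, h, m))
            for h, m in [(7, 30), (9, 0), (10, 0), (11, 0)]]


if __name__ == "__main__":
    print(demo())
```

Every decision first re-evaluates the clock-driven transitions, so an activation that has outlived its duration or its tenant's authorization is dropped even if the user never logs out.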
The access control module is composed of the
following components: ACS (Access Control Server),
AFS (Access Filter Server), UDCS (User Dynamic
Constraints Server), PMC (Permission Management
Center), AUC (Authentication Center) etc. Following are
the detailed description of each section.
A. Authentication Center
The authentication center is a function to authenticate
each user that attempts to access to the system services.
Only the users passed the authentication can send further
requests to the system.
Figure 3. The structure of the access control module

B. Access Filter Server
The Access Filter Server is equivalent to a control switch: it filters
access requests by using the filter configuration and the capability list
generated by the ACS. If a user has the specific permission, the AFS
forwards the request to the application server; if not, the AFS intercepts
the request and returns a failure message.

C. Access Control Server
The Access Control Server forwards the requests to the tenant-level access
control module. It implements the Access(S,O,OP) function, which
determines whether session S has the operation OP on the object O. It uses
the capability list (CL) as the control method and attaches the CL to the
current session as an attribute.

D. User Dynamic Constraints Server
In the process of generating the capability list, the access control
module must ensure that the capability set does not include exclusive
abilities. However, the exclusive relationships are defined in the
role-user and the role-permission constraints. The UDCS generates the set
of permissions that cannot be assigned to the specific user, based on the
user information submitted by the ACS and the related constraints.

E. Temporal Constraints Server
The TCS (Temporal Constraints Server) handles all the operations related
to time constraints. The TCS gets the role set or permission set after the
UDCS has processed it. Then it gets the related time constraints from the
Access Control Database according to the identification included in the
previous step's result. The TCS performs time validation for every role to
be assigned to the user. It ensures that expired roles or permissions will
not be authorized to any user.

F. System Management Server
The SMS (System Management Server) provides an entrance to SaaS system
management for the top-level system administrators. These administrators
usually belong to the SaaS service providers and are responsible for all
the top-level system management work, such as tenant authorization, system
parameter settings and system function management.

G. Delegation Server
The DS (Delegation Server) is used to handle all the role delegation
requests in the system. According to the user's assignment, the DS
transforms the input from the UI page into formal expressions that can be
easily stored and queried in the database.

H. Permission Management Center
The Permission Management Center provides the permission management
operations for system administrators, including system-level management
and tenant-level management. The system-level management provides
functions from the view of system administrators: it provides management
operations based on tenants, such as tenant management, service suite
management and system permission management. The tenant-level management
provides the management functions within a tenant; it involves user
management, permission management, constraint management, etc.

The client initiates an authentication request to the access control
module, and the module sends the user information to the Authentication
Center. After authentication succeeds, the center returns the successful
authentication access control mask, the user dynamic constraint code and
other information, and saves them to the session related to this user. The
Access Filter Server encapsulates the user's information and the
authentication result into another data structure and sends it to the
Access Control Server, which generates the permission constraints
according to the request parameters; the ACS then generates the capability
list of this user based on the constraints and the user's role
information. Finally, the AFS validates the business requests according to
the capability list and forwards the valid requests to the application
server.

V. CONCLUSION AND FUTURE WORK
This paper proposed a hierarchical access control model for SaaS systems
named H-RBAC, and presented a practical implementation of an access
control module for SaaS systems based on the H-RBAC model. First we
introduced the basic concepts of SaaS and access control methods.
Following a review of related research on RBAC-based access control, this
paper analyzed the advantages and disadvantages of existing RBAC models.
Then we proposed the H-RBAC model, which solves the access control problem
in SaaS systems. Finally, we put forward a practical way of implementing
the access control module for SaaS systems. Practice shows that access
control based on the H-RBAC model is practical and has several advantages:
(1) flexible structure, conducive to hierarchical responsibility segments
and authority management; (2) self-government within tenants, without
overemphasizing multi-level role hierarchies; (3) intuitive permission
assignments, easy to understand and use for SaaS system developers; (4)
good scalability, supporting the heterogeneous access control needs of
different tenants.

However, the method proposed in this paper has some imperfections, so more
in-depth research is needed in the future. For example, system security
and data consistency should be taken into account when designing models,
because while role revocation is proceeding we must guarantee that the
services remain available and are not interrupted. Another direction is
improving the efficiency of access control. Since permission-related
operations are performed frequently in SaaS systems, we can provide an
optimization method based on the H-RBAC model to ensure system efficiency.

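The request path that Section IV describes (the UDCS excluding conflicting permissions, the TCS dropping expired roles, the ACS attaching the capability list to the session, and the AFS enforcing Access(S,O,OP)) is shown here in Python. This is an added example, not code from the paper; the roles, permissions, validity windows, function names and the directional form of the exclusion constraint are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample policy for one tenant; every name here is hypothetical.
ROLE_PERMS = {
    "clerk": {("invoice", "read"), ("invoice", "create")},
    "auditor": {("invoice", "read"), ("invoice", "approve")},
}
ROLE_VALIDITY = {  # role -> (not_before, not_after), the TCS time constraints
    "clerk": (datetime(2011, 1, 1), datetime(2011, 12, 31)),
    "auditor": (datetime(2011, 1, 1), datetime(2011, 6, 30)),
}
# Assumed constraint form: holding the first permission excludes the second.
EXCLUSIVE = [(("invoice", "create"), ("invoice", "approve"))]

@dataclass
class Session:
    user: str
    authenticated: bool = False
    capabilities: frozenset = frozenset()  # the capability list (CL)

def udcs_denied(roles):
    """UDCS step: permissions that must not be assigned to this user."""
    held = set().union(*(ROLE_PERMS.get(r, set()) for r in roles))
    return {b for a, b in EXCLUSIVE if a in held and b in held}

def tcs_valid_roles(roles, now):
    """TCS step: keep only roles whose validity window contains `now`."""
    return [r for r in roles
            if r in ROLE_VALIDITY
            and ROLE_VALIDITY[r][0] <= now <= ROLE_VALIDITY[r][1]]

def acs_build_session(user, roles, now):
    """ACS step: build the capability list and attach it to the session."""
    denied = udcs_denied(roles)
    granted = set()
    for role in tcs_valid_roles(roles, now):
        granted |= ROLE_PERMS.get(role, set())
    return Session(user, True, frozenset(granted - denied))

def access(session, obj, op):
    """Access(S, O, OP): does session S hold operation OP on object O?"""
    return session.authenticated and (obj, op) in session.capabilities

def afs_filter(session, obj, op):
    """AFS step: forward permitted requests, intercept everything else."""
    return "forward" if access(session, obj, op) else "reject"
```

Unknown roles and unauthenticated sessions yield an empty capability list, so the filter rejects by default.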
ACKNOWLEDGMENT
This work was supported by the Natural Science Foundation of Liaoning
Province (No. 20092006).

Dancheng Li was born in Shenyang, Liaoning province in 1963, and earned an
M.S. degree in the field of computer software in 1990 from Shenyang
Institute of Computing Technology, Chinese Academy of Sciences. She is now
an associate professor and postgraduate supervisor in the Software College
of Northeastern University, China (NEU). Before joining NEU, she was an
associate research fellow in Shenyang Institute of Automation, Chinese
Academy of Sciences for about 3 years. Her main research directions
include IT service management and information system engineering.

Cheng Liu, born in Shenyang, Liaoning province in 1988, earned a B.S.
degree in the field of software engineering in 2010 from Northeastern
University, China. He is now a postgraduate student majoring in computer
software and theory at Northeastern University, China.

Binsheng Liu was born in China in 1987. He received the bachelor's degree
in software engineering from Northeastern University, China in 2010. He is
currently a postgraduate student at Northeastern University, China.
