Internal/Rbac/RbacResources: ferraiolo-kuhn-92.ps

%!PS-Adobe-2.0
%%Creator: dvips 5.47 Copyright 1986-91 Radical Eye Software
%%Title: paper.dvi
%%Pages: 11 1
%%BoundingBox: 0 0 612 792
%%EndComments
%%BeginProcSet: texc.pro
/TeXDict 200 dict def TeXDict begin /N /def load def /B{bind def}N /S /exch
load def /X{S N}B /TR /translate load N /isls false N /vsize 10 N /@rigin{
isls{[0 1 -1 0 0 0]concat}if 72 Resolution div 72 VResolution div neg scale
Resolution VResolution vsize neg mul TR matrix currentmatrix dup dup 4 get
round 4 exch put dup dup 5 get round 5 exch put setmatrix}N /@letter{/vsize 10
N}B /@landscape{/isls true N /vsize -1 N}B /@a4{/vsize 10.6929133858 N}B /@a3{
/vsize 15.5531 N}B /@ledger{/vsize 16 N}B /@legal{/vsize 13 N}B /@manualfeed{
statusdict /manualfeed true put}B /@copies{/#copies X}B /FMat[1 0 0 -1 0 0]N
/FBB[0 0 0 0]N /nn 0 N /IE 0 N /ctr 0 N /df-tail{/nn 8 dict N nn begin
/FontType 3 N /FontMatrix fntrx N /FontBBox FBB N string /base X array
/BitMaps X /BuildChar{CharBuilder}N /Encoding IE N end dup{/foo setfont}2
array copy cvx N load 0 nn put /ctr 0 N[}B /df{/sf 1 N /fntrx FMat N df-tail}
B /dfs{div /sf X /fntrx[sf 0 0 sf neg 0 0]N df-tail}B /E{pop nn dup definefont
setfont}B /ch-width{ch-data dup length 5 sub get}B /ch-height{ch-data dup
length 4 sub get}B /ch-xoff{128 ch-data dup length 3 sub get sub}B /ch-yoff{
ch-data dup length 2 sub get 127 sub}B /ch-dx{ch-data dup length 1 sub get}B
/ch-image{ch-data dup type /stringtype ne{ctr get /ctr ctr 1 add N}if}B /id 0
N /rw 0 N /rc 0 N /gp 0 N /cp 0 N /G 0 N /sf 0 N /CharBuilder{save 3 1 roll S
dup /base get 2 index get S /BitMaps get S get /ch-data X pop /ctr 0 N ch-dx 0
ch-xoff ch-yoff ch-height sub ch-xoff ch-width add ch-yoff setcachedevice
ch-width ch-height true[1 0 0 -1 -.1 ch-xoff sub ch-yoff .1 add]/id ch-image N
/rw ch-width 7 add 8 idiv string N /rc 0 N /gp 0 N /cp 0 N{rc 0 ne{rc 1 sub
/rc X rw}{G}ifelse}imagemask restore}B /G{{id gp get /gp gp 1 add N dup 18 mod
S 18 idiv pl S get exec}loop}B /adv{cp add /cp X}B /chg{rw cp id gp 4 index
getinterval putinterval dup gp add /gp X adv}B /nd{/cp 0 N rw exit}B /lsh{rw
cp 2 copy get dup 0 eq{pop 1}{dup 255 eq{pop 254}{dup dup add 255 and S 1 and
or}ifelse}ifelse put 1 adv}B /rsh{rw cp 2 copy get dup 0 eq{pop 128}{dup 255
eq{pop 127}{dup 2 idiv S 128 and or}ifelse}ifelse put 1 adv}B /clr{rw cp 2
index string putinterval adv}B /set{rw cp fillstr 0 4 index getinterval
putinterval adv}B /fillstr 18 string 0 1 17{2 copy 255 put pop}for N /pl[{adv
1 chg}bind{adv 1 chg nd}bind{1 add chg}bind{1 add chg nd}bind{adv lsh}bind{
adv lsh nd}bind{adv rsh}bind{adv rsh nd}bind{1 add adv}bind{/rc X nd}bind{1
add set}bind{1 add clr}bind{adv 2 chg}bind{adv 2 chg nd}bind{pop nd}bind]N /D{
/cc X dup type /stringtype ne{]}if nn /base get cc ctr put nn /BitMaps get S
ctr S sf 1 ne{dup dup length 1 sub dup 2 index S get sf div put}if put /ctr
ctr 1 add N}B /I{cc 1 add D}B /bop{userdict /bop-hook known{bop-hook}if /SI
save N @rigin 0 0 moveto}N /eop{clear SI restore showpage userdict /eop-hook
known{eop-hook}if}N /@start{userdict /start-hook known{start-hook}if
/VResolution X /Resolution X 1000 div /DVImag X /IE 256 array N 0 1 255{IE S 1
string dup 0 3 index put cvn put}for}N /p /show load N /RMat[1 0 0 -1 0 0]N
/BDot 260 string N /rulex 0 N /ruley 0 N /v{/ruley X /rulex X V}B /V
statusdict begin /product where{pop product dup length 7 ge{0 7 getinterval
(Display)eq}{pop false}ifelse}{false}ifelse end{{gsave TR -.1 -.1 TR 1 1 scale
rulex ruley false RMat{BDot}imagemask grestore}}{{gsave TR -.1 -.1 TR rulex
ruley scale 1 1 false RMat{BDot}imagemask grestore}}ifelse B /a{moveto}B
/delta 0 N /tail{dup /delta X 0 rmoveto}B /M{S p delta add tail}B /b{S p tail}
B /c{-4 M}B /d{-3 M}B /e{-2 M}B /f{-1 M}B /g{0 M}B /h{1 M}B /i{2 M}B /j{3 M}B
/k{4 M}B /w{0 rmoveto}B /l{p -4 w}B /m{p -3 w}B /n{p -2 w}B /o{p -1 w}B /q{p 1
w}B /r{p 2 w}B /s{p 3 w}B /t{p 4 w}B /x{0 S rmoveto}B /y{3 2 roll p a}B /bos{
/SS save N}B /eos{clear SS restore}B end
%%EndProcSet
%%BeginProcSet: special.pro
TeXDict begin /SDict 200 dict N SDict begin /@SpecialDefaults{/hs 612 N /vs
792 N /ho 0 N /vo 0 N /hsc 1 N /vsc 1 N /ang 0 N /CLIP false N /BBcalc false N
/p 3 def}B /@scaleunit 100 N /@hscale{@scaleunit div /hsc X}B /@vscale{
@scaleunit div /vsc X}B /@hsize{/hs X /CLIP true N}B /@vsize{/vs X /CLIP true
N}B /@hoffset{/ho X}B /@voffset{/vo X}B /@angle{/ang X}B /@rwi{10 div /rwi X}
B /@llx{/llx X}B /@lly{/lly X}B /@urx{/urx X}B /@ury{/ury X /BBcalc true N}B
/magscale true def end /@MacSetUp{userdict /md known{userdict /md get type
/dicttype eq{md begin /letter{}N /note{}N /legal{}N /od{txpose 1 0 mtx
defaultmatrix dtransform S atan/pa X newpath clippath mark{transform{
itransform moveto}}{transform{itransform lineto}}{6 -2 roll transform 6 -2
roll transform 6 -2 roll transform{itransform 6 2 roll itransform 6 2 roll
itransform 6 2 roll curveto}}{{closepath}}pathforall newpath counttomark array
astore /gc xdf pop ct 39 0 put 10 fz 0 fs 2 F/|______Courier fnt invertflag{
PaintBlack}if}N /txpose{pxs pys scale ppr aload pop por{noflips{pop S neg S TR
pop 1 -1 scale}if xflip yflip and{pop S neg S TR 180 rotate 1 -1 scale ppr 3
get ppr 1 get neg sub neg ppr 2 get ppr 0 get neg sub neg TR}if xflip yflip
not and{pop S neg S TR pop 180 rotate ppr 3 get ppr 1 get neg sub neg 0 TR}if
yflip xflip not and{ppr 1 get neg ppr 0 get neg TR}if}{noflips{TR pop pop 270
rotate 1 -1 scale}if xflip yflip and{TR pop pop 90 rotate 1 -1 scale ppr 3 get
ppr 1 get neg sub neg ppr 2 get ppr 0 get neg sub neg TR}if xflip yflip not
and{TR pop pop 90 rotate ppr 3 get ppr 1 get neg sub neg 0 TR}if yflip xflip
not and{TR pop pop 270 rotate ppr 2 get ppr 0 get neg sub neg 0 S TR}if}
ifelse scaleby96{ppr aload pop 4 -1 roll add 2 div 3 1 roll add 2 div 2 copy
TR .96 dup scale neg S neg S TR}if}N /cp{pop pop showpage pm restore}N end}if}
if}N /normalscale{Resolution 72 div VResolution 72 div neg scale magscale{
DVImag dup scale}if}N /psfts{S 65536 div N}N /startTexFig{/psf$SavedState save
N userdict maxlength dict begin /magscale false def normalscale currentpoint
TR /psf$ury psfts /psf$urx psfts /psf$lly psfts /psf$llx psfts /psf$y psfts
/psf$x psfts currentpoint /psf$cy X /psf$cx X /psf$sx psf$x psf$urx psf$llx
sub div N /psf$sy psf$y psf$ury psf$lly sub div N psf$sx psf$sy scale psf$cx
psf$sx div psf$llx sub psf$cy psf$sy div psf$ury sub TR /showpage{}N
/erasepage{}N /copypage{}N /p 3 def @MacSetUp}N /doclip{psf$llx psf$lly
psf$urx psf$ury currentpoint 6 2 roll newpath 4 copy 4 2 roll moveto 6 -1 roll
S lineto S lineto S lineto closepath clip newpath moveto}N /endTexFig{end
psf$SavedState restore}N /@beginspecial{SDict begin /SpecialSave save N gsave
normalscale currentpoint TR @SpecialDefaults}N /@setspecial{CLIP{newpath 0 0
moveto hs 0 rlineto 0 vs rlineto hs neg 0 rlineto closepath clip}if ho vo TR
hsc vsc scale ang rotate BBcalc{rwi urx llx sub div dup scale llx neg lly neg
TR}if /showpage{}N /erasepage{}N /copypage{}N newpath}N /@endspecial{grestore
clear SpecialSave restore end}N /@defspecial{SDict begin}N /@fedspecial{end}B
/li{lineto}B /rl{rlineto}B /rc{rcurveto}B /np{/SaveX currentpoint /SaveY X N 1
setlinecap newpath}N /st{stroke SaveX SaveY moveto}N /fil{fill SaveX SaveY
moveto}N /ellipse{/endangle X /startangle X /yrad X /xrad X /savematrix matrix
currentmatrix N TR xrad yrad scale 0 0 1 startangle endangle arc savematrix
setmatrix}N end
%%EndProcSet
TeXDict begin 1000 300 300 @start /Fa 8 104 df<90381FFFFC90B5FCD803F0C7FCEA07
80000EC8FC5A5A12301270126012E05AA77E12601270123012387E7E6C7EEA03F0C6B512FC131F
90C8FCA8007FB512FCA21E277C9F27>18 D<156015701530153881150C150E81B712C082C91278
163EEE0F80EE03E0EE0F80EE1E0016785EB712C05EC80007C7FC150E5DA25D1530157015602B1C
7D9932>41 D<EB3FFF90B5FC3803E000EA0780000EC7FC5A5A123012701260A212E05AA2B6FCA2
00C0C7FCA27E1260A21270123012387E7E6C7EEA03F0C6B5FC131F181E7C9A21>50
D<1403A214071406140E140C141C1418143814301470146014E014C013011480130314005B1306
130E130C131C1318A2133813301370136013E05B12015B120390C7FC5A1206120E120C121C1218
123812301270126012E05AA2183079A300>54 D<00C01430A26C147000601460007014E0003014
C0A20038130100181480A2001C1303000C1400000E5B3807FFFEA2EB000E6C130CA2EB801C0001
1318EBC03800001330A2EBE070EB6060EB70E0EB30C0A21339EB1980A2131F6DC7FCA21306A21C
2480A21D>56 D<1303A2EA01FBEA07FFEA0F0F381C0780A238380FC0130D007813E0EA700C131C
131800F013F0A213381330A313701360A213E013C0A312F11380007113E0A21273EA7B01003B13
C0A2381F0380EA1E07380F0F00EA07FEEA0FF8000CC7FCA3142A7EA519>59
D<EB0FC0133FEBFE0013F8485A5BAF1203485A485AB4C7FC12FCB4FCEA0F806C7E6C7E1201AF7F
6C7E13FEEB3FC0130F12317DA419>102 D<12FCB4FCEA1FC012076C7E1201AF7F6C7E137CEB3F
C0130F133FEB7C005B485A5BAF1203485A121FB4C7FC12FC12317DA419>I
E /Fb 18 121 df<127012F812FCA2127C120CA3121C1218A21238127012E0A2060F7C840E>59
D<EC01C0A21403A21407140FA2141B811431A2146114C1A2EB0181A2EB030113071306010C7FA2
EB1800EB3FFFA2EB6000A25BA2485A48C7FC5A81121F3AFFC00FFF80A221237EA225>65
D<90387FFFE090B512FC903807803E150F010F1480EC0007A349130F131EA2ED1F00013E131E01
3C5B5D4A5A90387FFFC092C7FC9038780F80EC03C013F8EBF001811403120113E0A21407120301
C0EBC0C015E0000714E13A7FFC03E38000FF903801FF00C85A22237EA125>82
D<001FB512FEA2903801E03E003C140EEA3803003013C00070140C1260EAE007148012C0A2D800
0F130091C7FCA35B131EA3133E133CA3137C1378A313F85BA21201387FFFC0B5FC1F227EA11D>
84 D<EBFCE0EA03FEEA07CFEA0F07381E03C0A2123C127C00781380A2130712F800F01300140C
130F1418EA701EEB3E383878FF30383FE7F0380F83E016157E941A>97 D<EA07C0123F5B1207A3
90C7FCA35A120EA3121EEA1CFCEA1FFE138FEA3F07003E1380123C123812781270A2130F00F013
0012E0A2131EA25BEA7078EA78F0EA3FE0EA1F8011237DA215>I<137F3801FFC0EA03E1EA0F83
1303121E48C7FCA25AA312F85AA314C0EA7801EB0380383C1F00EA1FFEEA07F012157E9415>I<
13FEEA03FF380F8380EA1F01123C127CEA780338F81F00EAFFFE13F000F0C7FCA25AA3EB0180EA
F00338700700EA7C3EEA3FFCEA0FE011157D9417>101 D<13381378A31300A9EA0F80EA1FC0EA
3DE0123012701261EAE1C012011203138012071300A2EA0F0CEA0E1C1318121EEA1C38EA1E70EA
0FE0EA07C00E2280A111>105 D<14E01301A390C7FCA9133E137FEBE780EA01C3EA03831303EA
070712001400A25BA2130EA2131EA2131CA2133CA21338A21378A2137013F0EA70E012F1EAF3C0
B45A007EC7FC132C81A114>I<EA03E0121F13C01203A31380A21207A21300A25AA2120EA2121E
A2121CA2123CA21238A21278A21270EA718012F112F3EAE300A212F7127E123E0B237DA20F>
108 D<381F03F8383F8FFC383BDE3C3871F81E3861F00E13E000E3131E3803C01CA21380000713
3C14381300EC786048EB70E015C0000E13F014E1001EEBF380EC7F00001C133E1B1580941D>
110 D<137F3801FF803803C3C0380F81E0381F00F0121E5AA25AA2130100F813E012F0130314C0
13070070138038781F00EA3C3EEA1FF8EA0FE014157E9417>I<381F07E0383F9FF0383BFC70EA
71F83861F0F013E038E3C0E0000313005BA21207A290C7FCA25AA2120EA2121EA2121C14158094
16>114 D<137E3801FF80EA03C3EA07871307A2EB0300138013F813FE6C7EC67EEB0F80130712
7000F01300A2485AEAF03EEA7FF8EA1FE011157E9417>I<136013E0A4120113C0A31203EAFFFC
A2EA038012071300A35A120EA3121E121C130C131CEA3C18EA38381370EA3CF0EA1FE0EA0F800E
1F7F9E12>I<380F800EEA1FC0383DE01E12300070131C126138E1C03C12010003133813801478
1207EB007015C014F0ECF180EB01E1EB03E3903887F3003803FE7F3801F83E1A1580941C>I<38
03E1F0380FF3FC381C3F1CEA383E38701C3C126038E03C38000013001338A213781370A2140C38
70F01C00F01318EBE03838F1F07038E3F8F0387F3FC0383E1F8016157E941C>120
D E /Fc 78 123 df<90381FC3F090387FEFF89038F0FE783801C0FC380380F800071400EB0070
A8B612C0A23907007000B1397FE3FF80A21D2380A21C>11 D<EB0FE0EB7FF0EBF878EA01E0EA03
C0EA0780EB003091C7FCA7B512F8A2380700781438B0397FE1FF80A2192380A21B>I<EB0FF813
7FEBF878EA01E0EA03C0380780381300A8B512F8A238070038B1397FF3FF80A2192380A21B>I<
90390FE03F8090397FF9FFC09039F83BE1E03901E03F81D803C013013807803E9039003C00C002
1C1300A7B712E0A23907001C011500B03A7FF1FFCFFEA2272380A229>I<EA7038EAF87CEAFC7E
A2EA7C3EEA0C06A3EA1C0EEA180CA2EA381CEA7038EAE070A20F0F7EA218>34
D<127012F812FCA2127C120CA3121C1218A21238127012E0A2060F7CA20E>39
D<137013E0EA01C0A2EA0380EA0700120EA25AA25AA35AA4126012E0AE12601270A47EA37EA27E
A27EEA0380EA01C0A2EA00E013700C327DA413>I<12E012707EA27E7E7EA2EA0380A2EA01C0A3
EA00E0A413601370AE136013E0A4EA01C0A3EA0380A2EA0700A2120E5A5AA25A5A0C327DA413>
I<127012F812FCA2127C120CA3121C1218A21238127012E0A2060F7C840E>44
D<EAFFE0A30B037F8B10>I<127012F8A3127005057C840E>I<EB0180A213031400A25B1306A213
0E130CA2131C1318A313381330A213701360A213E05BA212015BA2120390C7FCA25A1206A2120E
120CA3121C1218A212381230A212701260A212E05AA211317DA418>I<EA01F0EA07FCEA0E0E48
7E38380380A2007813C0EA7001A300F013E0AE007013C0A3EA780300381380A2381C0700EA0E0E
EA07FCEA01F013227EA018>I<EA01801203120F12FF12F31203B3A8EAFFFEA20F217CA018>I<EA
03F8EA0FFEEA3C3F38380F80387007C0126038E003E012F8A21301A2EA7003120014C01307A2EB
0F801400131E5B5B5B5B485A485A38070060120E5A4813E04813C0B5FCA313217EA018>I<EA03
F8EA0FFEEA1E1F38380F80387007C01278127C1278A21200A21480130FEB1F00133EEA03FC5BEA
001E7FEB078014C0EB03E0A2127012F8A438E007C0127038780F80383E1F00EA0FFEEA03F81322
7EA018>I<130EA2131EA2133EA2136E13EE13CE1201138EEA030E12071206120E120C1218A212
301270126012E0B512F8A238000E00A73801FFF0A215217FA018>I<38180180EA1E07EA1FFF14
0013FC13F00018C7FCA6EA19F8EA1FFE130F381E0780381C03C01218EA000114E0A4127012F0A3
38E003C0A238700780EA380F383E1F00EA0FFCEA07F013227EA018>I<137E3801FF803803C3C0
EA0703120E121E123C0038C7FC1278A3EA7020EAF3FCEAF7FF38FE0F80EAFC0738F803C0A2EB01
E012F0A51270A2127814C0EA3803003C1380EA1E07380F1F00EA07FEEA03F813227EA018>I<12
601270387FFFE0A3386001C000E01380EAC003EB07001306EA000E130C131C5B13301370A25BA3
1201A25BA31203AA13237DA118>I<EA03F8EA0FFEEA1F1F383C0780EA3803007013C01301A312
78EA7C03383E0780383F8700EA1FDEEA0FFC6C5A13FE487E381E3F80383C1FC0EA7807387003E0
EAF00112E01300A37E387001C0EA7803383C0780381E0F00EA0FFEEA03F813227EA018>I<EA03
F8EA0FFCEA1F1EEA3C0700381380EA7803007013C012F01301A214E0A513031278A2EA3C07EA3E
0FEA1FFDEA07F9EA0081EB01C01303A21480EA780714005B131E137CEA3FF8EA0FE013227EA018
>I<127012F8A312701200AB127012F8A3127005157C940E>I<127012F8A312701200AB127012F8
A312781218A4123812301270A212E012C0051F7C940E>I<B612FEA2C9FCA8B612FEA21F0C7D91
26>61 D<497E497EA3497EA3497E130CA2EB1CF8EB1878A2EB383C1330A2497EA3497EA348B512
80A2EB800739030003C0A30006EB01E0A3000EEB00F0001F130139FFC00FFFA220237EA225>65
D<B512F814FE3907800F80EC07C0EC03E0140115F0A515E01403EC07C0EC0F8090B512005C9038
801F80EC07C0EC03E0EC01F0140015F8A6EC01F0140315E0EC0FC0B6120014FC1D227EA123>I<
90380FF030EB7FFC9038FC1E703803F0073907C003F0380F8001EA1F001400123E003C1470127C
A215305AA21500A71530127CA36C147015606C14E015C0380F80013907C003803903F007003800
FC1EEB7FFCEB0FF01C247DA223>I<B512F014FE3807801FEC07C01403EC01E0EC00F015F81578
157C153CA3153EA9153CA2157C1578A215F0EC01E01403EC07C0EC1F00B512FE14F81F227EA125
>I<B612C0A23807800F14031401140015E0A215601460A3150014E0138113FFA2138113801460
A21518A214001530A4157015F01401EC07E0B6FCA21D227EA121>I<B612C0A23807800F140314
01140015E0A21560A21460A21500A214E0138113FFA2138113801460A491C7FCA8EAFFFEA21B22
7EA120>I<90380FF018EB3FFC9038FC0F383903F003B83907C001F8380F800090C7FC48147812
3E15385AA215185AA21500A6EC1FFFA2007CEB0078A37EA27E6C7E7F6C6C13F83803F0013900FE
079890383FFF1890380FF80020247DA226>I<39FFFC3FFFA239078001E0AD90B5FCA2EB8001AF
39FFFC3FFFA220227EA125>I<EAFFFCA2EA0780B3ACEAFFFCA20E227EA112>I<3803FFF0A23800
0F00B3A612F8A35BEAF01EEA703EEA787CEA3FF8EA0FE014237EA119>I<39FFFC07FFA2390780
03F8EC01E04A5A4A5A92C7FC140E5C5C5C5CEB81C013831387EB8FE0EB9DF013BDEBF8F8EBF078
EBE07C497EEB801E141F6E7EA26E7E6E7EA26E7EA215FC3AFFFC07FF80A221227EA126>I<EAFF
FEA2EA0780B3EC0180A41403A215005CA25C143FB6FCA219227EA11E>I<D8FFC0EB03FF6D5B00
0715E0A2D806F0130DA301781319A36D1331A36D1361A36D13C1A29038078181A3903803C301A3
EB01E6A3EB00FCA31478EA1F80D8FFF0EB3FFF143028227EA12D>I<39FF800FFF13C03907E001
F8EC00607F12067F137C133C133E131E131FEB0F80130714C0130314E0EB01F0130014F8147CA2
143E141E141FEC0FE0A214071403A21401EA1F8038FFF000156020227EA125>I<EB0FE0EB7FFC
EBF83E3903E00F8039078003C0390F0001E0A2001EEB00F0003E14F8003C1478007C147CA20078
143CA200F8143EA9007C147CA3003C1478003E14F8001E14F06CEB01E0EB80033907C007C03903
E00F803900F83E00EB7FFCEB0FE01F247DA226>I<B512F014FC3807803FEC0F801407EC03C0A2
15E0A515C0A2EC0780140FEC3F00EBFFFC14F00180C7FCADEAFFFCA21B227EA121>I<EB0FE0EB
7FFCEBF83E3903E00F803907C007C0390F8003E0EB0001001EEB00F0003E14F8003C1478007C14
7CA20078143CA200F8143EA90078143C007C147CA2003C1478393E07C0F8391E0FE0F0390F1C71
E0EB98330007EB1BC03903F81F803900FC3E0090387FFC02EB0FECEB000CEC0E06A2EC0F1EEC07
FCA3EC03F8EC01F01F2D7DA226>I<B512E014F83807803E140F6E7E816E7EA64A5A5D4AC7FC14
3EEBFFF85CEB80F8143C80A280A381A4ED818015C1EC07C3D8FFFCEBE7006EB4FCC85A21237EA1
24>I<3807F060EA0FFE381E1FE0EA3807EA70031301EAE000A21460A27E14007E127C127FEA3F
F0EA1FFE380FFF80000313C0EA007FEB07E0130114F01300A200C01370A37E14F06C13E0EAF801
00FC13C038FF078038C7FF00EAC1FC14247DA21B>I<007FB512F8A2387C078000701438006014
18A200E0141C00C0140CA500001400B3A20003B5FCA21E227EA123>I<39FFFC0FFFA239078001
F8EC0060B3A515E06C6C13C01401D801E0138014033900F80700EB7C1EEB1FFCEB07F020237EA1
25>I<D8FFF0EBFFC0A2D80F80EB3E00151C00071418A26C6C5BA36C6C5BA26D13E000005CA2EB
F80101785BA26D48C7FCA3EB1E06A2EB1F0EEB0F0CA2149CEB0798A2EB03F0A36D5AA36D5A2223
7FA125>I<3BFFF03FFC07FEA23B1F8007C001F8260F0003EB00E0A2D807806D13C0A33B03C007
F001801406A216032701E00C781300A33A00F0183C06A3903978383E0CEC301EA2161C90393C60
0F18A390391EC007B0A3010F14E0EC8003A36D486C5AA32F237FA132>I<387FFFFEA2EB003E00
7C137C0070137814F838E001F0A238C003E014C01307EB0F801200EB1F00131E133E5BA25B5B00
011303EA03E0A2EA07C01380000F1307EA1F001406003E130E003C131E007C133E4813FEB5FCA2
18227DA11E>90 D<12FEA212C0B3B3A912FEA207317BA40E>I<EA1C0EA2EA381CEA7038EA6030
A2EAE070EAC060A3EAF87CEAFC7EA2EA7C3EEA381C0F0F7AA218>I<12FEA21206B3B3A912FEA2
07317FA40E>I<EA1FF0EA3FFCEA3C3E130FA2C67EA25BEA03FF121FEA3F07127C12F8A200F013
18A2130FEAF81F387C3FB8383FF3F0381FC3C015157E9418>97 D<120E12FEA2121E120EAAEB3F
C0EBFFE0380FE1F0EB8078EB003C120E141EA8143CA2000F137CEB80F8EBE1F0380CFFE0EB3F80
17237FA21B>I<EA03FE380FFF80EA1F07123E123C48C7FCA25AA7127814C0EA3C01003E1380EA
1F87380FFF00EA03FC12157E9416>I<14E0130FA213011300AAEA03F8EA0FFEEA1F0FEA3E03EA
7C01EA7800A25AA71270EA7801A2EA3C03381F0FF0380FFEFEEA03F017237EA21B>I<EA01FCEA
07FF381F0F80383E03C0EA3C01007813E0A2B5FCA200F0C7FCA5127814606C13E0383E01C0EA0F
833807FF00EA01FC13157F9416>I<133E13FFEA01EFEA03CF138FEA0700A9EAFFF8A2EA0700B1
EA7FF8A2102380A20F>I<14F03803FBF83807FFB8380F1F38381E0F00383C0780A7381E0F00EA
1F1E13FCEA1BF80018C7FCA2121CEA1FFF6C13C0003F13F0EA7C013870007812F0481338A36C13
78007813F0383F07E0381FFFC03803FE0015217F9518>I<120E12FEA2121E120EAAEB3F80EBFF
E0EA0FE1EB80F0EB0070A2120EAD38FFE7FFA218237FA21B>I<121E123EA3121EC7FCA8120E12
FEA2121E120EAFEAFFC0A20A227FA10E>I<EA01C0EA03E0A3EA01C0C7FCA8EA01E0120FA21201
1200B3A412F113C012F3EAFF80EA3E000B2C82A10F>I<120E12FEA2121E120EAAEB0FFCA2EB07
E014801400131E5B5B13F8EA0FFCA2131EEA0E0F14801307EB03C014E0130114F038FFE3FEA217
237FA21A>I<120E12FEA2121E120EB3ABEAFFE0A20B237FA20E>I<390E3FC0FF26FEFFF313C039
FFE0F7833A1F807E01E0390F003C00A2000E1338AD3AFFE3FF8FFEA227157F942A>I<380E3F80
38FEFFE0EAFFE1381F80F0380F0070A2120EAD38FFE7FFA218157F941B>I<EA01FCEA07FF380F
0780381C01C0383800E0007813F00070137000F01378A700701370007813F0003813E0381C01C0
380F07803807FF00EA01FC15157F9418>I<380E3FC038FEFFE038FFE1F0380F80F8EB007C000E
133C143E141EA6143E143CA2000F137CEB80F8EBE1F0380EFFE0EB3F8090C7FCA8EAFFE0A2171F
7F941B>I<3803F860EA0FFEEA1F0F383E03E0EA7C011278130012F85AA612781301EA7C03EA3E
07EA1F0FEA0FFCEA03F0C7FCA8EB0FFEA2171F7E941A>I<EA0E7EEAFEFFEAFFEFEA1F8FEA0F0F
1300A2120EACEAFFF0A210157F9413>I<EA1FD8EA3FF8EA7878EAF038EAE018A212F0EAF800EA
7F8013E0EA1FF0EA03F8EA007CEAC03C131C12E0A2EAF03CEAF878EAFFF0EACFE00E157E9413>
I<1206A5120EA3121E123EEAFFF8A2EA0E00AA130CA5EA0F1CEA073813F8EA03E00E1F7F9E13>
I<000E137038FE07F0A2EA1E00000E1370AB14F0A21301380787F8EBFF7FEA01FC18157F941B>
I<38FFC3FEA2381E00F8000E137014E06C13C0A338038180A213C300011300A2EA00E6A3137CA3
1338A217157F941A>I<39FF8FF9FFA2391E01E07C391C03C038000EEBE030A2EB06600007EB70
60A2130E39038C30C01438139C3901D81980141DA2EBF00F00001400A2497EEB600620157F9423
>I<387FC1FFA2380781F8000313E03801C1C014803800E3001377133E133C131C133E13771367
EBC3803801C1C0380380E0000713F0001F13F838FFC1FFA2181580941A>I<38FFC3FEA2381E00
F8000E137014E06C13C0A338038180A213C300011300A2EA00E6A3137CA31338A21330A2137013
60A2EAF0C012F1EAF380007FC7FC123E171F7F941A>I<383FFFC0A2383C0780EA380F00301300
EA701EEA603C5B13F8C65A485A3803C0C012071380EA0F00EA1E01003C1380EA7C03EA7807B5FC
A212157F9416>I E /Fd 37 122 df<EB01E01303130F137FEA1FFFB5FCA213BFEAE03F1200B3
AF007FB512F0A41C2E7AAD29>49 D<EB3FF00003B5FC4814C0001F14E0D83F8113F0397E003FF8
007FEB1FFC39FF800FFEEBC00715FF80A3EA7F80EA3F00C7FCA2EC07FEA2EC0FFC15F8141F15F0
EC3FE0EC7FC0ECFF005C495AEB03F0495A90380FC00FEB1F80EB3E0049131F49131E485AD803C0
133E48B512FE5A5A5A5AB612FCA4202E7CAD29>I<EB1FFC90387FFF8048B512E03903F83FF039
07C00FF8D80FE07F381FF00701F87FA5EA0FF0D807E05B3801800FC75BA24A5A4A5AECFFC0011F
90C7FC5CECFFC09038001FF0EC0FFC6E7E6E7E16808016C0120EEA3F80EA7FC0EAFFE0A316805C
A26C4848130001805B393FE01FFC6CB55A00075C0001148026003FFCC7FC222E7DAD29>I<15F8
1401A214031407140F141F143FA2147F14F71301EB03E714C7EB0787EB0F07131E133E137C1378
13F0EA01E01203EA07C01380EA0F00121E5A127C5AB712F0A4C7380FF800A8010FB512F0A4242E
7EAD29>I<000E1438390FE003F890B5FC15F015E015C01580150014FC14F0148090C8FCA7EB1F
F890B5FC15C09038F03FF09038800FF8EB0007000E14FCC7EA03FEA315FFA2123EEA7F8012FF13
C0A3018013FE1407D87F0013FC007C130F003FEB1FF8391FE07FF06CB512E06C14800001EBFE00
38007FF0202E7CAD29>I<ECFFC0010713F0011F7F90387FE0FC9038FF003E484813FED803F87F
00075BEA0FF0121F13E0003F6D5AA2007F91C7FC5BA2142039FFC3FF8001C713E001CF13F89038
DC07FC9038F801FE01F07F80491480A216C05BA4127FA4123F6D1480121F4A1300EA0FF06D485A
3907FE0FFC6CB55AC614E0013F5BD90FFEC7FC222E7DAD29>I<123C123F90B612C0A448158016
005DA25D397C0001F80078495A4A5A00F85C48495A141F4AC7FCC7127E5C5C13015C13031307A2
495AA3131FA25C133FA4137FAA6D5A6DC8FC22307BAF29>I<EB0FFC90387FFF8090B512E03901
F80FF03903E003F848486C7E380F800081001F147EA27F7F7F01FC13FE01FF5B14816CEBE3F8EC
FFF06C5C6C148081C614F0810003804880D80FE37FD81FC01480383F803F387F000F007E6D13C0
00FE130148EB007F153F151F150FA26C1580A2007F141F6DEB3F006C6C137E391FF803FC6CB55A
6C5C000114C026001FFEC7FC222E7DAD29>I<157CA215FEA34A7EA24A7FA24A7FA34A7F157F02
1F7FEC1E3FA2023E7FEC3C1F027C7FEC780FA202F87FECF0070101804A7EA20103814A7E010781
4A7EA249B67EA24981A2011EC7123F4981161F017C810178140FA2496E7EA2000182B5D8C001B5
12FEA437317DB03E>65 D<B712F816FF17E083C6903980003FF8EE0FFC707E8382188082A55E18
00A24C5A4C5A4C5AEEFFE091B6128094C7FC17E0913980001FF8EE07FE707E701380A27013C0A2
18E0A718C05E18805E040F1300EE3FFEB85A17F017C04CC7FC33317EB03B>I<913A07FF800380
027FEBF8070103B5EAFE0F010FECFF9F499038803FFF90397FFC0007D9FFE07F484913004890C8
127F4848153F120F4848151F49150F123F5B1707127FA24992C7FC12FFAB127F7FEF0780123FA2
7F001F160F6D16006C6C5D0007161E6C6C153E6C01C05C6C01F0495AD97FFCEB07F0903A1FFF80
3FE06D90B55A010392C7FCD9007F13FC020713C031317BB03C>I<B712F016FF17C017F0C69039
C0007FFCEE0FFEEE03FF7013807013C0EF7FE0173F18F0171F18F8A2EF0FFCA418FEAB18FCA418
F8171FA2EF3FF018E0177FEFFFC04C13804C1300EE0FFEEE7FFCB812F05F94C7FC16F037317EB0
3F>I<B812F0A4C69038C0007FEE0FF816031601A216001778A4923807803CA41700150F151F15
3F91B5FCA4ECC03F151F150F1507A592C8FCABB612F0A42E317EB034>70
D<B612C0A4C6EBC000B3B3A5B612C0A41A317EB01F>73 D<B612F0A4C601C0C8FCB3A717F0A416
0117E0A21603A31607160F161F163F16FF030313C0B8FCA42C317EB032>76
D<B712E016FEEEFF8017E0C6D9C00013F0EE3FF8EE1FFC160F17FE160717FFA717FEA2160F17FC
EE1FF8EE3FF0EEFFE091B612C0170016F802C0C8FCB2B612C0A430317EB038>80
D<B712C016FCEEFF8017E0C6D9C0007FEE3FF8EE0FFC707E838284A695C7FCA24C5AA24C5AEE3F
F8923801FFE091B6128004FCC8FC829139C007FF8003017F6F7F707E163F83161FA483A4F001E0
17FEA21803EE0FFFB6D8C007EB87C070EBFF8004001400EF1FFC3B317EB03E>82
D<90393FF8038048B512074814CF000F14FF381FF00FEBC00148487E48C7123F007E141FA200FE
140FA215077E7F6D90C7FC7F13FE387FFFE014FF6C14E0816C14FC6C806C807EC61580011F14C0
1300140F020013E0157F153F151F12F0150FA37E16C06C141F6C15806C143F01C0EB7F009038FC
01FE90B55A00F95CD8F07F13E0D8E007138023317BB02E>I<B6D8C003B512C0A4C601C0C73803
C000B3AD1707A26D6C5D170FA26D6C4AC7FC6D6C5C6D6C147E6D6C495A903A03FFC01FF86D90B5
5A6D6C14C0020F91C8FC020013F03A317EB03F>85 D<EBFFFC0007EBFF804814E0391FE03FF090
38F00FF86E7E14036E7EEA0FE0A2EA0100C7FCA2EB01FF133F3801FFF93807FE01EA1FF8EA3FE0
EA7FC0138012FF1300A3EB800314076C6C487E263FF03E13F8381FFFFC0007EBF07FC6EB801F25
207E9F28>97 D<90380FFF80017F13F048B512F83903FE03FC3807F807EA0FF0EA1FE0EA3FC0EC
03F8127F903880004000FF1400AA6C7EA2003F141E7F001F143E6C6C137CD807FC13F83903FF03
F06CEBFFE06C6C138090380FFE001F207D9F25>99 D<ED07E0EC03FFA4EC003F151FACEB0FFC90
387FFF9F48B6FC3803FE07380FF8004848137F49133F4848131FA2127F5B12FFAA127F7FA2003F
143F6C6C137F15FF260FF80113F02607FE0F13FF0001B512DF6C141FEB1FF828327DB12E>I<EB
0FFE90387FFFC048B512F03903FE0FF8390FF803FC48486C7EEBE000003F147F485A811680485A
A390B6FCA30180C8FCA46C7EA2003FEC07807F001F140F6C6C131FD807FCEB3F003903FF01FEC6
EBFFF8013F13E0010790C7FC21207E9F26>I<ECFF80010713E0011F13F0EB7FC79038FF8FF848
130F13FE120313FCEC07F0EC01C091C7FCA7B512F8A4D803FCC7FCB3A6387FFFF0A41D327EB119
>I<90393FF80FE09039FFFE3FF0000390B512F83907F83FF3390FE00FE3001F14F19039C007F0
F0003FECF800A7001F5CEBE00F000F5C3907F83FC090B55A000E49C7FCEB3FF890C9FC121EA212
1F7F90B512C06C14FC15FF6C158016C016E0121F393F80007F007EC7EA0FF000FE1407481403A3
6C1407007E15E0007F140FD83FC0EB3FC03A1FF801FF800007B5EAFE00000114F8D8001F138025
2F7E9F29>I<EA03C0EA0FF0487EA27FA35BA26C5AEA03C0C8FCA8EA01F812FFA4120F1207B3A4
B51280A411337DB217>105 D<EA01F812FFA4120F1207B3B3A4B512C0A412327DB117>108
D<2703F00FFCEB1FF800FFD93FFFEB7FFE91B500C1B51280903BF1F83FC3F07F903CF3C01FE780
3FC0260FF780EBEF0000079026000FFEEB1FE001FE5C495CA2495CB2B500C1B50083B5FCA44020
7D9F47>I<3903F00FFC00FFEB3FFF91B512C09038F1F83F9039F3C01FE0380FF7800007496C7E
13FE5BA25BB2B500C1B51280A429207D9F2E>I<EB07FE90383FFFC090B512F03903FC03FC3907
F000FE4848137F4848EB3F80003F15C0A24848EB1FE0A300FF15F0A8007F15E0A36C6CEB3FC0A2
6C6CEB7F80000F15003907F801FE3903FE07FC6CB55AD8003F13C0D907FEC7FC24207E9F29>I<
3901F81FF800FF90B5FC01FB14809039FFE07FE09138801FF03A07FE000FF84913074914FCED03
FEA3ED01FFA95D16FEA216FC6D1307ED0FF86D14F09038FF803F9138E0FFC001FBB5128001F8EB
FE00EC3FF091C8FCAAB512C0A4282E7E9F2E>I<3903F03F8000FFEBFFE001F113F0EBF3E79038
F78FF8000F130FEA07FEA29038FC07F0A2EC008015005BB0B512E0A41D207E9F22>114
D<3801FFC7000713FF121FEA3F80387C003F805A807E7E6C6CC7FC13FC387FFFE014F86C7F6C7F
6C7F00031480EA003F010013C0143F00F0130FA26C1307A27E6CEB0F806C131F9038C07F00EBFF
FE00FB13F800E013E01A207D9F21>I<1378A513F8A41201A212031207120F381FFFFEB5FCA338
07F800AF140FA7141F3803FC1EEBFE3E3801FFFC38007FF8EB1FE0182E7EAD20>I<D801F8EB03
F000FFEB01FFA4000FEB001F0007140FB1151FA2153F157F6C6C497E903AFE03EFFF806CB512CF
6C6C130FEB1FFC29207D9F2E>I<B538803FFEA43A07F80003C06D1307000315806D130F000115
006D5B6C141EA26D6C5AA2ECC07C013F1378ECE0F8011F5B14F1010F5B14F3903807FBC0A214FF
6D5BA26D90C7FCA26D5AA2147CA227207E9F2C>I<B538803FFEA43A07F80003C06D1307000315
806D130F000115006D5B6C141EA26D6C5AA2ECC07C013F1378ECE0F8011F5B14F1010F5B14F390
3807FBC0A214FF6D5BA26D90C7FCA26D5AA2147CA21478A214F85CEA3C01007E5BEAFF035C495A
130FD87A3FC8FCEA7FFC6C5AEA0FE0272E7E9F2C>121 D E /Fe 34 123
df<13E0EA01C012031380EA0700120EA25AA25AA212301270A3126012E0AE12601270A3123012
38A27EA27EA27EEA038013C01201EA00E00B2E7DA112>40 D<12E01270127812387E7EA27EA2EA
0380A2120113C0A3120013E0AE13C01201A313801203A2EA0700A2120EA25A5A127812705A0B2E
7DA112>I<127012F812FCA2127C120CA3121C12181238127012F01260060E7C840D>44
D<EAFFC0A30A037F8A0F>I<127012F8A3127005057C840D>I<EB0380A3497EA3EB0DE0A3EB18F0
A3EB3078A3497EA3EBE01E13C0EBFFFE487FEB800FA200031480EB0007A24814C01403EA0F8039
FFE03FFEA21F207F9F22>65 D<B512E014F83807803E80801580A515005C143E5CEBFFF880EB80
1E801580140715C0A51580140FEC1F00143EB512FC14F01A1F7E9E20>I<90381FC0C0EBFFF038
01F83D3807E00F380F80071300481303003E1301123C127C1400A25A1500A8007C14C0A3003C13
01003E14807E6C130390388007003807E00E3801F83C3800FFF8EB1FE01A217D9F21>I<B512E0
14FC3807803E140FEC0780EC03C015E0140115F01400A215F8A915F0A2140115E0A2EC03C0EC07
80EC0F00143EB512FC14E01D1F7E9E23>I<B46CEB1FF86D133F00071500A2D806E0136FA30170
13CFA3903838018FA390381C030FA3EB0E06A3EB070CA3EB0398A3EB01F0A3380F00E03AFFF0E1
FFF8A2251F7E9E2A>77 D<B57E14F0380780F8143C143E141E141FA4141E143E143C14F8EBFFF0
14C0EB81E0EB80F0A21478A4147CA3150C147EEC3E1C38FFFC3FEC1FF8C7EA07F01E207E9E21>
82 D<007FB512E0A238780F010070130000601460A200E0147000C01430A400001400B23807FF
FEA21C1F7E9E21>84 D<3BFFF07FF83FF0A23B1F000F800F806C0107EB0300A23A07800FC006A3
913819E00ED803C0140CA214393A01E030F018A33A00F0607830A3ECE07C903978C03C60A39039
3D801EC0A390383F000F6D5CA3010E6DC7FCA32C207F9E2F>87 D<EA3FE0EA7FF8EA787C131EA2
EA000EA3EA07FE121FEA3F0E127C12F800F01330A2131E12F8387C7F70383FFFE0381FC7801414
7E9317>97 D<120E12FEA2120EA9133FEBFFC0380FC3E01381EB00F0120E1478A814F0120FEB81
E0EBC3C0380CFF80EB7F0015207F9F19>I<EA03FCEA0FFEEA1E1E123C127813005AA77E1278EA
7C03EA3E07EA1F0EEA0FFCEA03F010147E9314>I<EB0380133FA21303A9EA07F3EA0FFFEA1E1F
EA3C071278130312F0A812781307EA3C0FEA3E1F381FFBF8EA07E315207E9F19>I<EA03F0EA0F
FCEA1E1E487E487E148012F01303B5FCA200F0C7FCA37E1278387C0180EA3E03381F8700EA0FFE
EA03F811147F9314>I<137E13FFEA01EFEA038F12071300A7EAFFF0A2EA0700B0EA7FF0A21020
809F0E>I<EB01E03807F7F0380FFF70EA3E3E383C1E00487EA6EA3C1EEA3E3EEA3FF8EA37F000
30C7FCA21238EA3FFE381FFFC04813E0EA780338F000F0481370A36C13F0387801E0383E07C038
1FFF803803FC00141F7F9417>I<120E12FEA2120EA9137FEBFF80380FC7C013831301A2120EAC
38FFE7FCA216207F9F19>I<121E123EA3121EC7FCA6120E127EA2120EAFEAFFC0A20A1F809E0C>
I<120E12FEA2120EB3A9EAFFE0A20B20809F0C>108 D<390E3F03F039FEFFCFFC39FFC3DC3C39
0F81F81E903800F00EA2000E13E0AC3AFFE7FE7FE0A223147F9326>I<EA0E7F38FEFF8038FFC7
C0EA0F831301A2120EAC38FFE7FCA216147F9319>I<EA01F8EA07FE381E0780383C03C0EA3801
387000E0A200F013F0A6007013E0EA7801003813C0EA3C03381E07803807FE00EA01F814147F93
17>I<EA0E3F38FEFFC038FFC3E0EA0F81EB01F0EA0E0014F81478A614F814F0EA0F01EB81E0EB
C7C0380EFF80EB7F0090C7FCA7EAFFE0A2151D7F9319>I<EA0E7CEAFFFE13DEEA0F9E131E1300
120EACEAFFE0A20F147F9312>114 D<EA1FB0EA7FF01278EAE0701330A2EAF00012FCEA7FC0EA
3FE0EA0FF0EA00F8EAC078133812E0A2EAF078EAF8F0EAFFE0EACFC00D147E9312>I<1206A412
0EA2121E123EEAFFF8A2EA0E00AA1318A5EA0F30EA07F0EA03E00D1C7F9B12>I<380E01C0EAFE
1FA2EA0E01AC13031307EA0F0F3807FDFCEA03F916147F9319>I<38FF87F8A2381E03E0380E01
C01480A238070300A3EA0386A2138EEA01CCA213FC6C5AA21370A315147F9318>I<38FF87F8A2
381E03E0380E01C01480A238070300A3EA0386A2138EEA01CCA213FC6C5AA21370A31360A35B12
F0EAF18012F3007FC7FC123C151D7F9318>121 D<EA3FFFA2EA381FEA301EEA703CEA6078A213
F0EA01E0EA03C0A2EA0783EA0F03121E1307EA3C061278EAF81EEAFFFEA210147F9314>I
E /Ff 7 117 df<14E0A2497EA3497EA2497EA2497E130CA2EB187FA201307F143F01707FEB60
1FA201C07F140F48B57EA2EB800748486C7EA20006801401000E803AFFE01FFFE0A2231F7E9E28
>65 D<EA07FC381FFF80383F0FC01307EB03E0A2121E1200EA01FF120FEA3FC3EA7E0312FC12F8
A3EAFC07EA7E1F383FFDFEEA0FF017147F9319>97 D<B4FCA2121FAAEB1FC0EBFFF0EBE1F8EB80
7CEB007E143E143FA8143E147EEB80FCEBE1F8381CFFF038183FC018207E9F1D>I<EA03FE380F
FF80381F8FC0EA3F0F127E127C38FC078090C7FCA7127E14606C13E0381FC3C0380FFF803803FE
0013147E9317>I<EAFE3FEBFF80381EEFC0EA1FCF138FA2EB078090C7FCABEAFFF0A212147E93
16>114 D<EA0FF6EA3FFEEA781EEAE00E130612F0EAF800EAFFC0EA7FF813FCEA1FFEEA03FFEA
003FEAC00FEAE007A2EAF00FEAFC1EEAFFFCEACFF010147E9315>I<EA0180A31203A31207120F
123FEAFFFCA2EA0F80AA1386A513CCEA07FCEA01F80F1D7F9C14>I E /Fg
27 122 df<1207EA0F80121FA3120F1201A2EA0300A21206A25A5A12385A5A5A09127C8512>44
D<140814181430147014F01301EB07E0131F13F913C1EB03C0A4EB0780A4EB0F00A4131EA45BA4
5BA45BA31201387FFFC0B5FC152879A71F>49 D<EB01F8EB07FEEB0E0F903838078090387003C0
136001C013E0EA0186A2EA0306A21206A2130C000CEB07C013181580380E700F3907E01F003803
801EC75A5C14E0EB03C049C7FC131E133813E0485A485A38060003120E120C48130648130E383F
800C387FF03C3861FFF838E07FF038C01FE0EB07C01B297AA71F>I<0130136090383C03E09038
3FFFC01500495A14F8EB6FC00160C7FC5BA4485AA3EB8FC038033FE0EBF070EBC078EB003C1206
C7FCA3143E143C147CA21238127C00FC5B5A485B38C001E0A2495A38600780D8700FC7FCEA383E
EA1FF8EA07C01B2979A71F>53 D<EB01F8EB07FEEB1E0F90383C0380137001F013C0EA01E0EA03
C0A212071380120FA21407EA1F00A3140F1580141F7E143F6CEB7F00EB80DF3803FF9F3801FE1E
C7123E143C147C1478A25C5C387801C0EAF803495A4848C7FCEAC01CEA6078EA7FE0EA1F801A29
79A71F>57 D<913807F80291383FFE069138FC070E903903F0019E903907C000FC49C7FC013E14
7C5B491478485A1638485A48481430A2485A121F166048C9FCA3127EA4127C12FCA2ED0180ED03
00127CA21506A25D6C5CA2001E5C6C5C6D485A2603C003C7FC3801F81E3800FFF8EB1FC0272B77
A92B>67 D<D93FF8EBFFFCA2D900FCEB0FC00101EC0700160614BEA2D9033E5B80A301065CEC0F
80A3496C6C5AA3EC03E001185CA3EC01F001305CA2EC00F8A249EBF980157DA349017FC7FC81A3
4848131EA21203486C130ED87FFC130C12FF2E297CA82C>78 D<013FB5128016F0903901F801F8
9138F0007C163EA2163F495AA44948137EA316FC494813F8ED01F0ED03E0ED07C090391F001F80
9138FFFE0015F091C8FC133EA45BA45BA4485AA31203387FFF80B5FC28297CA829>80
D<EC3F01903801FFC3903803C0E7903807007F010E133E49131E5B13780170131C13F0A3000114
18A215007F6C7E13FF14F0EB7FFE6D7E6D1380010313C0EB007FEC0FE01403A314011218A30038
EB03C0A21580140700781400007C130E5C00775B38E3C0F038C1FFE0D8807FC7FC202B7BA922>
83 D<133EEBFF183801E1BC380380FC00075BEA0F00001E1378A2003E5B5AA348485AA448485A
ECC180A21307EC8300EA700F38781B86383873C6381FE1FC380F80F8191A79991F>97
D<EB1F80EB7FE03801F070EA03C0380780F0EA0F01121F381E00E0003E1300123C127CA25AA45A
A314201460007813C038380380383C0F00EA0FFCEA07F0141A79991B>99
D<EC03C0147FA214071580A4EC0F00A4141EA4EB3E3C13FF3801E1BC380380FC00075BEA0F0000
1E1378A2003E5B5AA348485AA448485AECC180A21307EC8300EA700F38781B86383873C6381FE1
FC380F80F81A2A79A91F>I<EB1F80EB7FC03801F0E03803C060EA0780EA0F00121E003E13C012
3C387C0380EBFF00EA7FF848C7FC12F8A45AA26C13200078136014C038380380381C0F00EA0FFC
EA07F0131A79991B>I<EC0780EC1FC0EC38E01471147314F3ECF1C0ECF000495AA5495AA390B5
FCA2EB0780A549C7FCA5131EA55BA513381378A45BA35B1230EA79C012F95B12F3007FC8FC123C
1B3681A912>I<EB07C0EB1FE6EB3C7FEB703FEBE03E0001131EEA03C0A20007133CEA0F80A338
1F0078A4001E13F0A4EB01E01303EA0E07EA070D3803FBC0EA01F3EA0003A2EB0780A3EB0F0012
70EAF81E5B485AB45AEA3F8018267C991B>I<133CEA07FCA2EA007C1378A45BA4485AA43803C3
E0EBCFF8EBDC3CEBF01C3807E01E13C0A2138048485AA4001E5BA35C5A1560EB01E015C0127890
3803C1801301ECC70038F000FE006013781B2A7BA91F>I<131C133EA2133C13381300A9EA0780
EA0FE01218EA30F0A21260A2EA61E012C11201EA03C0A2EA0780A3EA0F00A2130C121EA2131812
3CEA1C301360EA0FC0EA07800F287BA712>I<1378EA0FF8A2120013F0A4EA01E0A4EA03C0A4EA
0780A4EA0F00A4121EA45AA45A13C0A312F0EAF18012711279EA3F00121E0D2A7AA90F>108
D<2607807E13F83A0FC1FF83FE3A18E383C70F3A30F603CC079026FC01F81380D860F813F0A201
F013E000C1903903C00F00EA01E0A33A03C007801EA35E3907800F00171816781730380F001EEE
F0601670EE71C0001E49EB3F80000C0118EB1E002D1A7B9931>I<3807807C380FC1FF3918E387
803830F60301FC13C0EA60F8A213F039C1E007801201A33903C00F00A3141EEA0780150C143C15
18EA0F00EC7830143815E0001EEB1FC0000CEB0F001E1A7B9922>I<EB0FC0EB7FF0EBF0783803
C03C3807801C380F001E5A001E131F123E123C127CA248133EA3143C147C48137814F814F03878
01E0EB03C038380780381E1F00EA0FFCEA03F0181A79991F>I<9038780F809038FC1FE039018E
70F039030FE070ECC07800061380EC007CA2EA0C1E1200A34913F8A315F0EB7801A215E0EC03C0
13F8EC07809038FC0F00EBFE1E3801E7F8EBE3E001E0C7FCA2485AA4485AA3120FEA7FF812FF1E
267F991F>I<380781F0380FC3FC3818E60EEA30FCEBF81E0060133E13F0141C38C1E0001201A3
485AA4485AA448C7FCA4121E120C171A7B9919>114 D<133FEBFFC03801E0E03803806014E0EA
0701A2EB00C0140013C013FC7F6C7E6C1380EA003F130713031238127CA238F80700EA7006EA60
0EEA783CEA3FF0EA0FC0131A7B9918>I<13301378A213F0A4EA01E0A4B5FCA2EA03C0A2EA0780
A4EA0F00A4121EA45A1306A2130C12781318EA3830EA3C70EA1FC0EA0F8010257AA414>I<3803
C0033907F00780EA0C70EA18780030EB0F00A2126013F000C0131E1200EA01E0A25CEA03C0A348
485A1530A3ECF060A2D8038113C0EBC3783901FE3F8039007C1F001C1A7B9920>I<3803C00339
07F00780EA0C70EA18780030EB0F00A2126013F000C0131E1200EA01E0A25CEA03C0A348485AA4
5CA2EA038113C36CB45AEA007D1301A2495A1208383C0780123E4848C7FC130EEA301CEA3878EA
1FF0EA0F8019267B991D>121 D E /Fh 35 122 df<127C12FEA212FFA3127F1203A312071206
A2120E121CA212381270126008137B8611>44 D<137F3801FFC03807C1F0380F0078000E133800
1E133C487FA3487FA400F81480AF00781400A3007C5B003C131EA36C5B000E1338000F13783807
C1F03801FFC06C6CC7FC19297EA71E>48 D<EA01FE3807FF80381F0FE0383C03F0383801F83870
00FC126000FC137C6C137EA3143EA2007C137EC7FCA2147C14FC14F81301EB03F014E0EB07C0EB
0F80EB1F00131E5B5B5B3801E006EA03C013803807000C120E5A383FFFFC5AB512F8A317287DA7
1E>50 D<137F3801FFE03807C1F0380F0078000E7F48131C0018131E0038130EA2123CA2003E13
1E003F131CEBC03C381FF0786D5A6CB45A6C5B7EC67F000313F838079FFC380F0FFEEA1E03486C
7E486C7E0070EB3F8000F0130F481307A21403A36C140000705B007813066C130E6C133C380FC0
F83803FFE0C6138019297EA71E>56 D<137F3803FFC03807C1F048C67E001E1378003E7F487FA2
127800F8131F80A31580A4141F1278127C003C133F123E001E136F380F81EF3807FFCF6C130FD8
0010130013005CA2141E121E003F5BA25C5CEA3E01381C03E0381E0FC06CB4C7FCEA03FC19297E
A71E>I<B612C015F83907F000FC0003143FED0F80ED07C0ED03E0ED01F0150016F8167CA3163E
A3163FAA163EA2167E167CA216F8A2ED01F0ED03E0ED07C0ED0F80ED1F00000714FEB612F815C0
28297EA82E>68 D<B7FCA23907F0007F0003140FED07801503A21501A4ED00C01403A21600A35C
5C90B5FCA2EBF00F8080A591C8FCAA487EB512F0A222297EA827>70 D<9138FF8030010713E090
391FC0F87090397E003CF049130ED801F013074848130348481301485A001F140090C8FC481570
123E127E1630A25A1600A84AB5FCA2007E90380007F01503A2123E123F7E7F6C7E12076C7E6C6C
1307D800FC130F017F131C90391FC07870903907FFF0300100EB8000282B7DA92F>I<B512C0A2
3807F8006C5AB3B1487EB512C0A212297EA816>73 D<B538C03FFFA23A07F8000FF06C48EB07C0
5E4BC7FC151E5D5D5D5D4A5A4A5A4AC8FC140E5C143C147E14FF13F19038F3BF809038F71FC013
FE496C7E13F8496C7E6E7EA26E7E140081157FA26F7E6F7EA26F7E82486C497EB539C07FFF80A2
29297EA82E>75 D<D8FFF0913807FFC06D5C0007EEF80000035E017C141BA36D1433A36D1463A2
6D6C13C3A3903907C00183A3903903E00303A2903801F006A3903800F80CA3EC7C18A3EC3E30A2
EC1F60A3EC0FC0A33907800780D80FC04A7ED8FFFC91B512C06E5A32297EA837>77
D<D8FFF8EB3FFFA2D803FCEB03F06DEB01E0ED00C0137F6D7EA26D7E6D7EA26D7EA26D7E6D7EA2
6D7E147FA2EC3F80EC1FC0A2EC0FE0EC07F0A2EC03F8EC01FCA2EC00FE157FA2153FA2151F150F
A21507486C1303487ED8FFFC1301150028297EA82D>I<B512FEECFFC03907F003F00003EB007C
818182150F82A55E151F93C7FC153E5DEC03F090B512C0819038F007F0EC01FC6E7E157E157F81
A9EE0180A2ED1F81486C1483B539C00FC7006FB4FCC912FC292A7EA82C>82
D<EBFF03000713C3380F83E7381E007F487F487F80127000F07FA3807E7E91C7FCB4FCEA7FC013
FC383FFFC06C13F06C13FC6C7F00017FEA003F01031380EB003FEC1FC0140F140712C01403A37E
A26CEB0780A26CEB0F007EB4131E38E7E07C38C1FFF038C03FC01A2B7DA921>I<007FB612F8A2
397E00FC010078EC00780070153800601518A200E0151CA248150CA5C71400B3A6497E48B512FE
A226297EA82B>I<EA07FE381FFF80383F07E0EB01F0130080001E1378C7FCA3EB1FF8EA01FF38
07FC78EA1FC0EA3F00127E127C00FC14605AA214F8EAFC01EA7E03393F0FFCC0391FFE3F803907
F81F001B1A7E991E>97 D<EA078012FFA2120F1207ACEB83F8EB9FFE9038BC1F809038F007C090
38E003E013C090388001F0A2140015F8A815F01401A29038C003E09038E007C09038700F809038
3C3F00EB1FFE380607F81D2A7FA921>I<EB7FE03803FFF83807E0FCEA0F80EA1F00123E481378
1400A25AA8127CA2007E130C003E131C6C1318380FC0383807F0F03803FFE038007F80161A7E99
1B>I<140F49B4FCA2EB001F80AC13FF000313CF3807E1FF380F807F48487E003E7F487FA21278
12F8A81278127CA26C5B001E5B001F5B390FC1EF803903FFCFF83800FE0F1D2A7EA921>I<13FF
000313C03807C3E0381F01F0381E00F8003E13785A143C127812F8B512FCA200F8C7FCA5127CA2
140C6C131C6C1318380F80383807E0F03803FFE038007F00161A7E991B>I<EB1FC0EB7FE0EBF9
F0EA01E3120313C3EA0783EB80C01400A8EAFFFEA2EA0780B3A37FEAFFFEA2142A7FA912>I<EC
0F803901FC3FC03807FF7B380F8FE3381E03C3003EEBE180393C01E000007C7FA6003C5BEA3E03
001E5B381F8F8048B4C7FCEA39FC0030C8FC1238A2123C383FFFE06C13F814FE80387C007F0078
EB0F80481307481303A46C13070078EB0F00003E133E381F80FC3807FFF0C613801A287E9A1E>
I<EA078012FFA2120F1207ACEB87F8EB9FFEEBBC3FEBF00F01E01380EBC007A31380B039FFFCFF
FCA21E2A7FA921>I<120FEA1F8013C0A31380EA0F00C7FCA8EA0780127FA2120F1207B3A2EAFF
F8A20D297FA811>I<EA078012FFA2120F1207B3B2EAFFFCA20E2A7FA911>108
D<3A0783FC01FE3BFF8FFF07FF80903ABC1F9E0FC03A0FF807BC03D807E001F013E00203130101
C013E0A2018013C0B03BFFFC7FFE3FFFA2301A7F9933>I<380787F838FF9FFEEBBC3F380FF00F
D807E01380EBC007A31380B039FFFCFFFCA21E1A7F9921>I<137F3801FFC03807C1F0380F0078
001E7F487FA2487FA200F81480A800781400007C5B003C131EA26C5B6C5B3807C1F03801FFC06C
6CC7FC191A7E991E>I<380783F838FF9FFE9038BC3F80390FF00FC03907E007E0EBC003018013
F01401A2EC00F8A7140115F0A2140301C013E09038E007C09038F00F809038BC3F00EB9FFEEB87
F80180C7FCAAEAFFFCA21D267F9921>I<38078FC038FF9FE0EBB9F0EA0FF1EA07E1A2EBC000A2
5BAF7FEAFFFEA2141A7F9917>114 D<3807F8C0EA1FFFEA3C0FEA7003EAF001EAE000A27E6C13
0012FEEA7FF0EA3FFE6C7E0007138038007FC0EB07E0EAC0031301EAE000A27EEB01C0EAF80338
FE078038EFFF00EAC3FC131A7E9918>I<487EA41203A31207A2120F123FB51280A238078000AD
14C0A613C10003138013E33801FF00EA007E12257FA417>I<390780078000FF13FFA2000F130F
00071307AF140FA2141F3803C03F9038E0F7C03901FFE7FC38007F871E1A7F9921>I<39FFF01F
F8A2390F800FC00007EB0780150013C000031306A26C6C5AA2EBF01C00001318A2EB7830A36D5A
A26D5AA36D5AA36DC7FCA21D1A7F9920>I<39FFF01FF8A2390F800FC00007EB0780150013C000
031306A26C6C5AA2EBF01C00001318A2EB7830A36D5AA26D5AA36D5AA36DC7FCA21306A2130E13
0C1230EAFC18A25B1370EA78E0EA3FC06CC8FC1D267F9920>121 D E /Fi
15 117 df<B512FCA516057F941D>45 D<150C151EA3153FA34B7EA34B7EA24A7F159FA202037F
150FA202067F1507A24A6C7EA34A6C7EA202387FEC3000A20270800260137FA24A80163FA24948
6D7EA349B67EA249810106C71207A249811603A249811601A2496E7EA3496F7E13F084EA03F8D8
0FFE913801FFF0B500C0013FEBFFC0A33A3C7DBB41>65 D<B712F816FF17E0C69039C0001FF06D
48EB07FC707E707E82EF7F8018C0173F18E0A718C0A2EF7F8017FF18004C5A4C5AEE0FF8EE3FE0
91B61280A2913980001FE0EE03F8EE01FE707EEF7F80EF3FC018E0171F18F0170F18F8A8EF1FF0
A218E0173FEF7FC0EFFF804C13004C5A496CEB1FFCB812F017C04CC7FC353B7EBA3D>I<DBFFC0
1360020F01F813E0023F13FE9139FFC03F81903A03FE0007C3D90FF8EB01E7D91FE0EB00F74948
143F4948141F49C8FC4848150F48481507491503120748481501A2485A1700123F5B1860127FA3
48481600AD6C7E1860A2123FA27F001F17E018C06C7E17016C6C1680000316037F6C6CED07006C
6C150E6D6C141E6D6C5C6D6C5CD90FF8495AD903FEEB07E0903A00FFC03F80023FB5C7FC020F13
FC020013C0333D7BBB3E>I<B77E16F816FEC69039C001FF80903A7F80003FE0EE0FF0707E707E
707EA2838284A795C7FC5E5F5F4C5A4C5A4C5AEE3F80DB01FEC8FC91B512F85E91388003FCED00
FEEE7F80707E707E160F83A2707EA683A61930831603197004011460496C6E13E0B6D8C000EB80
C0EF3FC394381FFF80CA3801FE003C3C7EBA3F>82 D<EBFFE0000713FC381F807FEC1F80486C6C
7E6E7E6E7EA26C486C7EA2C7FCA4143FEB07FFEB7FF93801FF01EA07FCEA0FF0EA1FC0123F1380
EA7F00A200FE150CA31403A26C13076C13069039800EFC1C3A3FC03C7E383A1FE0F87FF03A07FF
E03FE0C69038800F8026257CA42B>97 D<903807FFC0011F13F090387E007CD801F813FC3903F0
01FEEA07E0EA0FC0121F90388000FC123F90C8FC5AA2127E12FEA9127E127FA26C14037F001F14
076D1306000F140E6C6C131C6C6C13386C6C13F039007E03E090381FFF80903807FE0020257DA4
26>99 D<ED07E0EC03FFA3EC001F1507B2EB03FE90381FFF8790387F03E79038FC00F7D803F013
3F4848131F4848130FA248481307123F90C7FC5AA2127E12FEA9127E127FA27EA26C6C130FA26C
6C131F6C6C133F6C6C13776C6CEBE7F83B007E07C7FFC090381FFF87903803FC072A3C7DBB30>
I<EB07FE90383FFF8090387E0FE03901F801F048486C7E4848137C4848137E4848133E153F48C7
7EA2481580A2127E12FEB7FCA248C9FCA6127E127FA26CEC01807F001F14036C6C14005D6C6C13
0E6C6C5BD800FC137890387F03F090381FFFC0D903FEC7FC21257EA426>I<EA01F812FFA31207
1201B3B3AF487EB512F0A3143C7FBB17>108 D<3901F807F800FFEB3FFF91387C1F809138E00F
C03A07F9C007E03801FB809039FF0003F05B5BA35BB3A4486C497EB500F1B512E0A32B257EA430
>110 D<EB01FE90380FFFC090383E01F09038F8007C48487FD803C0130F000715804848EB07C0
48C7EA03E04815F0A2007EEC01F8A300FE15FCA9007E15F8A2007F14036C15F0A26C6CEB07E000
0F15C06D130F6C6CEB1F80D801F0EB3E006C6C5B90387F03F890381FFFE0D901FEC7FC26257EA4
2B>I<3903F01F8000FFEB7FE0ECF3F09038F1C7F83807F3873801F70713F613FE9038FC03F0EC
00C01500A25BB3A3487EB512F8A31D257EA422>114 D<9038FFC180000713F3380F807F381E00
1F0038130F007813070070130312F01401A27E7EB490C7FCEA7FE013FF6C13F06C13FC6C7F6C7F
C61480010F13C0EB007FEC1FE000C013071403A26C1301A27EA26CEB03C07E6CEB07806CEB0F00
38F3C07E38E1FFF838C07FE01B257DA422>I<1318A51338A41378A213F8A2120112031207001F
B5FCB6FCA2D801F8C7FCB2EC0180A91403D800FC1300A2EB7E07EB3F0EEB1FFCEB03F819357EB4
21>I E end
%%EndProlog
%%BeginSetup
%%Feature: *Resolution 300
TeXDict begin 
%%EndSetup
%%Page: 1 1
bop 470 396 a Fi(Role-Based)30 b(Access)f(Con)n(trol)519 544
y Fh(Da)n(vid)19 b(F)-5 b(erraiolo)19 b(and)h(Ric)n(hard)g(Kuhn)350
619 y(National)f(Institute)h(of)g(Standards)h(and)f(T)-5 b(ec)n(hnology)574
694 y(Gaithersburg,)20 b(Maryland)f(20899)775 843 y(Reprin)n(ted)h(from)111
918 y Fg(Pr)m(o)m(c)m(e)m(e)m(dings)j(of)e(15th)f(National)g(Computer)h(Se)m
(curity)i(Confer)m(enc)m(e,)f(1992)875 1103 y Ff(Abstract)190
1186 y Fe(While)14 b(Mandatory)d(Access)h(Con)o(trols)g(\(MA)o(C\))e(are)i
(appropriate)g(for)g(m)o(ultilev)o(el)i(secure)f(mil-)122 1243
y(itary)e(applications,)j(Discretionary)e(Access)g(Con)o(trols)g(\(D)o(A)o
(C\))e(are)h(often)h(p)q(erceiv)o(ed)h(as)e(meeting)122 1299
y(the)16 b(securit)o(y)h(pro)q(cessing)g(needs)h(of)e(industry)h(and)f
(civilian)j(go)o(v)o(ernmen)o(t.)k(This)17 b(pap)q(er)f(argues)122
1356 y(that)g(reliance)j(on)e(D)o(A)o(C)f(as)g(the)h(principal)j(metho)q(d)d
(of)f(access)h(con)o(trol)g(is)h(unfounded)g(and)f(in-)122
1412 y(appropriate)h(for)g(man)o(y)g(commercial)h(and)g(civilian)i(go)o(v)o
(ernmen)o(t)c(organizations.)29 b(The)19 b(pap)q(er)122 1468
y(describ)q(es)14 b(a)f(t)o(yp)q(e)g(of)f(non-discretionary)i(access)f(con)o
(trol)f(-)h(role-based)h(access)f(con)o(trol)f(\(RBA)o(C\))122
1525 y(-)g(that)g(is)g(more)g(cen)o(tral)g(to)g(the)g(secure)g(pro)q(cessing)
h(needs)g(of)f(non-military)h(systems)f(then)g(D)o(A)o(C.)0
1691 y Fd(1)83 b(In)n(tro)r(duction)0 1801 y Fc(The)16 b(U.S.)e(go)o(v)o
(ernmen)o(t)f(has)k(b)q(een)e(in)o(v)o(olv)o(ed)f(in)h(dev)o(eloping)g
(securit)o(y)f(tec)o(hnology)h(for)h(computer)e(and)0 1861
y(comm)o(unic)o(ations)h(systems)g(for)j(some)d(time.)21 b(Although)c(adv)m
(ances)g(ha)o(v)o(e)f(b)q(een)h(great,)g(it)f(is)h(generally)0
1921 y(p)q(erceiv)o(ed)d(that)i(the)g(curren)o(t)f(state)h(of)g(securit)o(y)f
(tec)o(hnology)g(has,)h(to)h(some)d(exten)o(t)h(failed)g(to)h(address)0
1981 y(the)i(needs)h(of)g(all.)28 b([1],)18 b([2])g(This)h(is)f(esp)q
(ecially)g(true)g(of)h(organizations)h(outside)e(the)h(Departmen)o(t)e(of)0
2041 y(Defense)f(\(DoD\).)g([3])150 2102 y(The)f(curren)o(t)f(set)i(of)f
(securit)o(y)f(criteria,)f(criteria)h(in)o(terpretations,)h(and)g(guidelines)
f(has)i(gro)o(wn)0 2162 y(out)22 b(of)g(researc)o(h)f(and)h(dev)o(elopmen)o
(t)d(e\013orts)j(on)g(the)g(part)g(of)g(the)f(DoD)i(o)o(v)o(er)e(a)h(p)q
(erio)q(d)g(of)g(t)o(w)o(en)o(t)o(y)0 2222 y(plus)14 b(y)o(ears.)20
b(T)l(o)q(da)o(y)15 b(the)f(b)q(est)h(kno)o(wn)f(U.S.)f(computer)g(securit)o
(y)f(standard)k(is)e(the)g(T)l(rusted)g(Computer)0 2282 y(System)21
b(Ev)m(aluation)j(Criteria)f(\(TCSEC)h([4])e(\).)42 b(It)23
b(con)o(tains)g(securit)o(y)f(features)h(and)g(assurances,)0
2342 y(exclusiv)o(ely)18 b(deriv)o(ed,)i(engineered)f(and)j(rationalized)e
(based)h(on)h(DoD)f(securit)o(y)f(p)q(olicy)l(,)g(created)h(to)0
2403 y(meet)e(one)j(ma)s(jor)e(securit)o(y)g(ob)s(jectiv)o(e)g(-)h(prev)o(en)
o(ting)f(the)h(unauthorized)h(observ)m(ation)g(of)f(classi\014ed)0
2463 y(information.)f(The)14 b(result)g(is)g(a)g(collection)f(of)i(securit)o
(y)e(pro)q(ducts)i(that)g(do)f(not)h(fully)e(address)i(securit)o(y)0
2523 y(issues)k(as)g(they)f(p)q(ertain)h(to)g(unclassi\014ed)f(sensitiv)o(e)f
(pro)q(cessing)i(en)o(vironmen)o(ts.)26 b(Although)19 b(existing)0
2583 y(securit)o(y)e(mec)o(hanisms)e(ha)o(v)o(e)j(b)q(een)g(partially)g
(successful)g(in)g(promoting)g(securit)o(y)f(solutions)i(outside)0
2643 y(of)e(the)g(DoD)h([2])e(,)h(in)f(man)o(y)g(instances)g(these)h(con)o
(trols)g(are)g(less)f(then)h(p)q(erfect,)f(and)i(are)f(used)g(in)f(lieu)0
2704 y(of)h(a)f(more)f(appropriate)i(set)f(of)h(con)o(trols.)963
2828 y(1)p eop
%%Page: 2 2
bop 150 195 a Fc(The)22 b(TCSEC)i(sp)q(eci\014es)e(t)o(w)o(o)g(t)o(yp)q(es)g
(of)h(access)f(con)o(trols:)33 b(Discretionary)22 b(Access)g(Con)o(trols)0
255 y(\(D)o(A)o(C\))12 b(and)g(Mandatory)i(Access)d(Con)o(trols)i(\(MA)o
(C\).)e(Since)g(the)h(TCSEC's)h(app)q(earance)g(in)f(Decem)o(b)q(er)0
315 y(of)k(1983,)i(D)o(A)o(C)d(requiremen)o(ts)e(ha)o(v)o(e)i(b)q(een)h(p)q
(erceiv)o(ed)e(as)j(b)q(eing)f(tec)o(hnically)e(correct)i(for)g(commerci)o
(al)0 376 y(and)h(civilian)e(go)o(v)o(ernmen)o(t)f(securit)o(y)h(needs,)h(as)
h(w)o(ell)e(as)j(for)f(single-lev)o(el)d(military)g(systems.)21
b(MA)o(C)15 b(is)0 436 y(used)k(for)h(m)o(ulti-lev)n(el)c(secure)i(military)f
(systems,)h(but)h(its)g(use)h(in)e(other)i(applications)f(is)g(rare.)30
b(The)0 496 y(premise)13 b(of)i(this)g(pap)q(er)g(is)g(that)g(there)f(exists)
g(a)i(con)o(trol,)e(referred)g(to)h(as)g(Role-Based)g(Access)f(Con)o(trol)0
556 y(\(RBA)o(C\),)k(that)i(can)g(b)q(e)g(more)e(appropriate)j(and)f(cen)o
(tral)f(to)h(the)f(secure)h(pro)q(cessing)g(needs)g(within)0
616 y(industry)12 b(and)i(civilian)c(go)o(v)o(ernmen)o(t)g(than)k(that)f(of)f
(D)o(A)o(C,)g(although)h(the)g(need)f(for)h(D)o(A)o(C)f(will)f(con)o(tin)o
(ue)0 677 y(to)17 b(exist.)0 843 y Fd(2)83 b(Asp)r(ects)26
b(of)i(Securit)n(y)e(P)n(olicies)0 953 y Fc(Recen)o(tly)l(,)19
b(considerable)g(atten)o(tion)h(has)i(b)q(een)e(paid)g(to)h(researc)o(hing)e
(and)i(addressing)g(the)f(securit)o(y)0 1013 y(needs)e(of)h(commercial)c(and)
20 b(civilian)c(go)o(v)o(ernmen)o(t)h(organizations.)29 b(It)19
b(is)f(apparen)o(t)h(that)g(signi\014can)o(t)0 1073 y(and)i(broad)h(sw)o
(eeping)f(securit)o(y)e(requiremen)o(ts)f(exist)i(outside)h(the)g(Departmen)o
(t)e(of)i(Defense.)35 b([2])20 b(,)0 1133 y([5])g(,)h([6])f(Civilian)f(go)o
(v)o(ernmen)o(t)f(and)j(corp)q(orations)h(also)g(rely)d(hea)o(vily)g(on)i
(information)e(pro)q(cessing)0 1193 y(systems)c(to)i(meet)d(their)h
(individual)g(op)q(erational,)i(\014nancial,)e(and)i(information)e(tec)o
(hnology)h(require-)0 1253 y(men)o(ts.)i(The)13 b(in)o(tegrit)o(y)l(,)e(a)o
(v)m(ailabilit)o(y)l(,)g(and)i(con\014den)o(tialit)o(y)e(of)i(k)o(ey)f(soft)o
(w)o(are)g(systems,)g(databases,)i(and)0 1314 y(data)i(net)o(w)o(orks)e(are)h
(ma)s(jor)f(concerns)h(throughout)h(all)f(sectors.)21 b(The)15
b(corruption,)g(unauthorized)g(dis-)0 1374 y(closure,)h(or)h(theft)g(of)g
(corp)q(orate)h(resources)e(could)h(disrupt)g(an)g(organization's)g(op)q
(erations)h(and)g(ha)o(v)o(e)0 1434 y(immedi)o(ate,)i(serious)j(\014nancial,)
g(legal,)g(h)o(uman)e(safet)o(y)l(,)i(p)q(ersonal)g(priv)m(acy)e(and)i
(public)f(con\014dence)0 1494 y(impact.)150 1554 y(Lik)o(e)f(DoD)h(agencies,)
g(civilian)e(go)o(v)o(ernmen)o(t)f(and)k(commerc)o(ial)18 b(\014rms)j(are)h
(v)o(ery)e(m)o(uc)o(h)g(con-)0 1615 y(cerned)g(with)g(protecting)g(the)h
(con\014den)o(tialit)o(y)d(of)j(information.)33 b(This)21 b(includes)e(the)h
(protection)h(of)0 1675 y(p)q(ersonnel)16 b(data,)h(mark)o(eting)d(plans,)i
(pro)q(duct)h(announcemen)o(ts,)e(form)o(ulas,)f(man)o(ufacturing)h(and)i
(de-)0 1735 y(v)o(elopmen)o(t)g(tec)o(hniques.)30 b(But)20
b(man)o(y)e(of)i(these)g(organizations)h(ha)o(v)o(e)e(ev)o(en)g(greater)h
(concern)f(for)h(in-)0 1795 y(tegrit)o(y)l(.)g([1])150 1855
y(Within)f(industry)h(and)g(civilian)e(go)o(v)o(ernmen)o(t,)g(in)o(tegrit)o
(y)h(deals)g(with)h(broader)h(issues)f(of)g(se-)0 1916 y(curit)o(y)f(than)h
(con\014den)o(tialit)o(y)l(.)30 b(In)o(tegrit)o(y)19 b(is)g(particularly)g
(relev)m(an)o(t)g(to)h(suc)o(h)g(applications)g(as)h(funds)0
1976 y(transfer,)15 b(clinical)f(medicine,)e(en)o(vironmen)o(tal)h(researc)o
(h,)h(air)i(tra\016c)f(con)o(trol,)g(and)h(a)o(vionics.)k(The)c(im-)0
2036 y(p)q(ortance)g(of)g(in)o(tegrit)o(y)e(concerns)i(in)f(defense)g
(systems)g(has)h(also)h(b)q(een)e(studied)h(in)f(recen)o(t)g(y)o(ears.)20
b([7])15 b(,)0 2096 y([8])150 2156 y(A)21 b(wide)h(gam)o(ut)f(of)h(securit)o
(y)e(p)q(olicies)h(and)i(needs)f(exist)f(within)g(civilian)f(go)o(v)o(ernmen)
o(t)f(and)0 2217 y(priv)m(ate)e(organizations.)24 b(An)17 b(organizational)h
(meaning)e(of)h(securit)o(y)f(cannot)h(b)q(e)g(presupp)q(osed.)25
b(Eac)o(h)0 2277 y(organization)d(has)g(unique)f(securit)o(y)f(requiremen)n
(ts,)g(man)o(y)f(of)j(whic)o(h)f(are)g(di\016cult)f(to)h(meet)f(using)0
2337 y(traditional)c(MA)o(C)g(and)g(D)o(A)o(C)g(con)o(trols.)150
2397 y(As)22 b(de\014ned)g(in)g(the)g(TCSEC)h(and)g(commonly)d(implem)o(en)n
(ted,)h(D)o(A)o(C)g(is)h(an)h(access)f(con)o(trol)0 2457 y(mec)o(hanism)e
(that)k(p)q(ermits)f(system)f(users)i(to)g(allo)o(w)f(or)h(disallo)o(w)f
(other)h(users)g(access)f(to)h(ob)s(jects)0 2518 y(under)16
b(their)g(con)o(trol:)122 2632 y(A)f(means)f(of)h(restricting)g(access)g(to)g
(ob)s(jects)g(based)h(on)f(the)g(iden)o(tit)o(y)e(of)j(sub)s(jects)f(and/or)
122 2692 y(groups)21 b(to)g(whic)o(h)e(they)g(b)q(elong.)34
b(The)20 b(con)o(trols)g(are)g(discretionary)f(in)h(the)g(sense)g(that)963
2828 y(2)p eop
%%Page: 3 3
bop 122 195 a Fc(a)17 b(sub)s(ject)g(with)g(a)g(certain)g(access)g(p)q
(ermission)e(is)i(capable)g(of)h(passing)g(that)f(p)q(ermission)122
255 y(\(p)q(erhaps)23 b(indirectly\))d(on)j(to)g(an)o(y)f(other)g(sub)s(ject)
g(\(unless)g(restrained)g(b)o(y)f(mandatory)122 315 y(access)16
b(con)o(trol\).)21 b([4])150 429 y(D)o(A)o(C,)16 b(as)h(the)f(name)g
(implies,)d(p)q(ermits)i(the)i(gran)o(ting)g(and)g(rev)o(oking)f(of)h(access)
g(privileges)e(to)0 490 y(b)q(e)h(left)f(to)i(the)e(discretion)h(of)g(the)g
(individual)f(users.)21 b(A)15 b(D)o(A)o(C)h(mec)o(hanism)d(allo)o(ws)j
(users)g(to)g(gran)o(t)h(or)0 550 y(rev)o(ok)o(e)e(access)i(to)g(an)o(y)g(of)
g(the)f(ob)s(jects)h(under)g(their)f(con)o(trol)g(without)h(the)g(in)o
(tercession)e(of)i(a)g(system)0 610 y(administrator.)150 670
y(In)i(man)o(y)e(organizations,)j(the)f(end)g(users)g(do)g(not)h(\\o)o(wn")g
(the)e(information)g(for)h(whic)o(h)g(they)0 730 y(are)c(allo)o(w)o(ed)g
(access.)20 b(F)l(or)c(these)f(organizations,)h(the)f(corp)q(oration)h(or)g
(agency)f(is)g(the)g(actual)g(\\o)o(wner")0 791 y(of)f(system)e(ob)s(jects)h
(as)h(w)o(ell)e(as)j(the)e(programs)h(that)f(pro)q(cess)i(it.)20
b(Con)o(trol)13 b(is)h(often)f(based)h(on)g(emplo)o(y)o(ee)0
851 y(functions)i(rather)h(than)f(data)i(o)o(wnership.)150
911 y(Access)h(con)o(trol)g(decisions)h(are)f(often)h(determined)d(b)o(y)j
(the)f(roles)h(individual)e(users)i(tak)o(e)g(on)0 971 y(as)i(part)f(of)g(an)
g(organization.)36 b(This)21 b(includes)f(the)h(sp)q(eci\014cation)g(of)g
(duties,)g(resp)q(onsibilities,)f(and)0 1031 y(quali\014cations.)29
b(F)l(or)19 b(example,)e(the)h(roles)h(an)g(individual)f(asso)q(ciated)i
(with)e(a)i(hospital)f(can)g(assume)0 1091 y(include)c(do)q(ctor,)h(n)o
(urse,)g(clinician,)e(and)j(pharmacist.)j(Roles)c(in)f(a)i(bank)f(include)f
(teller,)g(loan)h(o\016cer,)0 1152 y(and)24 b(accoun)o(tan)o(t.)43
b(Roles)23 b(can)g(also)h(apply)f(to)h(military)d(systems;)k(for)f(example,)e
(target)i(analyst,)0 1212 y(situation)d(analyst,)h(and)f(tra\016c)g(analyst)g
(are)g(common)e(roles)h(in)h(tactical)f(systems.)34 b(A)20
b(role)h(based)0 1272 y(access)13 b(con)o(trol)f(\(RBA)o(C\))g(p)q(olicy)g
(bases)h(access)g(con)o(trol)f(decisions)h(on)g(the)g(functions)f(a)i(user)e
(is)h(allo)o(w)o(ed)0 1332 y(to)20 b(p)q(erform)f(within)h(an)g
(organization.)33 b(The)20 b(users)g(cannot)h(pass)f(access)g(p)q(ermissions)
f(on)i(to)f(other)0 1392 y(users)c(at)h(their)f(discretion.)k(This)c(is)g(a)h
(fundamen)o(tal)e(di\013erence)g(b)q(et)o(w)o(een)g(RBA)o(C)h(and)g(D)o(A)o
(C.)150 1453 y(Securit)o(y)g(ob)s(jectiv)o(es)g(often)i(supp)q(ort)h(a)f
(higher)g(lev)o(el)e(organizational)i(p)q(olicy)l(,)f(suc)o(h)h(as)g(main-)0
1513 y(taining)d(and)h(enforcing)f(the)f(ethics)h(asso)q(ciated)h(with)f(a)g
(judge's)g(c)o(ham)o(b)q(ers,)e(or)j(the)f(la)o(ws)g(and)g(resp)q(ect)0
1573 y(for)g(priv)m(acy)g(asso)q(ciated)h(with)f(the)g(diagnosis)h(of)g
(ailmen)o(ts,)c(treatmen)o(t)h(of)j(disease,)f(and)g(the)g(adminis-)0
1633 y(tering)f(of)g(medicine)e(with)i(a)g(hospital.)21 b(T)l(o)15
b(supp)q(ort)g(suc)o(h)f(p)q(olicies,)g(a)g(capabilit)o(y)f(to)i(cen)o
(trally)d(con)o(trol)0 1693 y(and)h(main)o(tain)d(access)i(righ)o(ts)g(is)g
(required.)19 b(The)12 b(securit)o(y)f(administrator)g(is)h(resp)q(onsible)g
(for)g(enforcing)0 1754 y(p)q(olicy)k(and)g(represen)o(ts)g(the)g
(organization.)150 1814 y(The)h(determination)e(of)i(mem)o(b)q(ership)d(and)j
(the)g(allo)q(cation)g(of)h(transactions)g(to)f(a)g(role)g(is)g(not)0
1874 y(so)i(m)o(uc)o(h)d(in)i(accordance)h(with)f(discretionary)g(decisions)g
(on)h(the)f(part)h(of)f(a)h(system)e(administrator,)0 1934
y(but)23 b(rather)g(in)f(compliance)f(with)h(organization-sp)q(eci\014c)h
(protection)g(guidelines.)39 b(These)23 b(p)q(olicies)0 1994
y(are)d(deriv)o(ed)f(from)f(existing)i(la)o(ws,)g(ethics,)g(regulations,)h
(or)f(generally)f(accepted)g(practices.)32 b(These)0 2055 y(p)q(olicies)17
b(are)i(non-discretionary)f(in)g(the)g(sense)h(that)f(they)g(are)g(una)o(v)o
(oidably)g(imp)q(osed)g(on)g(all)g(users.)0 2115 y(F)l(or)e(example,)d(a)j
(do)q(ctor)g(can)g(b)q(e)g(pro)o(vided)e(with)i(the)f(transaction)h(to)g
(prescrib)q(e)f(medicine,)e(but)i(do)q(es)0 2175 y(not)i(p)q(ossess)g(the)f
(authorit)o(y)h(to)f(pass)h(that)g(transaction)g(on)g(to)f(a)h(n)o(urse.)150
2235 y(RBA)o(C)d(is)g(in)g(fact)h(a)g(form)f(of)h(mandatory)f(access)h(con)o
(trol,)f(but)h(it)f(is)g(not)h(based)h(on)f(m)o(ultile)o(v)o(e)o(l)0
2295 y(securit)o(y)g(requiremen)o(ts.)j(As)e(de\014ned)g(in)g(the)g(TCSEC,)h
(MA)o(C)e(is)122 2409 y(A)c(means)f(of)i(restricting)e(access)h(to)h(ob)s
(jects)f(based)h(on)f(the)g(sensitivit)o(y)f(\(as)i(represen)o(ted)e(b)o(y)
122 2469 y(a)15 b(lab)q(el\))f(of)h(the)f(information)g(con)o(tained)g(in)g
(the)g(ob)s(jects)h(and)g(the)f(formal)g(authorization)122
2530 y(\(i.e.)20 b(clearance\))15 b(of)i(sub)s(jects)f(to)g(access)g
(information)g(of)g(suc)o(h)g(sensitivit)o(y)l(.)j([4])150
2643 y(Role)13 b(based)h(access)f(con)o(trol,)h(in)f(man)o(y)f(applications)h
(\(e.g.)20 b([9])13 b(,)h([10])f(,)h([11])f(is)g(concerned)g(more)0
2704 y(with)j(access)g(to)h(functions)f(and)h(information)e(than)i(strictly)e
(with)h(access)g(to)h(information.)963 2828 y(3)p eop
%%Page: 4 4
bop 150 195 a Fc(The)24 b(act)h(of)f(gran)o(ting)h(mem)o(b)q(ership)c(and)k
(sp)q(ecifying)f(transactions)h(for)f(a)h(role)f(is)g(lo)q(osely)0
255 y(analogous)16 b(to)f(the)f(pro)q(cess)h(of)f(clearing)g(users)h(\(gran)o
(ting)f(mem)o(b)q(ership\))d(and)k(the)f(lab)q(eling)g(\(asso)q(ciate)0
315 y(op)q(erational)f(sensitivities\))c(of)j(ob)s(jects)g(within)f(the)g
(DoD.)h(The)g(military)d(p)q(olicy)i(is)h(with)f(resp)q(ect)h(to)g(one)0
376 y(t)o(yp)q(e)i(of)g(capabilit)o(y:)19 b(who)c(can)g(read)f(what)h
(information.)20 b(F)l(or)14 b(these)g(systems)f(the)h(unauthorized)h(\015o)o
(w)0 436 y(of)h(information)f(from)g(a)h(high)g(lev)o(el)e(to)i(a)g(lo)o(w)g
(lev)o(el)d(is)j(the)f(principal)g(concern.)21 b(As)16 b(suc)o(h,)f
(constrain)o(ts)0 496 y(on)24 b(b)q(oth)g(reads)g(and)g(writes)f(are)g(in)h
(supp)q(ort)g(of)g(that)g(rule.)42 b(Within)22 b(a)i(role-based)g(system,)f
(the)0 556 y(principal)15 b(concern)g(is)g(protecting)g(the)h(in)o(tegrit)o
(y)e(of)i(information:)j(\\who)e(can)f(p)q(erform)e(what)j(acts)f(on)0
616 y(what)h(information.")150 677 y(A)g(role)f(can)h(b)q(e)g(though)o(t)h
(of)f(as)h(a)f(set)g(of)g(transactions)h(that)g(a)f(user)g(or)g(set)g(of)g
(users)h(can)f(p)q(er-)0 737 y(form)e(within)h(the)g(con)o(text)g(of)g(an)h
(organization.)23 b(T)l(ransactions)17 b(are)g(allo)q(cated)f(to)h(roles)f(b)
o(y)g(a)g(system)0 797 y(administrator.)26 b(Suc)o(h)18 b(transactions)h
(include)e(the)h(abilit)o(y)f(for)i(a)f(do)q(ctor)h(to)g(en)o(ter)e(a)i
(diagnosis,)g(pre-)0 857 y(scrib)q(e)14 b(medication,)f(and)i(add)g(a)g(en)o
(try)f(to)h(\(not)g(simply)e(mo)q(dify\))g(a)i(record)f(of)h(treatmen)o(ts)e
(p)q(erformed)0 917 y(on)20 b(a)g(patien)o(t.)30 b(The)19 b(role)g(of)h(a)f
(pharmacist)g(includes)f(the)h(transactions)i(to)e(disp)q(ense)h(but)f(not)h
(pre-)0 978 y(scrib)q(e)g(prescription)g(drugs.)34 b(Mem)o(b)q(ership)19
b(in)h(a)h(role)f(is)g(also)h(gran)o(ted)g(and)g(rev)o(ok)o(ed)e(b)o(y)h(a)g
(system)0 1038 y(administrator.)150 1098 y(Roles)g(are)h(group)h(orien)o
(ted.)33 b(F)l(or)21 b(eac)o(h)f(role,)h(a)g(set)f(of)h(transactions)h(allo)q
(cated)f(the)f(role)g(is)0 1158 y(main)o(tained.)h(A)c(transaction)h(can)f(b)
q(e)g(though)o(t)g(of)h(as)f(a)h(transformation)e(pro)q(cedure)h([1])g(\(a)g
(program)0 1218 y(or)h(p)q(ortion)h(of)f(a)g(program\))g(plus)g(a)g(set)f(of)
i(asso)q(ciated)f(data)h(items.)24 b(In)17 b(addition,)h(eac)o(h)g(role)f
(has)i(an)0 1279 y(asso)q(ciated)g(set)e(of)h(individual)e(mem)o(b)q(ers.)23
b(As)17 b(a)h(result,)f(RBA)o(Cs)g(pro)o(vide)g(a)h(means)f(of)h(naming)e
(and)0 1339 y(describing)f(man)o(y-to-man)o(y)e(relationships)j(b)q(et)o(w)o
(een)f(individuals)f(and)i(righ)o(ts.)21 b(Figure)15 b(1)h(depicts)f(the)0
1399 y(relationships)f(b)q(et)o(w)o(een)g(individual)f(users,)i
(roles/groups,)g(transformation)g(pro)q(cedures,)f(and)h(system)0
1459 y(ob)s(jects.)150 1519 y(The)j(term)e(transaction)i(is)g(used)g(in)f
(this)h(pap)q(er)g(as)g(a)g(con)o(v)o(enience)e(to)i(refer)f(to)h(a)g
(binding)g(of)0 1579 y(transformation)f(pro)q(cedure)g(and)g(data)h(storage)g
(access.)23 b(This)17 b(is)g(not)g(unlik)o(e)f(con)o(v)o(en)o(tional)f(usage)
j(of)0 1640 y(the)f(term)e(in)h(commercial)d(systems.)22 b(F)l(or)17
b(example,)e(a)i(sa)o(vings)g(dep)q(osit)g(transaction)h(is)f(a)g(pro)q
(cedure)0 1700 y(that)12 b(up)q(dates)g(a)g(sa)o(vings)f(database)i(and)f
(transaction)g(\014le.)19 b(A)11 b(transaction)h(ma)o(y)e(also)i(b)q(e)f
(quite)g(general,)0 1760 y(e.g.)30 b(\\read)20 b(sa)o(vings)f(\014le".)30
b(Note)19 b(ho)o(w)o(ev)o(er,)f(that)i(\\read")g(is)f(not)h(a)g(transaction)g
(in)f(the)g(sense)g(used)0 1820 y(here,)c(b)q(ecause)i(the)f(read)g(is)g(not)
h(b)q(ound)g(to)g(a)f(particular)g(data)h(item,)d(as)j(\\read)g(sa)o(vings)f
(\014le")g(is.)150 1880 y(The)21 b(imp)q(ortance)f(of)i(con)o(trol)f(o)o(v)o
(er)f(transactions,)j(as)f(opp)q(osed)g(to)g(simple)d(read)i(and)h(write)0
1941 y(access,)j(can)f(b)q(e)g(seen)g(b)o(y)f(considering)h(t)o(ypical)e
(banking)i(transactions.)45 b(T)l(ellers)23 b(ma)o(y)f(execute)h(a)0
2001 y(sa)o(vings)14 b(dep)q(osit)g(transaction,)g(requiring)f(read)g(and)h
(write)f(access)h(to)g(sp)q(eci\014c)f(\014elds)g(within)g(a)h(sa)o(vings)0
2061 y(\014le)j(and)i(a)f(transaction)g(log)h(\014le.)25 b(An)17
b(accoun)o(ting)h(sup)q(ervisor)g(ma)o(y)f(b)q(e)h(able)f(to)h(execute)f
(correction)0 2121 y(transactions,)f(requiring)e(exactly)f(the)i(same)f(read)
h(and)g(write)f(access)h(to)g(the)g(same)f(\014les)g(as)h(the)g(teller.)0
2181 y(The)h(di\013erence)f(is)h(the)g(pro)q(cess)h(executed)e(and)i(the)f(v)
m(alues)g(written)g(to)h(the)f(transaction)h(log)f(\014le.)150
2242 y(The)k(applicabilit)o(y)d(of)j(RBA)o(C)f(to)h(commerc)o(ial)c(systems)j
(is)g(apparen)o(t)h(from)f(its)g(widespread)0 2302 y(use.)i(Baldwin)14
b([9])g(describ)q(es)g(a)h(database)h(system)d(using)i(roles)f(to)h(con)o
(trol)f(access.)21 b(Nash)15 b(and)g(P)o(oland)0 2362 y([10])i(discuss)f(the)
h(application)f(of)h(role)g(based)g(access)g(con)o(trol)f(to)h(cryptographic)
g(authen)o(tication)f(de-)0 2422 y(vices)g(commonly)e(used)j(in)g(the)g
(banking)g(industry)l(.)23 b(W)l(orking)18 b(with)f(industry)f(groups,)i(the)
f(National)0 2482 y(Institute)j(of)g(Standards)i(and)f(T)l(ec)o(hnology)f
(has)i(dev)o(elop)q(ed)d(a)i(prop)q(osed)h(standard,)g(\\Securit)o(y)d(Re-)0
2543 y(quiremen)o(ts)e(for)i(Cryptographic)h(Mo)q(dules,")g(\(F)l(ederal)e
(Information)h(Pro)q(cessing)h(Standard)g(140-1\))0 2603 y([11])d(that)h
(will)e(require)g(supp)q(ort)i(for)g(access)f(con)o(trol)g(and)h
(administration)e(through)i(roles.)24 b(T)l(o)18 b(date,)0
2663 y(these)h(role)f(based)i(systems)e(ha)o(v)o(e)g(b)q(een)h(dev)o(elop)q
(ed)f(b)o(y)h(a)h(v)m(ariet)o(y)e(of)h(organizations,)h(with)f(no)h(com-)963
2828 y(4)p eop
%%Page: 5 5
bop 273 154 a
 22168453 13156352 0 0 22168453 13156352 startTexFig
273 154 a
%%BeginDocument: fig1.eps
/$F2psDict 200 dict def
$F2psDict begin
$F2psDict /mtrx matrix put
/col-1 {} def
/col0 {0.000 0.000 0.000 srgb} bind def
/col1 {0.000 0.000 1.000 srgb} bind def
/col2 {0.000 1.000 0.000 srgb} bind def
/col3 {0.000 1.000 1.000 srgb} bind def
/col4 {1.000 0.000 0.000 srgb} bind def
/col5 {1.000 0.000 1.000 srgb} bind def
/col6 {1.000 1.000 0.000 srgb} bind def
/col7 {1.000 1.000 1.000 srgb} bind def
/col8 {0.000 0.000 0.560 srgb} bind def
/col9 {0.000 0.000 0.690 srgb} bind def
/col10 {0.000 0.000 0.820 srgb} bind def
/col11 {0.530 0.810 1.000 srgb} bind def
/col12 {0.000 0.560 0.000 srgb} bind def
/col13 {0.000 0.690 0.000 srgb} bind def
/col14 {0.000 0.820 0.000 srgb} bind def
/col15 {0.000 0.560 0.560 srgb} bind def
/col16 {0.000 0.690 0.690 srgb} bind def
/col17 {0.000 0.820 0.820 srgb} bind def
/col18 {0.560 0.000 0.000 srgb} bind def
/col19 {0.690 0.000 0.000 srgb} bind def
/col20 {0.820 0.000 0.000 srgb} bind def
/col21 {0.560 0.000 0.560 srgb} bind def
/col22 {0.690 0.000 0.690 srgb} bind def
/col23 {0.820 0.000 0.820 srgb} bind def
/col24 {0.500 0.190 0.000 srgb} bind def
/col25 {0.630 0.250 0.000 srgb} bind def
/col26 {0.750 0.380 0.000 srgb} bind def
/col27 {1.000 0.500 0.500 srgb} bind def
/col28 {1.000 0.630 0.630 srgb} bind def
/col29 {1.000 0.750 0.750 srgb} bind def
/col30 {1.000 0.880 0.880 srgb} bind def
/col31 {1.000 0.840 0.000 srgb} bind def

end
save
-35.0 235.0 translate
1 -1 scale

/clp {closepath} bind def
/ef {eofill} bind def
/gr {grestore} bind def
/gs {gsave} bind def
/l {lineto} bind def
/m {moveto} bind def
/n {newpath} bind def
/s {stroke} bind def
/slc {setlinecap} bind def
/slj {setlinejoin} bind def
/slw {setlinewidth} bind def
/srgb {setrgbcolor} bind def
/rot {rotate} bind def
/sc {scale} bind def
/tr {translate} bind def
/tnt {dup dup currentrgbcolor
  4 -2 roll dup 1 exch sub 3 -1 roll mul add
  4 -2 roll dup 1 exch sub 3 -1 roll mul add
  4 -2 roll dup 1 exch sub 3 -1 roll mul add srgb}
  bind def
/shd {dup dup currentrgbcolor 4 -2 roll mul 4 -2 roll mul
  4 -2 roll mul srgb} bind def
/$F2psBegin {$F2psDict begin /$F2psEnteredState save def} def
/$F2psEnd {$F2psEnteredState restore end} def

$F2psBegin
10 setmiterlimit
 0.06000 0.06000 sc
7.500 slw
n 600 600 m 1800 600 l  1800 1500 l  600 1500 l  clp  gs col-1 s gr 
n 2505 1800 m 2400 1800 2400 2595 105 arcto 4 {pop} repeat 2400 2700 3495 2700 105 arcto 4 {pop} repeat 3600 2700 3600 1905 105 arcto 4 {pop} repeat 3600 1800 2505 1800 105 arcto 4 {pop} repeat clp  gs col-1 s gr 
n 600 3000 m 1800 3000 l  1800 3900 l  600 3900 l  clp  gs col-1 s gr 
n 1800 1200 m 2400 1800 l  gs col-1 s gr 
n 1863.64 1306.07 m 1800.00 1200.00 l 1906.07 1263.64 l  1885.35 1285.35 l 1863.64 1306.07 l clp gs 0.00 setgray ef gr gs col-1 s gr
n 1800 3300 m 2400 2700 l  gs col-1 s gr 
n 1906.07 3236.36 m 1800.00 3300.00 l 1863.64 3193.93 l  1885.35 3215.65 l 1906.07 3236.36 l clp gs 0.00 setgray ef gr gs col-1 s gr
n 3615 2100 m 5700 900 l  gs col-1 s gr 
n 3733.97 2066.14 m 3615.00 2100.00 l 3704.04 2014.14 l  3719.50 2040.64 l 3733.97 2066.14 l clp gs 0.00 setgray ef gr gs col-1 s gr
n 3615 2385 m 5700 3585 l  gs col-1 s gr 
n 3704.04 2470.86 m 3615.00 2385.00 l 3733.97 2418.86 l  3719.50 2445.36 l 3704.04 2470.86 l clp gs 0.00 setgray ef gr gs col-1 s gr
n 3615 2280 m 5685 2280 l  gs col-1 s gr 
n 3735.00 2310.00 m 3615.00 2280.00 l 3735.00 2250.00 l  3735.50 2280.50 l 3735.00 2310.00 l clp gs 0.00 setgray ef gr gs col-1 s gr
/Times-Roman findfont 180.00 scalefont setfont
900 1200 m
gs 1 -1 sc (Object 1) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
900 3600 m
gs 1 -1 sc (Object 2) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
5700 900 m
gs 1 -1 sc (User 4) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
5700 2400 m
gs 1 -1 sc (User 5) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
5700 3600 m
gs 1 -1 sc (User 6) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
4500 2100 m
gs 1 -1 sc (member_of) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
4800 3000 m
gs 1 -1 sc (member_of) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
4500 1200 m
gs 1 -1 sc (member_of) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
2100 1500 m
gs 1 -1 sc (trans_a) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
2100 3300 m
gs 1 -1 sc (trans_b) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
2700 2400 m
gs 1 -1 sc (Role 1) col-1 show gr
$F2psEnd
restore
%%EndDocument
 273 154 a
 endTexFig
661 1089 a Fc(Figure)16 b(1:)22 b(Role)16 b(Relationships)0
1219 y(monly)d(agreed)j(up)q(on)g(de\014nition)e(or)i(recognition)e(in)h
(formal)f(standards.)22 b(Role)15 b(based)g(access)g(con)o(trols)0
1280 y(describ)q(ed)i(in)g(this)g(pap)q(er)h(address)g(securit)o(y)e
(primarily)f(for)i(application-lev)o(el)f(systems,)g(as)i(opp)q(osed)0
1340 y(to)f(general)f(purp)q(ose)h(op)q(erating)g(systems.)0
1505 y Fd(3)83 b(F)-7 b(ormal)25 b(Description)i(of)h(RBA)n(C)0
1615 y Fc(T)l(o)15 b(clarify)f(the)g(notions)i(presen)o(ted)e(in)g(the)h
(previous)f(section,)h(w)o(e)f(giv)o(e)g(a)h(simple)e(formal)g(description,)0
1675 y(in)19 b(terms)g(of)h(sets)f(and)i(relations,)f(of)g(role)f(based)h
(access)g(con)o(trol.)31 b(No)20 b(particular)f(implem)o(en)o(tation)0
1735 y(mec)o(hanism)13 b(is)j(implied.)0 1842 y(F)l(or)g(eac)o(h)g(sub)s
(ject,)f(the)h(activ)o(e)f(role)h(is)g(the)g(one)h(that)f(the)g(sub)s(ject)g
(is)g(curren)o(tly)f(using:)150 1902 y Fb(AR)p Fc(\()p Fb(s)f
Fc(:)f Fb(subj)s(ect)p Fc(\))i(=)h Fa(f)h Fc(the)f(activ)o(e)e(role)i(for)h
(sub)s(ject)e Fb(s)i Fa(g)0 1962 y Fc(Eac)o(h)f(sub)s(ject)g(ma)o(y)f(b)q(e)h
(authorized)g(to)h(p)q(erform)e(one)h(or)h(more)e(roles:)150
2022 y Fb(RA)p Fc(\()p Fb(s)f Fc(:)f Fb(subj)s(ect)p Fc(\))i(=)h
Fa(f)p Fc(authorized)g(fo)q(els)h(for)f(sub)s(ject)g Fb(s)g
Fa(g)0 2082 y Fc(Eac)o(h)g(role)g(ma)o(y)f(b)q(e)h(authorized)g(to)h(p)q
(erform)e(one)i(or)f(more)f(transactions:)150 2143 y Fb(T)7
b(A)p Fc(\()p Fa(f)p Fb(r)14 b Fc(:)f Fb(r)q(ol)q(e)p Fa(g)p
Fc(\))k(=)f Fa(f)p Fc(transactions)h(authorized)f(for)h(role)e
Fb(r)j Fa(g)0 2203 y Fc(Sub)s(jects)f(ma)o(y)f(execute)g(transactions.)27
b(The)18 b(predicate)e(exec\(s,t\))h(is)g(true)g(if)h(sub)s(ject)f(s)h(can)f
(execute)0 2263 y(transaction)g(t)f(at)h(the)f(curren)o(t)f(time,)f
(otherwise)i(it)g(is)g(false:)150 2323 y Fb(exec)p Fc(\()p
Fb(s)d Fc(:)g Fb(subj)s(ect;)8 b(t)k Fc(:)h Fb(tr)q(an)p Fc(\))j(=)h(true)e
(i\013)i(sub)s(ject)e Fb(s)i Fc(can)f(execute)f(transaction)i
Fb(t)p Fc(.)0 2430 y(Three)f(basic)g(rules)g(are)g(required:)0
2536 y(1.)23 b(Role)16 b(assignmen)o(t:)21 b(A)c(sub)s(ject)f(can)h(execute)e
(a)i(transaction)h(only)e(if)g(the)h(sub)s(ject)f(has)h(selected)f(or)0
2596 y(b)q(een)g(assigned)h(a)g(role:)150 2704 y Fa(8)p Fb(s)12
b Fc(:)i Fb(subj)s(ect;)8 b(t)k Fc(:)h Fb(tr)q(an)p Fc(\()p
Fb(exec)p Fc(\()p Fb(s;)8 b(t)p Fc(\))k Fa(\))i Fb(AR)p Fc(\()p
Fb(s)p Fc(\))f Fa(6)p Fc(=)h Fa(;)p Fc(\))779 b(\(1\))963 2828
y(5)p eop
%%Page: 6 6
bop 0 195 a Fc(The)20 b(iden)o(ti\014cation)f(and)h(authen)o(tication)g(pro)q
(cess)g(\(e.g.)32 b(login\))20 b(is)g(not)g(considered)f(a)i(transaction.)0
255 y(All)16 b(other)h(user)g(activities)e(on)i(the)g(system)f(are)h
(conducted)f(through)i(transactions.)25 b(Th)o(us)17 b(all)f(activ)o(e)0
315 y(users)g(are)h(required)e(to)h(ha)o(v)o(e)g(some)f(activ)o(e)g(role.)0
425 y(2.)22 b(Role)15 b(authorization:)22 b(A)16 b(sub)s(ject's)f(activ)o(e)g
(role)h(m)o(ust)f(b)q(e)h(authorized)h(for)f(the)g(sub)s(ject:)150
540 y Fa(8)p Fb(s)c Fc(:)i Fb(subj)s(ect)p Fc(\()p Fb(AR)p
Fc(\()p Fb(s)p Fc(\))e Fa(\022)i Fb(RA)p Fc(\()p Fb(s)p Fc(\)\))1116
b(\(2\))0 654 y(With)24 b(\(1\))g(ab)q(o)o(v)o(e,)i(this)e(rule)g(ensures)g
(that)g(users)h(can)f(tak)o(e)g(on)g(only)g(roles)g(for)h(whic)o(h)e(they)h
(are)0 714 y(authorized.)0 824 y(3.)e(T)l(ransaction)17 b(authorization:)k(A)
16 b(sub)s(ject)f(can)h(execute)f(a)h(transaction)h(only)f(if)g(the)f
(transaction)i(is)0 884 y(authorized)f(for)h(the)f(sub)s(ject's)f(activ)o(e)g
(role:)150 998 y Fa(8)p Fb(s)d Fc(:)i Fb(subj)s(ect;)8 b(t)k
Fc(:)h Fb(tr)q(an)p Fc(\()p Fb(exec)p Fc(\()p Fb(s;)8 b(t)p
Fc(\))k Fa(\))i Fb(t)f Fa(2)h Fb(T)7 b(A)p Fc(\()p Fb(RA)p
Fc(\()p Fb(s)p Fc(\)\)\))680 b(\(3\))0 1112 y(With)17 b(\(1\))g(and)h(\(2\),)
f(this)g(rule)g(ensures)g(that)g(users)h(can)f(execute)f(only)h(transactions)
h(for)f(whic)o(h)g(they)0 1173 y(are)12 b(authorized.)20 b(Note)12
b(that,)i(b)q(ecause)e(the)g(conditional)h(is)f(\\only)g(if)s(",)h(this)g
(rule)e(allo)o(ws)i(the)f(p)q(ossibilit)o(y)0 1233 y(that)18
b(additional)f(restrictions)g(ma)o(y)f(b)q(e)i(placed)e(on)i(transaction)h
(execution.)k(That)18 b(is,)f(the)h(rule)e(do)q(es)0 1293 y(not)21
b(guaran)o(tee)h(a)f(transaction)h(to)f(b)q(e)g(executable)f(just)h(b)q
(ecause)g(it)g(is)g(in)f Fb(T)7 b(A)p Fc(\()p Fb(AR)p Fc(\()p
Fb(s)p Fc(\)\),)21 b(the)g(set)g(of)0 1353 y(transactions)16
b(p)q(oten)o(tially)e(executable)g(b)o(y)h(the)g(sub)s(ject's)f(activ)o(e)g
(role.)21 b(F)l(or)15 b(example,)e(a)j(trainee)e(for)i(a)0
1413 y(sup)q(ervisory)i(role)g(ma)o(y)e(b)q(e)j(assigned)f(the)g(role)g(of)g
(\\Sup)q(ervisor",)h(but)f(ha)o(v)o(e)g(restrictions)f(applied)h(to)0
1474 y(his)g(or)g(her)f(user)h(role)f(that)h(limit)d(accessible)h
(transactions)j(to)f(a)g(subset)g(of)g(those)g(normally)e(allo)o(w)o(ed)0
1534 y(for)h(the)f(Sup)q(ervisor)g(role.)150 1594 y(In)h(the)f(preceding)g
(discussion,)h(a)h(transaction)f(has)h(b)q(een)f(de\014ned)g(as)g(a)g
(transformation)g(pro-)0 1654 y(cedure,)d(plus)h(a)g(set)g(of)g(data)h(items)
d(accessed)h(b)o(y)h(the)f(transformation)h(pro)q(cedure.)21
b(Access)14 b(con)o(trol)g(in)0 1714 y(the)h(rules)f(ab)q(o)o(v)o(e)h(do)q
(es)g(not)g(require)f(an)o(y)h(c)o(hec)o(ks)e(on)i(the)g(user's)f(righ)o(t)h
(to)g(access)f(a)i(data)f(ob)s(ject,)f(or)i(on)0 1775 y(the)g(transformation)
g(pro)q(cedure's)f(righ)o(t)h(to)g(access)g(a)g(data)h(item,)c(since)j(the)f
(data)i(accesses)f(are)g(built)0 1835 y(in)o(to)j(the)h(transaction.)32
b(Securit)o(y)19 b(issues)g(are)h(addressed)g(b)o(y)g(binding)f(op)q
(erations)i(and)g(data)f(in)o(to)g(a)0 1895 y(transaction)c(at)g(design)g
(time,)d(suc)o(h)j(as)g(when)g(priv)m(acy)f(issues)h(are)g(addressed)g(in)f
(an)h(insurance)g(query)0 1955 y(transaction.)150 2015 y(It)f(is)g(also)h(p)q
(ossible)f(to)h(rede\014ne)f(the)g(meaning)f(of)h(\\transaction")i(in)e(the)g
(ab)q(o)o(v)o(e)g(rules)g(to)h(refer)0 2076 y(only)i(to)i(the)e
(transformation)h(pro)q(cedure,)f(without)h(including)f(a)h(binding)g(to)g
(ob)s(jects.)28 b(This)19 b(w)o(ould)0 2136 y(require)g(a)j(fourth)f(rule)f
(to)h(enforce)f(con)o(trol)h(o)o(v)o(er)f(the)g(mo)q(des)g(in)h(whic)o(h)f
(users)h(can)g(access)f(ob)s(jects)0 2196 y(through)d(transaction)g
(programs.)22 b(F)l(or)16 b(example,)e(a)i(fourth)h(rule)e(suc)o(h)h(as)150
2310 y Fa(8)p Fb(s)c Fc(:)i Fb(subj)s(ect;)8 b(t)k Fc(:)h Fb(tr)q(an;)8
b(o)14 b Fc(:)f Fb(obj)s(ect)p Fc(\()p Fb(exec)p Fc(\()p Fb(s;)8
b(t)p Fc(\))k Fa(\))i Fb(access)p Fc(\()p Fb(AR)p Fc(\()p Fb(s)p
Fc(\))p Fb(;)8 b(t;)g(o;)g(x)p Fc(\)\))344 b(\(4\))0 2424 y(could)13
b(b)q(e)g(de\014ned)g(using)h(a)f(transaction)h(\(rede\014ned)e(to)i
(transformation)f(pro)q(cedure\))g(to)h(ob)s(ject)e(access)0
2484 y(function)17 b Fb(access)p Fc(\()p Fb(r)o(;)8 b(i;)g(o;)g(x)p
Fc(\))15 b(whic)o(h)i(indicates)g(if)f(it)h(is)g(p)q(ermissible)e(for)j(a)g
(sub)s(ject)e(in)h(role)g(r)g(to)h(access)0 2545 y(ob)s(ject)12
b(o)i(in)f(mo)q(de)f(x)h(using)g(transaction)h(t,)f(where)g(x)g(is)f(tak)o
(en)h(from)f(some)g(set)h(of)g(mo)q(des)g(suc)o(h)g(as)g(read,)0
2605 y(write,)19 b(app)q(end.)30 b(Note)19 b(that)g(the)g(Clark-Wilson)g
(access)g(con)o(trol)g(triple)f(could)h(b)q(e)g(implem)o(en)o(te)o(d)e(b)o(y)
0 2665 y(letting)e(the)h(mo)q(des)f(x)h(b)q(e)g(the)g(access)g(mo)q(des)f
(required)g(b)o(y)h(transaction)g(t,)g(and)g(ha)o(ving)g(a)h(one-to-one)963
2828 y(6)p eop
%%Page: 7 7
bop 0 195 a Fc(relationship)19 b(b)q(et)o(w)o(een)g(sub)s(jects)g(and)i
(roles.)31 b(RBA)o(C,)18 b(as)j(presen)o(ted)e(in)g(this)h(pap)q(er,)g(th)o
(us)g(includes)0 255 y(Clark)c(and)h(Wilson)f(access)g(con)o(trol)g(as)h(a)g
(sp)q(ecial)f(case.)150 315 y(Use)j(of)g(this)h(fourth)f(rule)g(migh)o(t)f(b)
q(e)h(appropriate,)i(for)e(example,)f(in)h(a)g(hospital)h(setting.)30
b(A)0 376 y(do)q(ctor)22 b(could)f(b)q(e)g(pro)o(vided)f(with)h(read/write)g
(access)g(to)g(a)h(prescription)e(\014le,)h(while)f(the)h(hospital)0
436 y(pharmacist)i(migh)o(t)f(ha)o(v)o(e)h(only)g(read)h(access.)43
b(\(Recall)23 b(that)h(use)f(of)h(the)g(\014rst)g(three)f(rules)g(alone)0
496 y(requires)d(binding)i(the)f(transaction)h(program)g(t)f(and)h(data)h(ob)
s(jects)e(that)h(t)f(can)h(access,)g(and)g(only)0 556 y(con)o(trols)c(access)
f(to)i(the)e(transactions.\))27 b(This)18 b(alternativ)o(e)e(approac)o(h)j
(using)f(the)f(fourth)i(rule)e(migh)o(t)0 616 y(b)q(e)f(helpful)g(in)g
(enforcing)g(con\014den)o(tialit)o(y)e(requiremen)o(ts.)150
677 y(Another)i(use)g(of)g(RBA)o(C)f(is)h(to)h(supp)q(ort)g(in)o(tegrit)o(y)l
(.)j(In)o(tegrit)o(y)14 b(has)j(b)q(een)f(de\014ned)g(in)g(a)g(v)m(ariet)o(y)
0 737 y(of)f(w)o(a)o(ys,)g(but)g(one)h(asp)q(ect)f([8])g(of)g(in)o(tegrit)o
(y)e(is)i(a)g(requiremen)o(t)d(that)k(data)g(and)f(pro)q(cesses)h(b)q(e)f(mo)
q(di\014ed)0 797 y(only)d(in)g(authorized)g(w)o(a)o(ys)h(b)o(y)f(authorized)g
(users.)20 b(This)12 b(seems)f(to)i(b)q(e)f(a)h(reasonable)g(securit)o(y)e
(ob)s(jectiv)o(e)0 857 y(for)17 b(man)o(y)d(real)i(systems,)f(and)i(RBA)o(C)e
(should)h(b)q(e)h(applicable)e(to)i(suc)o(h)f(systems.)150
917 y(In)23 b(general,)h(the)f(problem)f(of)h(determining)e(whether)i(data)h
(ha)o(v)o(e)e(b)q(een)h(mo)q(di\014ed)f(only)h(in)0 978 y(authorized)c(w)o(a)
o(ys)g(can)g(b)q(e)h(as)f(complex)e(as)j(the)f(transaction)h(that)f(did)g
(the)g(mo)q(di\014cation.)29 b(F)l(or)19 b(this)0 1038 y(reason,)d(the)f
(practical)g(approac)o(h)h(is)f(for)h(transactions)g(to)g(b)q(e)g
(certi\014ed)e(and)i(trusted.)21 b(If)15 b(transactions)0 1098
y(m)o(ust)23 b(b)q(e)h(trusted)g(then)g(access)g(con)o(trol)g(can)h(b)q(e)f
(incorp)q(orated)h(directly)d(in)o(to)i(eac)o(h)g(transaction.)0
1158 y(Requiring)13 b(the)g(system)f(to)i(con)o(trol)f(access)g(of)h
(transaction)h(programs)e(to)h(ob)s(jects)f(through)i(the)e(access)0
1218 y(function)20 b(used)f(in)h(rule)f(\(4\))h(migh)o(t)e(then)i(b)q(e)f(a)i
(useful)e(form)g(of)h(redundancy)l(,)g(but)f(it)h(could)f(in)o(v)o(olv)o(e)0
1279 y(signi\014can)o(t)k(o)o(v)o(erhead)f(for)h(a)h(limited)c(b)q(ene\014t)j
(in)f(enforcing)h(in)o(tegrit)o(y)e(requiremen)o(ts.)39 b(Therefore,)0
1339 y(inclusion)22 b(of)g(a)h(transaction)g(to)g(ob)s(ject)f(access)g(con)o
(trol)g(function)g(in)g(RBA)o(C)g(w)o(ould)g(b)q(e)g(useful)g(in)0
1399 y(some,)15 b(but)h(not)h(all)f(applications.)0 1565 y
Fd(4)83 b(Cen)n(trally)26 b(Administerin)o(g)f(Securit)n(y)h(Using)h(RBA)n(C)
0 1675 y Fc(RBA)o(C)15 b(is)h(\015exible)e(in)i(that)g(it)g(can)g(tak)o(e)f
(on)i(organizational)g(c)o(haracteristics)e(in)g(terms)g(of)h(p)q(olicy)f
(and)0 1735 y(structure.)21 b(One)16 b(of)g(RBA)o(C's)f(greatest)i(virtues)e
(is)h(the)g(administrativ)o(e)e(capabilities)h(it)h(supp)q(orts.)150
1795 y(Once)i(the)g(transactions)i(of)e(a)h(Role)f(are)h(established)f
(within)g(a)h(system,)e(these)h(transactions)0 1855 y(tend)23
b(to)g(remain)e(relativ)o(ely)g(constan)o(t)i(or)h(c)o(hange)f(slo)o(wly)f(o)
o(v)o(er)g(time.)39 b(The)23 b(administrativ)o(e)e(task)0 1916
y(consists)i(of)f(gran)o(ting)h(and)f(rev)o(oking)g(mem)n(b)q(ership)e(to)i
(the)g(set)g(of)h(sp)q(eci\014ed)e(named)h(roles)g(within)0
1976 y(the)d(system.)30 b(When)20 b(a)g(new)g(p)q(erson)g(en)o(ters)f(the)h
(organization,)h(the)e(administrator)g(simply)e(gran)o(ts)0
2036 y(mem)o(b)q(ership)c(to)j(an)h(existing)e(role.)21 b(When)16
b(a)h(p)q(erson's)g(function)f(c)o(hanges)g(within)g(the)g(organization,)0
2096 y(the)c(user)g(mem)o(b)q(ership)d(to)j(his)g(existing)g(roles)g(can)g(b)
q(e)g(easily)f(deleted)g(and)i(new)f(ones)h(gran)o(ted.)20
b(Finally)l(,)0 2156 y(when)h(a)h(p)q(erson)g(lea)o(v)o(es)e(the)h
(organization,)i(all)e(mem)o(b)q(erships)e(to)i(all)g(Roles)g(are)h(deleted.)
35 b(F)l(or)22 b(an)0 2217 y(organization)e(that)f(exp)q(eriences)f(a)h
(large)g(turno)o(v)o(er)g(of)g(p)q(ersonnel,)g(a)h(role-based)f(securit)o(y)f
(p)q(olicy)g(is)0 2277 y(the)e(only)g(logical)g(c)o(hoice.)150
2337 y(In)g(addition,)g(roles)h(can)g(b)q(e)f(comp)q(osed)g(of)h(roles.)22
b(F)l(or)17 b(example,)d(a)i(Healer)g(within)g(a)h(hospital)0
2397 y(can)j(b)q(e)f(comp)q(osed)g(of)h(the)f(roles)g(Healer,)g(In)o(tern,)g
(and)h(Do)q(ctor.)31 b(Figure)19 b(2)h(depicts)f(an)h(example)d(of)0
2457 y(suc)o(h)f(a)h(relationship.)150 2518 y(By)22 b(gran)o(ting)h(mem)o(b)q
(ership)d(to)j(the)f(Role)h(Do)q(ctor,)i(it)d(implies)e(access)j(to)g(all)f
(transactions)0 2578 y(de\014ned)16 b(b)o(y)h(In)o(tern)e(and)j(Healer,)d(as)
i(w)o(ell)e(as)j(those)f(of)g(a)g(Do)q(ctor.)23 b(On)17 b(the)g(other)f
(hand,)h(b)o(y)g(gran)o(ting)0 2638 y(mem)o(b)q(ership)g(to)j(the)g(In)o
(tern)f(role,)h(this)g(implies)e(transactions)j(of)f(the)g(In)o(tern)f(and)i
(Healer)e(not)h(the)963 2828 y(7)p eop
%%Page: 8 8
bop 423 544 a
 17432166 26181140 0 0 17432166 26181140 startTexFig
423 544 a
%%BeginDocument: fig2.eps
/$F2psDict 200 dict def
$F2psDict begin
$F2psDict /mtrx matrix put
/col-1 {} def
/col0 {0.000 0.000 0.000 srgb} bind def
/col1 {0.000 0.000 1.000 srgb} bind def
/col2 {0.000 1.000 0.000 srgb} bind def
/col3 {0.000 1.000 1.000 srgb} bind def
/col4 {1.000 0.000 0.000 srgb} bind def
/col5 {1.000 0.000 1.000 srgb} bind def
/col6 {1.000 1.000 0.000 srgb} bind def
/col7 {1.000 1.000 1.000 srgb} bind def
/col8 {0.000 0.000 0.560 srgb} bind def
/col9 {0.000 0.000 0.690 srgb} bind def
/col10 {0.000 0.000 0.820 srgb} bind def
/col11 {0.530 0.810 1.000 srgb} bind def
/col12 {0.000 0.560 0.000 srgb} bind def
/col13 {0.000 0.690 0.000 srgb} bind def
/col14 {0.000 0.820 0.000 srgb} bind def
/col15 {0.000 0.560 0.560 srgb} bind def
/col16 {0.000 0.690 0.690 srgb} bind def
/col17 {0.000 0.820 0.820 srgb} bind def
/col18 {0.560 0.000 0.000 srgb} bind def
/col19 {0.690 0.000 0.000 srgb} bind def
/col20 {0.820 0.000 0.000 srgb} bind def
/col21 {0.560 0.000 0.560 srgb} bind def
/col22 {0.690 0.000 0.690 srgb} bind def
/col23 {0.820 0.000 0.820 srgb} bind def
/col24 {0.500 0.190 0.000 srgb} bind def
/col25 {0.630 0.250 0.000 srgb} bind def
/col26 {0.750 0.380 0.000 srgb} bind def
/col27 {1.000 0.500 0.500 srgb} bind def
/col28 {1.000 0.630 0.630 srgb} bind def
/col29 {1.000 0.750 0.750 srgb} bind def
/col30 {1.000 0.880 0.880 srgb} bind def
/col31 {1.000 0.840 0.000 srgb} bind def

end
save
-35.0 433.0 translate
1 -1 scale

/clp {closepath} bind def
/ef {eofill} bind def
/gr {grestore} bind def
/gs {gsave} bind def
/l {lineto} bind def
/m {moveto} bind def
/n {newpath} bind def
/s {stroke} bind def
/slc {setlinecap} bind def
/slj {setlinejoin} bind def
/slw {setlinewidth} bind def
/srgb {setrgbcolor} bind def
/rot {rotate} bind def
/sc {scale} bind def
/tr {translate} bind def
/tnt {dup dup currentrgbcolor
  4 -2 roll dup 1 exch sub 3 -1 roll mul add
  4 -2 roll dup 1 exch sub 3 -1 roll mul add
  4 -2 roll dup 1 exch sub 3 -1 roll mul add srgb}
  bind def
/shd {dup dup currentrgbcolor 4 -2 roll mul 4 -2 roll mul
  4 -2 roll mul srgb} bind def
/$F2psBegin {$F2psDict begin /$F2psEnteredState save def} def
/$F2psEnd {$F2psEnteredState restore end} def

$F2psBegin
10 setmiterlimit
 0.06000 0.06000 sc
7.500 slw
n 600 600 m 1500 600 l  1500 1200 l  600 1200 l  clp  gs col-1 s gr 
n 600 1800 m 1500 1800 l  1500 2400 l  600 2400 l  clp  gs col-1 s gr 
n 600 3000 m 1500 3000 l  1500 3600 l  600 3600 l  clp  gs col-1 s gr 
n 600 4200 m 1500 4200 l  1500 4800 l  600 4800 l  clp  gs col-1 s gr 
n 600 5400 m 1500 5400 l  1500 6000 l  600 6000 l  clp  gs col-1 s gr 
n 600 6600 m 1500 6600 l  1500 7200 l  600 7200 l  clp  gs col-1 s gr 
n 2505 1200 m 2400 1200 2400 1695 105 arcto 4 {pop} repeat 2400 1800 3195 1800 105 arcto 4 {pop} repeat 3300 1800 3300 1305 105 arcto 4 {pop} repeat 3300 1200 2505 1200 105 arcto 4 {pop} repeat clp  gs col-1 s gr 
n 2505 3600 m 2400 3600 2400 4095 105 arcto 4 {pop} repeat 2400 4200 3195 4200 105 arcto 4 {pop} repeat 3300 4200 3300 3705 105 arcto 4 {pop} repeat 3300 3600 2505 3600 105 arcto 4 {pop} repeat clp  gs col-1 s gr 
n 2505 6000 m 2400 6000 2400 6495 105 arcto 4 {pop} repeat 2400 6600 3195 6600 105 arcto 4 {pop} repeat 3300 6600 3300 6105 105 arcto 4 {pop} repeat 3300 6000 2505 6000 105 arcto 4 {pop} repeat clp  gs col-1 s gr 
n 1500 900 m 2400 1200 l  gs col-1 s gr 
n 1604.36 966.41 m 1500.00 900.00 l 1623.33 909.49 l gs col-1 s gr
n 1500 2100 m 2400 1800 l  gs col-1 s gr 
n 1623.33 2090.51 m 1500.00 2100.00 l 1604.36 2033.59 l gs col-1 s gr
n 1500 3300 m 2400 3600 l  gs col-1 s gr 
n 1604.36 3366.41 m 1500.00 3300.00 l 1623.33 3309.49 l gs col-1 s gr
n 1500 4500 m 2400 4200 l  gs col-1 s gr 
n 1623.33 4490.51 m 1500.00 4500.00 l 1604.36 4433.59 l gs col-1 s gr
n 1500 5700 m 2400 6000 l  gs col-1 s gr 
n 1604.36 5766.41 m 1500.00 5700.00 l 1623.33 5709.49 l gs col-1 s gr
n 1500 6900 m 2400 6600 l  gs col-1 s gr 
n 1623.33 6890.51 m 1500.00 6900.00 l 1604.36 6833.59 l gs col-1 s gr
n 3300 1200 m 4500 900 l  gs col-1 s gr 
n 3423.69 1200.00 m 3300.00 1200.00 l 3409.14 1141.79 l gs col-1 s gr
n 3300 1500 m 4500 1500 l  gs col-1 s gr 
n 3420.00 1530.00 m 3300.00 1500.00 l 3420.00 1470.00 l gs col-1 s gr
n 3300 1800 m 4500 2100 l  gs col-1 s gr 
n 3409.14 1858.21 m 3300.00 1800.00 l 3423.69 1800.00 l gs col-1 s gr
n 3300 3600 m 4500 3300 l  gs col-1 s gr 
n 3423.69 3600.00 m 3300.00 3600.00 l 3409.14 3541.79 l gs col-1 s gr
n 3300 3900 m 4500 3900 l  gs col-1 s gr 
n 3420.00 3930.00 m 3300.00 3900.00 l 3420.00 3870.00 l gs col-1 s gr
n 3300 4200 m 4500 4500 l  gs col-1 s gr 
n 3409.14 4258.21 m 3300.00 4200.00 l 3423.69 4200.00 l gs col-1 s gr
n 3300 6000 m 4500 5700 l  gs col-1 s gr 
n 3423.69 6000.00 m 3300.00 6000.00 l 3409.14 5941.79 l gs col-1 s gr
n 3300 6300 m 4500 6300 l  gs col-1 s gr 
n 3420.00 6330.00 m 3300.00 6300.00 l 3420.00 6270.00 l gs col-1 s gr
n 3300 6600 m 4500 6900 l  gs col-1 s gr 
n 3409.14 6658.21 m 3300.00 6600.00 l 3423.69 6600.00 l gs col-1 s gr
n 2835 4215 m 2835 6000 l  gs col-1 s gr 
n 2805.00 4335.00 m 2835.00 4215.00 l 2865.00 4335.00 l gs col-1 s gr
n 2835 1800 m 2835 3615 l  gs col-1 s gr 
n 2805.00 1920.00 m 2835.00 1800.00 l 2865.00 1920.00 l gs col-1 s gr
/Times-Roman findfont 180.00 scalefont setfont
750 900 m
gs 1 -1 sc (Object 1) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
750 2100 m
gs 1 -1 sc (Object 2) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
750 3300 m
gs 1 -1 sc (Object 3) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
750 4500 m
gs 1 -1 sc (Object 4) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
750 5700 m
gs 1 -1 sc (Object 5) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
750 6900 m
gs 1 -1 sc (Object 6) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
2550 1500 m
gs 1 -1 sc (Healer) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
2550 3900 m
gs 1 -1 sc (Intern) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
2550 6300 m
gs 1 -1 sc (Doctor) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
4500 900 m
gs 1 -1 sc (User 1) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
4500 1500 m
gs 1 -1 sc (User 2) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
4500 2100 m
gs 1 -1 sc (User 3) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
4500 3300 m
gs 1 -1 sc (User 4) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
4500 3900 m
gs 1 -1 sc (User 5) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
4500 4500 m
gs 1 -1 sc (User 6) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
4500 5700 m
gs 1 -1 sc (User 7) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
4500 6300 m
gs 1 -1 sc (User 8) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
4500 6900 m
gs 1 -1 sc (User 9) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
1800 975 m
gs 1 -1 sc (trans_a) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
1800 2100 m
gs 1 -1 sc (trnas_b) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
1800 3375 m
gs 1 -1 sc (trans_c) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
1800 4500 m
gs 1 -1 sc (trans_d) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
1800 5775 m
gs 1 -1 sc (trans_e) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
1800 6900 m
gs 1 -1 sc (trans_f) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
2550 5100 m
gs 1 -1 sc (member_of) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
2550 2700 m
gs 1 -1 sc (member_of) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
3600 1050 m
gs 1 -1 sc (member_of) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
3600 1500 m
gs 1 -1 sc (member_of) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
3600 1875 m
gs 1 -1 sc (member_of) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
3600 3450 m
gs 1 -1 sc (member_of) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
3600 3900 m
gs 1 -1 sc (member_of) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
3600 4275 m
gs 1 -1 sc (member_of) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
3600 5850 m
gs 1 -1 sc (member_of) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
3600 6300 m
gs 1 -1 sc (member_of) col-1 show gr
/Times-Roman findfont 180.00 scalefont setfont
3600 6675 m
gs 1 -1 sc (member_of) col-1 show gr
$F2psEnd
restore
%%EndDocument
 423 544 a
 endTexFig
609 2304 a Fc(Figure)16 b(2:)22 b(Mult-Role)15 b(Relationships)963
2828 y(8)p eop
%%Page: 9 9
bop 0 195 a Fc(Do)q(ctor.)21 b(Ho)o(w)o(ev)o(er,)11 b(b)o(y)h(gran)o(ting)i
(mem)n(b)q(ership)c(to)j(the)g(Healer)e(role,)i(this)g(only)f(allo)o(ws)h
(access)g(to)g(those)0 255 y(resources)j(allo)o(w)o(ed)g(under)g(the)g(role)g
(Healer.)0 422 y Fd(5)83 b(Principle)26 b(of)i(Least)f(Privilege)0
531 y Fc(The)20 b(principle)f(of)h(least)g(privilege)f(has)i(b)q(een)f
(describ)q(ed)g(as)h(imp)q(ortan)o(t)e(for)i(meeting)d(in)o(tegrit)o(y)g(ob-)
0 591 y(jectiv)o(es.)24 b([8])18 b(The)f(principle)g(of)h(least)g(privilege)e
(requires)g(that)j(a)f(user)g(b)q(e)g(giv)o(en)f(no)h(more)f(privilege)0
652 y(than)d(necessary)f(to)h(p)q(erform)e(a)i(job.)21 b(Ensuring)14
b(least)f(privilege)f(requires)g(iden)o(tifying)g(what)i(the)f(user's)0
712 y(job)i(is,)g(determining)e(the)i(minim)n(um)c(set)k(of)g(privileges)f
(required)g(to)h(p)q(erform)f(that)i(job,)f(and)h(restrict-)0
772 y(ing)j(the)g(user)g(to)h(a)f(domain)f(with)h(those)h(privileges)d(and)j
(nothing)g(more.)28 b(By)19 b(den)o(ying)f(to)h(sub)s(jects)0
832 y(transactions)g(that)f(are)g(not)g(necessary)g(for)g(the)g(p)q
(erformance)f(of)h(their)f(duties,)g(those)i(denied)e(privi-)0
892 y(leges)d(cannot)i(b)q(e)f(used)g(to)g(circum)o(v)n(en)o(t)c(the)k
(organizational)h(securit)o(y)d(p)q(olicy)l(.)20 b(Although)15
b(the)f(concept)0 953 y(of)21 b(least)g(privilege)e(curren)o(tly)g(exists)h
(within)g(the)h(con)o(text)e(of)j(the)e(TCSEC,)h(requiremen)o(ts)d(restrict)0
1013 y(those)e(privileges)d(of)j(the)f(system)f(administrator.)20
b(Through)d(the)e(use)g(of)h(RBA)o(C,)d(enforced)i(minim)n(um)0
1073 y(privileges)g(for)h(general)g(system)f(users)h(can)h(b)q(e)f(easily)g
(ac)o(hiev)o(ed.)0 1239 y Fd(6)83 b(Separation)27 b(of)h(Duties)0
1349 y Fc(RBA)o(C)12 b(mec)o(hanism)o(s)e(can)k(b)q(e)f(used)f(b)o(y)h(a)g
(system)e(administrator)i(in)f(enforcing)h(a)g(p)q(olicy)f(of)h(separation)0
1409 y(of)23 b(duties.)39 b(Separation)24 b(of)e(duties)h(is)f(considered)g
(v)m(aluable)g(in)g(deterring)g(fraud)h(since)f(fraud)h(can)0
1469 y(o)q(ccur)h(if)f(an)h(opp)q(ortunit)o(y)g(exists)f(for)h(collab)q
(oration)g(b)q(et)o(w)o(een)f(v)m(arious)h(job)g(related)f(capabilities.)0
1529 y(Separation)c(of)g(dut)o(y)e(requires)h(that)g(for)h(particular)f(sets)
g(of)h(transactions,)g(no)g(single)f(individual)f(b)q(e)0 1590
y(allo)o(w)o(ed)g(to)i(execute)e(all)g(transactions)i(within)f(the)g(set.)27
b(The)18 b(most)f(commonly)f(used)i(examples)e(are)0 1650 y(the)21
b(separate)h(transactions)h(needed)e(to)h(initiate)e(a)i(pa)o(ymen)o(t)e(and)
i(to)g(authorize)g(a)g(pa)o(ymen)o(t.)35 b(No)0 1710 y(single)20
b(individual)f(should)i(b)q(e)g(capable)f(of)h(executing)f(b)q(oth)h
(transactions.)35 b(Separation)21 b(of)g(dut)o(y)f(is)0 1770
y(an)k(imp)q(ortan)o(t)f(consideration)g(in)h(real)f(systems.)42
b([1])23 b(,)i([12])f(,)h([13])e(,)i([14])f(The)f(sets)h(in)f(question)0
1830 y(will)c(v)m(ary)i(dep)q(ending)f(on)h(the)f(application.)34
b(In)20 b(real)g(situations,)h(only)f(certain)g(transactions)h(need)0
1891 y(to)g(b)q(e)g(restricted)f(under)g(separation)i(of)f(dut)o(y)f
(requiremen)o(ts.)32 b(F)l(or)21 b(example,)e(w)o(e)i(w)o(ould)g(exp)q(ect)f
(a)0 1951 y(transaction)e(for)f(\\authorize)h(pa)o(ymen)o(t")d(to)i(b)q(e)h
(restricted,)d(but)j(a)f(transaction)h(\\submit)e(suggestion)0
2011 y(to)h(administrator")e(w)o(ould)i(not)f(b)q(e.)150 2071
y(Separation)j(of)f(dut)o(y)f(can)h(b)q(e)g(either)f(static)h(or)g(dynamic.)
24 b(Compliance)17 b(with)g(static)h(separa-)0 2131 y(tion)h(requiremen)o(ts)
d(can)j(b)q(e)g(determined)d(simply)h(b)o(y)h(the)h(assignmen)o(t)f(of)h
(individuals)f(to)h(roles)f(and)0 2192 y(allo)q(cation)j(of)g(transactions)g
(to)g(roles.)34 b(The)21 b(more)e(di\016cult)g(case)i(is)f(dynamic)f
(separation)j(of)e(dut)o(y)0 2252 y(where)c(compliance)e(with)i(requiremen)o
(ts)d(can)k(only)f(b)q(e)h(determined)c(during)k(system)e(op)q(eration.)22
b(The)0 2312 y(ob)s(jectiv)o(e)14 b(b)q(ehind)h(dynamic)f(separation)i(of)g
(dut)o(y)f(is)h(to)f(allo)o(w)h(more)e(\015exibilit)o(y)f(in)i(op)q
(erations.)22 b(Con-)0 2372 y(sider)16 b(the)h(case)g(of)g(initiating)f(and)h
(authorizing)g(pa)o(ymen)o(ts.)k(A)16 b(static)h(p)q(olicy)f(could)h(require)
e(that)j(no)0 2432 y(individual)d(who)i(can)g(serv)o(e)e(as)i(pa)o(ymen)o(t)d
(initiator)i(could)g(also)h(serv)o(e)e(as)i(pa)o(ymen)o(t)e(authorizer.)21
b(This)0 2492 y(could)15 b(b)q(e)g(implem)o(en)o(te)o(d)d(b)o(y)j(ensuring)g
(that)h(no)f(one)h(who)f(can)h(p)q(erform)e(the)g(initiator)h(role)g(could)f
(also)0 2553 y(p)q(erform)h(the)g(authorizer)h(role.)k(Suc)o(h)c(a)g(p)q
(olicy)f(ma)o(y)f(b)q(e)i(to)q(o)g(rigid)g(for)g(commerc)o(ial)c(use,)k
(making)e(the)0 2613 y(cost)21 b(of)g(securit)o(y)e(greater)i(than)g(the)f
(loss)h(that)g(migh)o(t)e(b)q(e)i(exp)q(ected)e(without)i(the)g(securit)o(y)l
(.)32 b(More)0 2673 y(\015exibilit)o(y)14 b(could)j(b)q(e)h(allo)o(w)o(ed)e
(b)o(y)g(a)i(dynamic)d(p)q(olicy)i(that)g(allo)o(ws)h(the)e(same)h
(individual)e(to)j(tak)o(e)f(on)963 2828 y(9)p eop
%%Page: 10 10
bop 0 195 a Fc(b)q(oth)15 b(initiator)e(and)h(authorizer)g(roles,)f(with)h
(the)f(exception)g(that)h(no)g(one)g(could)f(authorize)h(pa)o(ymen)o(ts)0
255 y(that)i(he)g(or)g(she)g(had)h(initiated.)j(The)c(static)g(p)q(olicy)f
(could)h(b)q(e)g(implem)o(e)o(n)o(ted)d(b)o(y)i(c)o(hec)o(king)f(only)i
(roles)0 315 y(of)f(users;)g(for)g(the)g(dynamic)e(case,)h(the)h(system)e(m)o
(ust)g(use)i(b)q(oth)h(role)e(and)h(user)g(ID)g(in)f(c)o(hec)o(king)f(access)
0 376 y(to)k(transactions.)150 436 y(Separation)g(of)h(dut)o(y)e(is)h
(necessarily)e(determined)g(b)o(y)h(conditions)h(external)f(to)h(the)f
(computer)0 496 y(system.)j(The)13 b(Clark-Wilson)h([1])f(sc)o(heme)f
(includes)g(the)h(requiremen)o(t)e(that)j(the)f(system)f(main)o(tain)g(the)0
556 y(separation)21 b(of)f(dut)o(y)g(requiremen)n(t)d(expressed)j(in)f(the)h
(access)g(con)o(trol)f(triples.)32 b(Enforcemen)o(t)18 b(is)i(on)0
616 y(a)e(p)q(er-user)g(basis,)g(using)g(the)f(user)g(ID)h(from)e(the)h
(access)h(con)o(trol)f(triple.)24 b(As)17 b(discussed)h(ab)q(o)o(v)o(e,)f
(user)0 677 y(functions)12 b(can)g(b)q(e)g(con)o(v)o(enien)o(tly)e(separated)
i(b)o(y)g(role,)g(since)f(man)o(y)g(users)h(in)g(an)g(organization)h(t)o
(ypically)0 737 y(p)q(erform)19 b(the)g(same)g(function)h(and)g(ha)o(v)o(e)f
(the)h(same)f(access)h(righ)o(ts)f(on)i(TPs)f(and)h(data.)33
b(Allo)q(cating)0 797 y(access)14 b(righ)o(ts)g(according)h(to)f(role)g(is)g
(also)h(helpful)e(in)h(de\014ning)g(separation)h(of)f(dut)o(y)g(in)g(a)g(w)o
(a)o(y)g(that)h(can)0 857 y(b)q(e)h(enforced)g(b)o(y)g(the)g(system.)0
1024 y Fd(7)83 b(Summ)n(ary)24 b(and)j(Conclusions)0 1133 y
Fc(In)22 b(man)o(y)f(organizations)i(in)f(industry)g(and)h(civilian)d(go)o(v)
o(ernmen)o(t,)h(the)h(end)g(users)g(do)h(not)g(\\o)o(wn")0
1193 y(the)16 b(information)g(for)h(whic)o(h)f(they)g(are)h(allo)o(w)o(ed)f
(access.)23 b(F)l(or)16 b(these)h(organizations,)g(the)g(corp)q(oration)0
1253 y(or)22 b(agency)g(is)g(the)g(actual)g(\\o)o(wner")h(of)g(system)d(ob)s
(jects,)j(and)f(discretionary)g(access)g(con)o(trol)g(ma)o(y)0
1314 y(not)15 b(b)q(e)f(appropriate.)21 b(Role-Based)14 b(Access)g(Con)o
(trol)g(\(RBA)o(C\))f(is)h(a)h(nondiscretionary)f(access)g(con)o(trol)0
1374 y(mec)o(hanism)8 b(whic)o(h)i(allo)o(ws)h(and)g(promotes)f(the)h(cen)o
(tral)f(administration)f(of)j(an)f(organizational)h(sp)q(eci\014c)0
1434 y(securit)o(y)j(p)q(olicy)l(.)150 1494 y(Access)g(con)o(trol)h
(decisions)f(are)h(often)g(based)h(on)f(the)g(roles)f(individual)g(users)h
(tak)o(e)g(on)g(as)h(part)0 1554 y(of)22 b(an)h(organization.)39
b(A)22 b(role)f(sp)q(eci\014es)h(a)g(set)g(of)g(transactions)h(that)g(a)f
(user)g(or)g(set)g(of)h(users)f(can)0 1615 y(p)q(erform)g(within)h(the)g(con)
o(text)g(of)h(an)g(organization.)43 b(RBA)o(C)22 b(pro)o(vide)h(a)h(means)e
(of)i(naming)e(and)0 1675 y(describing)16 b(relationships)h(b)q(et)o(w)o(een)
g(individuals)f(and)h(righ)o(ts,)g(pro)o(viding)g(a)g(metho)q(d)g(of)g
(meeting)e(the)0 1735 y(secure)h(pro)q(cessing)h(needs)f(of)g(man)o(y)f
(commerci)o(al)e(and)k(civilian)e(go)o(v)o(ernmen)o(t)e(organizations.)150
1795 y(V)l(arious)j(forms)g(of)h(role)f(based)g(access)h(con)o(trol)f(ha)o(v)
o(e)f(b)q(een)h(describ)q(ed)g(and)h(some)f(are)g(used)g(in)0
1855 y(commerci)o(al)10 b(systems)i(to)q(da)o(y)l(,)i(but)f(there)g(is)g(no)h
(commonly)c(accepted)i(de\014nition)h(or)h(formal)e(standards)0
1916 y(encompassing)17 b(RBA)o(C.)e(As)i(suc)o(h,)f(ev)m(aluation)i(and)f
(testing)g(programs)g(for)h(these)e(systems)g(ha)o(v)o(e)h(not)0
1976 y(b)q(een)22 b(established)f(as)h(they)g(ha)o(v)o(e)f(for)h(systems)e
(conforming)h(to)h(the)g(T)l(rusted)g(Computer)f(Securit)o(y)0
2036 y(Ev)m(aluation)13 b(Criteria.)19 b(This)13 b(pap)q(er)g(prop)q(osed)h
(a)f(de\014nition)f(of)h(The)f(requiremen)o(ts)e(and)j(access)f(con)o(trol)0
2096 y(rules)17 b(for)h(RBA)o(C)f(prop)q(osed)i(in)e(this)h(pap)q(er)g(could)
f(b)q(e)h(used)g(as)g(the)g(basis)g(for)g(a)g(common)d(de\014nition)0
2156 y(of)i(access)f(con)o(trols)g(based)h(on)f(user)h(roles.)0
2323 y Fd(8)83 b(References)0 2432 y Fc(1)25 b(D.D.)f(Clark)g(and)h(D.R.)f
(Wilson.)45 b(A)24 b(Comparison)g(of)h(Commercial)c(and)k(Military)e
(Computer)0 2492 y(Securit)o(y)15 b(P)o(olicies.)k(In)d(IEEE)h(Symp)q(osium)d
(on)j(Computer)e(Securit)o(y)g(and)h(Priv)m(acy)l(,)g(April)f(1987.)150
2553 y(2)i(Computers)e(at)i(Risk.)j(National)d(Researc)o(h)e(Council,)h
(National)g(Academ)o(y)d(Press,)j(1991.)150 2613 y(3)j(Minim)o(um)14
b(Securit)o(y)j(F)l(unctionalit)o(y)f(Requiremen)o(ts)f(for)k(Multi-User)e
(Op)q(erating)h(Systems)0 2673 y(\(draft\).)j(Computer)16 b(Systems)f(Lab)q
(oratory)l(,)j(NIST,)d(Jan)o(uary)h(27)i(1992.)951 2828 y(10)p
eop
%%Page: 11 11
bop 150 195 a Fc(4)20 b(T)l(rusted)g(Computer)f(Securit)o(y)f(Ev)m(aluation)i
(Criteria,)g(DOD)g(5200.28-STD.)i(Departmen)o(t)0 255 y(of)17
b(Defense,)e(1985.)150 315 y(5)20 b(Z.G.)e(Ruth)o(b)q(erg)h(and)h(W.T.)f(P)o
(olk,)g(Editors.)30 b(Rep)q(ort)20 b(of)f(the)g(In)o(vitational)f(W)l
(orkshop)j(on)0 376 y(Data)c(In)o(tegrit)o(y)l(.)j(SP)c(500-168.)24
b(Natl.)d(Inst.)g(of)16 b(Stds.)22 b(and)17 b(T)l(ec)o(hnology)l(,)e(1989.)
150 436 y(6)h(S.W.)g(Katzk)o(e)f(and)h(Z.G.)f(Ruth)o(b)q(erg,)h(Editors.)21
b(Rep)q(ort)c(of)f(the)g(In)o(vitational)f(W)l(orkshop)i(on)0
496 y(In)o(tegrit)o(y)g(P)o(olicy)h(in)g(Computer)g(Information)g(Systems.)27
b(SP)19 b(500-160.)32 b(Natl.)c(Inst.)h(of)19 b(Stds.)29 b(and)0
556 y(T)l(ec)o(hnology)l(,)16 b(1987.)150 616 y(7)j(J.E.)f(Rosk)o(os,)i(S.R.)
e(W)l(elk)o(e,)f(J.M.)h(Bo)q(one,)i(and)f(T.)g(Ma)o(y\014eld.)28
b(In)o(tegrit)o(y)17 b(in)h(T)l(actical)g(and)0 677 y(Em)o(b)q(edded)d
(Systems.)20 b(Institute)15 b(for)i(Defense)e(Analyses,)h(HQ)f(89-034883)q
(/1)q(,)j(Octob)q(er)f(1989.)150 737 y(8)e(In)o(tegrit)o(y)e(in)h(Automated)f
(Information)g(Systems.)20 b(National)14 b(Computer)f(Securit)o(y)l(,)g(Cen)o
(ter,)0 797 y(Septem)o(b)q(er)h(1991.)150 857 y(9)h(R.W.)f(Baldwin.)21
b(Naming)13 b(and)j(Grouping)f(Privileges)f(to)h(Simplify)d(Securit)o(y)h
(Managemen)o(t)0 917 y(in)j(Large)h(Databases.)23 b(In)16 b(IEEE)g(Symp)q
(osium)e(on)j(Computer)e(Securit)o(y)g(and)i(Priv)m(acy)l(,)e(1990.)150
978 y(10)20 b(K.R.)d(P)o(oland)i(M.J.)f(Nash.)29 b(Some)18
b(Con)o(undrums)g(Concerning)h(Separation)h(of)f(Dut)o(y)l(.)28
b(In)0 1038 y(IEEE)16 b(Symp)q(osium)f(on)h(Computer)g(Securit)o(y)e(and)j
(Priv)m(acy)l(,)e(1990.)150 1098 y(11)d(Securit)o(y)d(Requiremen)o(ts)f(for)j
(Cryptographic)h(Mo)q(dules.)19 b(F)l(ederal)10 b(Information)g(Pro)q
(cessing)0 1158 y(Standard)17 b(140-1,)h(National)e(Institute)g(of)g
(Standards)i(and)f(T)l(ec)o(hnology)l(,)e(1992.)150 1218 y(12)20
b(W.R.)f(Sho)q(c)o(kley)l(.)30 b(Impleme)o(n)o(ti)o(ng)18 b(the)h
(Clark/Wilson)h(In)o(tegrit)o(y)e(P)o(olicy)g(Using)h(Curren)o(t)0
1279 y(T)l(ec)o(hnology)l(.)i(In)16 b(Pro)q(ceedings)g(of)g(11th)h(National)f
(Computer)f(Securit)o(y)g(Conference,)g(Octob)q(er)h(1988.)150
1339 y(13)i(R.)e(Sandh)o(u.)25 b(T)l(ransaction)18 b(Con)o(trol)f
(Expressions)h(for)f(Separation)h(of)f(Duties.)24 b(In)17 b(F)l(ourth)0
1399 y(Aerospace)f(Computer)f(Securit)o(y)g(Applications)g(Conference,)h
(Decem)o(b)q(er)d(1988.)150 1459 y(14)20 b(S.)f(Wiseman)g(P)l(.)g(T)l(erry)l
(.)30 b(A)19 b('New')f(Securit)o(y)g(P)o(olicy)h(Mo)q(del.)30
b(In)19 b(IEEE)h(Symp)q(osium)e(on)0 1519 y(Computer)d(Securit)o(y)g(and)i
(Priv)m(acy)l(,)e(Ma)o(y)h(1989.)951 2828 y(11)p eop
%%Trailer
end
userdict /end-hook known{end-hook}if
%%EOF