Abstract
This project explored the approach of incorporating attributes into role-based access control (RBAC). When several roles are distinguished only by attribute values, we can define a single role to replace the multiple roles that would traditionally be needed. By introducing attributes into role-based access control, role definitions and application development become much more concise and easier to manage. The project consists of two phases: implementing Virtual Private Database (VPD) in a relational database system, and addressing RBAC in XACML policies. The first phase of the project implemented RBAC at the database level, using attributes to distinguish users within the same role. We used Oracle's Virtual Private Database (VPD) feature for the implementation in a Software Management case study. This feature provides fine-grained access control at the individual row level. Rather than opening up an entire table to any individual user who has any privileges on the table, row-level security restricts access to specific rows in a table. The result is that any individual user sees a completely different set of data: only the data that person is authorized to see. The second phase of the project used XACML to address high-level policies that can eventually be implemented using database RBAC.
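An added example (not code from the project) of the first phase's idea in Oracle PL/SQL: one `developer` role, with a VPD policy that filters rows by a per-user team attribute held in an application context. The schema, table, role, context and function names are all assumptions made for illustration.

```sql
-- Added example: every object name here (pm_app, staff, projects, developer, pm_ctx) is hypothetical.
CREATE TABLE pm_app.staff (username VARCHAR2(128) PRIMARY KEY, team_id NUMBER NOT NULL);
CREATE TABLE pm_app.projects (
  project_id NUMBER PRIMARY KEY, project_name VARCHAR2(100), team_id NUMBER NOT NULL);

-- One role for all developers; no per-team roles are created.
CREATE ROLE developer;
GRANT SELECT ON pm_app.projects TO developer;

-- Application context carrying the user attribute; only pm_app.ctx_pkg can write to it.
CREATE OR REPLACE CONTEXT pm_ctx USING pm_app.ctx_pkg;

CREATE OR REPLACE PACKAGE pm_app.ctx_pkg AS
  PROCEDURE set_team;  -- call at session start, e.g. from a logon trigger
END ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY pm_app.ctx_pkg AS
  PROCEDURE set_team IS
    v_team pm_app.staff.team_id%TYPE;
  BEGIN
    SELECT team_id INTO v_team FROM pm_app.staff
     WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('pm_ctx', 'team_id', TO_CHAR(v_team));
  EXCEPTION
    WHEN NO_DATA_FOUND THEN NULL;  -- unknown user: attribute stays unset
  END set_team;
END ctx_pkg;
/
-- Policy function: returns the WHERE predicate Oracle appends to each query on the table.
CREATE OR REPLACE FUNCTION pm_app.team_predicate (
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  -- If the attribute is unset the comparison is against NULL, so no rows match (fails closed).
  RETURN 'team_id = TO_NUMBER(SYS_CONTEXT(''pm_ctx'', ''team_id''))';
END team_predicate;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'PM_APP',
    object_name     => 'PROJECTS',
    policy_name     => 'PROJECTS_BY_TEAM',
    function_schema => 'PM_APP',
    policy_function => 'TEAM_PREDICATE',
    statement_types => 'SELECT');
END;
/
```

With this in place, two users holding the same `developer` role run the same `SELECT * FROM pm_app.projects` and each gets only their own team's rows. SYS and accounts granted `EXEMPT ACCESS POLICY` bypass the policy, so that privilege belongs in audit scope.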