Skip to main content
  • SI: Cloud Computing
  • Open access
  • Published:

Toward role-based provisioning and access control for infrastructure as a service (IaaS)


Cloud computing has drawn much attention in recent years. One of its service models, called infrastructure as a service (IaaS), provides users with infrastructure services such as computation and data storage, heavily dependent upon virtualization techniques. Most of the current IaaS providers take the user-resource direct mapping approach for their business, where individual users are the only type of service consumer who can request and use virtualized resources as long as they pay for the usage. Therefore, in this approach, the users and virtual resources are centrally managed at the IaaS providers. However, this also results in the lack of support for scalable authorization management of users and resources, organization-level policy support, and flexible pricing for business users. Considering the increasing popularity and growing user base of cloud computing, there is a strong need for a more flexible IaaS model with a finer grained access control mechanism than the aforementioned all-or-nothing approach. In this paper we propose a domain-based, decentralized framework for provisioning and managing users and virtualized resources in IaaS. Specifically, an additional layer called domain is introduced to the user-resource direct mapping scheme, whereby de-centralization of user and resource management is facilitated. Our framework also allows the IaaS service provider to delegate its administrative routines to domains so that each domain is able to manage its users and virtualized resources allocated by the IaaS provider. Our domain-based approach offers benefits such as scalable user/resource management, domain-based security and governance policy support, and flexible pricing.


  1. Ahn G-J, Sandhu R (1999) The RSL99 language for role-based separation of duty constraints. In: Proceedings of 4th ACM workshop on role-based access control, pp 43–54, Fairfax, VA, 28–29 October 1999. ACM, New York

    Chapter  Google Scholar 

  2. Amazon Elastic Compute Cloud and Simple Storage Service.

  3. Barka ES, Sandhu RS (2000) Framework for role-based delegation models. In: Proceedings of 16th annual computer security application conference, New Orleans, LA, December 2000

    Google Scholar 

  4. Crampton J (2003) On permissions, inheritance and role hierarchies. In: Proceedings of 10th ACM conference on computer and communication security, Washington, DC, October 2003

    Google Scholar 

  5. Dimmock N, Belokosztolszki A, Eyers D, Bacon J, Moody K (2004) Using trust and risk in role-based access control policies. In: Proceedings of 9th ACM symposium on access control models and technologies, Yorktown, NY, June 2004

    Google Scholar 

  6. Ellison C, Frantz B, Lampson B, Rivest R, Thomas B, Ylonen T (1999) SPKI certificate theory. RFC 2693, September 1999

  7. Eucalyptus Open Source.

  8. Farrell S, Housley R (2001) An Internet attribute certificate profile for authorization. Technical report, PKIX Working Group, June 2001

  9. Ferraiolo DF, Sandhu R, Gavrila S, Kuhn DR, Chandramouli R (2001) Proposed NIST standard for role-based access control. ACM Trans Inf Syst Secur 4(3)

  10. Google Apps.

  11. Google Doc.

  12. Harrison MH, Ruzzo WL, Ullman JD (1976) Protection in operating systems. Commun ACM 19(8):461–471

    Article  MATH  MathSciNet  Google Scholar 

  13. ITU (2000) ITU-T recommendation X.509. Information technology: open systems interconnection—the directory: public-key and attribute certificate frameworks. ISO/IEC 9594-8

  14. McLean J (1985) A comment on the ‘Basic security theorem’ of Bell and LaPadula. Inf Process Lett 20(2):67–70

    Article  MathSciNet  Google Scholar 

  15. NEBULA: NASA’s Cloud Computing Platform.

  16. NIST. (2009) Nist working definition of cloud computing. Technical report.

  17. Open Software Foundation (1992) OSF DCE 1.0 application development guide. Cambridge, MA

  18. Open Software Foundation (1992) OSF DCE 1.0 introduction to DCE. Cambridge, MA

  19. Osborn S, Sandhu R, Munawer Q (2000) Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM Trans Inf Syst Secur 3

  20. RBAC support for Nebula.

  21. Rivest RL, Lampson B (1996) SDSI—a simple distributed security infrastructure. Technical report, September 1996

  22. Salesforce’s the Sales Cloud.

  23. Sandhu R, Munawer Q (1998) The RRA97 model for role-based administration of role hierarchies. In: Proceedings of 14th annual computer security application conference, pp 39–49, Scotsdale, AZ, 7–11 December 1998

    Google Scholar 

  24. Sandhu RS, Coyne EJ, Feinstein HL, Youman CE (1996) Role-based access control models. IEEE Comput. 29(2):38–47

    Article  Google Scholar 

  25. Shin D, Ahn G-J, Cho S (2002) Role-based EAM using x.509 attribute certificate. In: Proceedings of sixteenth annual IFIP WG 11.3 working conference on data and application security, Cambridge, UK, 29–31 July 2002

    Google Scholar 

  26. Shin D, Ahn G-J, Cho S, Jin S (2003) On modeling system-centric information for role engineering. In: Proceedings of 8th ACM symposium on access control models and technologies, Como, Italy, 2–3 June 2003

    Google Scholar 

  27. Thompson M, Johnston W, Mudumbai S, Hoo G, Jackson K, Essiari A (1999) Certificate-based access control for widely distributed resources. In: Proceedings of 8th USENIX security symposium, Washington, DC, 23–26 August 1999

    Google Scholar 

  28. VO Services Project by US CMS and US ATLAS.

  29. Windows Azure.

  30. Zhang L, Ahn G-J, Chu B (2001) A rule-based framework for role-based delegation. In: Proceedings of 6th ACM symposium on access control models and technologies, pp 153–162, Chantilly, VA, 3–4 May 2001

    Google Scholar 

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Dongwan Shin.

Additional information

This article is an expanded version of the paper “Domain-based Virtualized Resource Management in Cloud Computing” which appeared in the Proceedings of 5th International Workshop on Trusted Collaboration (TrustCol 2010).

Rights and permissions

Open Access This article is distributed under the terms of the Creative Commons Attribution 2.0 International License ( ), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Reprints and permissions

About this article

Cite this article

Shin, D., Akkan, H., Claycomb, W. et al. Toward role-based provisioning and access control for infrastructure as a service (IaaS). J Internet Serv Appl 2, 243–255 (2011).

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: