Activity Theory Guided Role Engineering

Abstract

Roles are convenient and powerful concept for facilitating access to distributed systems and enforcing access management polices. RBAC is one the most widely used role engineering models in enterprises. Several threats arise due to insecure and inefficient design of roles when social and interaction dynamics in an organizational setting are ignored. Activity theory is one of the most applied and researched theories in context of understanding human actions, interactions with environments and dynamics against different social entities. The paper, first, presents overview of role-engineering and activity theory. Then the paper presents different methods in which activity theory can be applied for efficient and secure role-engineering processes. A case study, carried out at a US-based midsize financial institution, is also presented to demonstrate 1) how traditional role-engineering processes give way to threats and 2) how using activity theory models (2 used in this paper) can mitigate risks in role-engineering process