Commentary by Mark Wahl, CISA
Organizing principles for identity systems:
composite role-based monitoring for task-structured activities (20070620)
In the 2004 paper "Composite Role-Based Monitoring (CRBM) for Countering Insider Threats", Joon S. Park and Shuyuan Mary Ho of Syracuse University propose extending the roles of role-based access control, which are typically organizational roles, with two further sets of roles: those defined by applications and those defined by operating systems. A user performing a task holds a session in each of these three domains, and CRBM compares the roles and privileges the user actually exercises in each domain against the behavior expected for that task, so that privileges used outside the scope of the current task stand out as possible misuse.
"The user activates the sessions (the organizational session is usually activated first, which triggers the activation of other sessions manually or automatically). Based on her current task in the domains, she is allowed to use the corresponding privileges in the domains...In CRBM, the user's behavior in three different sessions (organization, application, and OS) are monitored. Finally, the monitored behavior is compared with the expected or unexpected behavior, which is defined based on the user's current task, to find out if the user misused her privileges."
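The monitoring loop the quotation describes, as an added illustration written for this commentary rather than code from Park and Ho's paper: the task profiles, the three-domain log format and the log lines below are all constructed, and the only rules applied are the two the quoted text states (an application or OS session should follow an organizational session, and privileges used in a session are compared with those expected for the user's current task).

```python
"""Minimal composite role-based monitor in the spirit of CRBM.

Added example for this commentary; task profiles, log format and log
lines are constructed, not taken from the paper.
"""
from dataclasses import dataclass

DOMAINS = ("organization", "application", "os")

# Roles a user is expected to activate in each domain while working on a
# given task (constructed sample profiles).
TASK_PROFILES = {
    "month_end_close": {
        "organization": {"accountant"},
        "application": {"gl_poster", "report_viewer"},
        "os": {"erp_client_user"},
    },
    "db_maintenance": {
        "organization": {"dba"},
        "application": {"schema_admin"},
        "os": {"oracle", "sudo"},
    },
}


@dataclass(frozen=True)
class Event:
    ts: int
    user: str
    domain: str   # organization | application | os
    role: str
    action: str   # activate | use | deactivate


def parse_line(line):
    """Parse one constructed log line of the form ts|user|domain|role|action."""
    fields = line.strip().split("|")
    if len(fields) != 5:
        raise ValueError(f"malformed line: {line!r}")
    ts, user, domain, role, action = fields
    if domain not in DOMAINS:
        raise ValueError(f"unknown domain {domain!r} in {line!r}")
    return Event(int(ts), user, domain, role, action)


def monitor(current_task, lines):
    """Compare each user's role activity in the three domains against the
    profile of that user's current task (current_task maps user -> task).
    Returns a list of (Event, reason) findings in log order."""
    findings = []
    active = {}  # (user, domain) -> set of roles activated in that session

    for line in lines:
        ev = parse_line(line)
        task = current_task.get(ev.user)
        if task is None:
            findings.append((ev, "activity by a user with no current task"))
            continue
        expected = TASK_PROFILES[task][ev.domain]
        key = (ev.user, ev.domain)

        if ev.action == "activate":
            # The organizational session is expected to be activated first;
            # an application or OS session without one is reported.
            if ev.domain != "organization" and not active.get((ev.user, "organization")):
                findings.append((ev, f"{ev.domain} session opened without an organizational session"))
            if ev.role not in expected:
                findings.append((ev, f"role {ev.role} is not expected for task {task}"))
            active.setdefault(key, set()).add(ev.role)
        elif ev.action == "use":
            if ev.role not in active.get(key, set()):
                findings.append((ev, f"{ev.role} privilege used without an active session"))
            elif ev.role not in expected:
                findings.append((ev, f"{ev.role} privilege used outside task {task}"))
        elif ev.action == "deactivate":
            active.get(key, set()).discard(ev.role)
        else:
            findings.append((ev, f"unknown action {ev.action!r}"))
    return findings


# Constructed sample log and task assignment.
CURRENT_TASK = {"alice": "month_end_close", "bob": "db_maintenance"}
SAMPLE_LOG = [
    "1|alice|organization|accountant|activate",
    "2|alice|application|gl_poster|activate",
    "3|alice|os|erp_client_user|activate",
    "4|alice|application|gl_poster|use",
    "5|alice|os|sudo|activate",            # OS role outside the month-end profile
    "6|alice|os|sudo|use",
    "7|bob|os|oracle|activate",            # OS session before any organizational session
    "8|bob|organization|dba|activate",
    "9|bob|application|schema_admin|use",  # privilege used in a session never activated
]


def run_sample():
    """Run the monitor over the constructed log and return its findings."""
    return monitor(CURRENT_TASK, SAMPLE_LOG)


if __name__ == "__main__":
    for ev, reason in run_sample():
        print(f"t={ev.ts} {ev.user} [{ev.domain}/{ev.role}] {ev.action}: {reason}")
```

The profiles are deliberately static so that the comparison logic is visible; in practice the expected roles for a task would be derived from observed baselines or from workflow definitions, and the session ordering rule would be a policy setting rather than a constant, but those choices sit outside what the quoted passage says.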