IT 862 Spring 2005

Prof. Ravi Sandhu

Take-home Examination 1


Due in class on 2/24/05


This is an examination. You must write the answer yourself without ANY discussion with anyone else. You are free to consult whatever literature you choose to. Your time is likely better spent thinking through the answer rather than trying to find it in the literature.


Provide a signed statement with your submission stating, I have not given help or taken help from anyone on this assignment.


All questions have equal weight. Please answer each question in approximately 1 page, single-spaced. 2 pages is an absolute upper limit. Your answer should be a coherently written essay that flows and reads similar to a technical paper. Your solution should be prepared in soft copy, although diagrams may be hand-drawn. Please submit hard copy on the due date in class. Make sure you retain a copy. If you cannot make it to class on the due date submit via email to or fax to 253 563 3509 before the class.


1.      Discuss the concept of administrative scope as it applies (a) to a rooted tree hierarchy (the root being the senior-most role) and (b) to an inverted rooted tree hierarchy (the root being the junior-most role).


2.      Discuss the notion of a dual concept to administrative scope. Administrative scope is defined in terms of junior roles. The dual concept (call it alpha-scope) will be defined in terms of senior roles. Would it have any relevance to RBAC administration.


3.      Prove or disprove (by giving counter-examples) the following propositions.

a.       If a hierarchy has a single maximal (senior-most) role, the administrative scope of that role includes all other roles.

b.      If a hierarchy has a single minimal (junior-most) role, that role will be in the administrative scope of all other roles.


4.      For the RRA97 model prove or give counterexamples for the following propositions:

a.       An authority range is always a create range?

b.      If x is an immediate child of y then (x,y) is a create range?

c.       If x is an immediate child of y then (x,y) can always be introduced into can-modify as an authority range that is guaranteed to be encapsulated?