ABSTRACT Adequate security of information and information systems is a fundamental management responsibility.

Nearly all applications that deal with financial, privacy, safety, or defense include some form of access control. Access control is concerned with determining the allowed activities of legitimate users, mediating every attempt by a user to access a resource in the system. In some systems, complete access is granted after successful authentication of the user, but most systems require more sophisticated and complex control. My major motivation for carrying on with this, was the ability of develop a system with the functionality of granting access rights to user base on their specific needs. Our development methodology is Rapid Application Development (RAD) model in which a prototype of the system was firstly develop for criticism by other. The result we had lead to the design of a Responsibility Base Access Control system using PHP and MySQL which are both running on the xampp platform. This research explains some of the commonly used access control services available in information technology systems with special emphasis on Role Based Access Control Model.

CHAPTER ONE 1.0 INTRODUCTION

Today, Internet has become the forum for intra- and interorganizational systems practical via interactions. Internet is Most vital distributed has applications are developed in the Internet environment. Securing access to such and become increasingly challenging. Therefore, security plays a vital role in the design and deployment of the distributed applications, and all companies have to repeatedly spend considerable time, capital and effort on the implementation of the security mechanism for their applications (Chapman, 2006). The rapid growth in information technology systems has greatly increased the need for privacy protection. Privacy becomes a major concern for users both consumers and enterprises, much research have been focused on developing the privacy protecting technology. Access control has been considered as a major issue in information security community since the beginning of the information security discipline. A number of privacy protecting access control models have been proposed in recent years. Through access control, the system can restrict unauthorized users access to the resources in the system and guarantees the confidentiality and integrity of the resources. The most widely used mechanism for preventing unauthorized access to systems is Identification and Authentication. Identification is the process where a user gives a valid and recognized identity to the system and authentication is the process whereby the system verifies the supplied identity. Access control, which is the concept of authorization, is concerned with determining the allowed activities

of legitimate users (Chapman, 2006). The major aim of access control systems is to protect system resources against inappropriate and undesired user access. To reduce the security risks on computer systems as much as possible, there is a need to define who is allowed to access the stored information, which system resources the user is allowed to access, and what type of actions he/she is allowed to perform on those resources. Access control is one of the most important security mechanisms in the network environment and web services. Access control consists of policy, model and mechanism. The policy is the statement of what is, and what is not allowed, while the model is the formal representation of the security policies enforced by the system and is useful for proving the theoretical limitations of a system. The mechanism is a method, tool, or procedure for enforcing the Access Control Policy (NISTIR, 2006). Access control systems are generally classified as Discretionary Access Control (DAC) and Non-Discretionary Access Control (NDAC). In DAC, the object owner or anyone else who is authorized to control the objects access specifies who have access to the object or specifies the policies. All access control policies other than DAC are categorized as NDAC. In NDAC, policies are rules that are not specified at the discretion of the user. Some examples of NDAC are:I.

Mandatory Access Control (MAC):- This technique specifies that access control policy decisions are made by a central authority and not by the individual owner of the object. For example, the individual owner of an object can not specify whether an object is Top Secret and so on.

II.

Role-based Access Control (RBAC):- This describes the technique in which categories and duties of users are considered before permissions are granted to invoke an operation. The different categories are predefined, and have varying amount of privileges. The users will be placed in these categories. A user may be assigned many roles, but may not execute all his roles at the same time (NISTIR, 2006).

III.

Purpose-based Access Control (PBAC):- In this case, access is granted based on the intentions of the subjects. Each user is required to state his or her access purpose when trying to access an object. For example, in a school environment, data is collected for registration, checking of results, and so on. The system validates the stated access purpose by the user to make sure that the user is indeed allowed for the access purpose.

IV.

Rule-based Access Control (RuBAC):- This describes the technique that allows subjects or users to access objects based on pre-determined and configured rules. RuBAC is a general term for access control system that allows some form of organization defined rules.

1.1

BACKGROUND OF THE STUDY to Ryan, (2007) authorization is based on the

According

considerations and restrictions that are defined in each system for resource usages. In non-distributed systems it is natural to consider that point to be the central resource providers. So each user who wants to access a resource queries that central point. Based on the

considered restrictions, the central resource provider would decide whether to grant access or not. In distributed networks the resources are not all located on central points, but rather they may belong to different distributed nodes. There is no central point in the nature of the network structure. Though it is possible to consider such a point for controlling the resource assignments, and some models do it, it may not always be desired. The reason could simply be that the distributed resource providers may also want to play a role in managing access to their resources (Pierre et al., 2002). They may have their own local restrictions to be considered that the central administration might not be aware of. Moreover the resource providers can reduce the burden of handling the policy management from the central administration. On the other hand, leaving the whole responsibility to the resource providers, is not always desired either. There are some cases where the central administration may want to contribute in access management. Or if they do not contribute, they may need to have an overall view about permissions and resource assignments in the system. But if the resource principals manage access to their resources by their own, without any contact with the systems administration, it would be impossible for the administration to have a true view about the resource assignments in the network (Menzel et al., 2007). The question is how to let the resource providers contribute in managing access to their resources. This thesis provides a model that considers the providers restrictions about accessing their resources, but it does not leave the whole management to them.

The central administration, too, can have its own restrictions. This results in a combination of distributed and central management. As a second goal it investigates how to change the model that it prioritizes the local providers decision over that of the administrator. The proposed model uses PHP standard as an access control framework.

1.2

STATEMENT OF THE PROBLEM

Access control administration is required frequently (due to new accounts, changes to permissions, etc). On the other hand, application changes are infrequent and a given version of an application may last many months. As a rule, the lifespan of a permission tends to be much shorter than the lifespan of the application. If permissions are mixed in with the application code, end users need to wait for a new version of the application to benefit from new permissions. Defining or granting permissions should not rely on new versions of the application. You should be able to add or grant a permission without changing the application code (which requires a full development cycle: coding, testing, debugging, deployment). If new permissions are taken into account dynamically (not hardcoded in the application), you will be able to define/grant them while the application is still in production. If so, they would be effective immediately! 1.3 MOTIVATION OF THE STUDY

I was motivated to carry out this project because of the following;

1. The opportunity to understudy the workability of the subject

under review.

2. The opportunity presented by access control which allows for

the development and customization of specific roles and privileges.

1.4

OBJECTIVES OF THE STUDY

In this section we discuss what we believe to be important objectives when developing integrated access control model and the design decisions that have led to the satisfaction of those criteria. Ensure our distributed system environments and any

associated security systems need to be highly scalable in order to provide fast and efficient services to its users. To preserve and protect the confidentiality, integrity and availability of information system and resources. To ensure that only the right people have access to data and that accessed data is the right data.

1.5 SIGNIFICANCE OF THE STUDY

This research project is aimed at having a web-based system for University of Port Harcourt Teaching Hospital, Alakahia. Obviously there have been some inherent limitations in the manual system of doing things in this regard, but with the computerization, these problems will be solved. This research work will help to remove unnecessary errors arising from human factor and the inevitable slow processing speed attributed to manual system of doing things. It will lead to a better provision of services and management within the hospital thereby ensuring a good atmosphere for both the patients and the staffs.

1.6

SCOPE OF THE STUDY

This research work is centered on the deployment of an access control model using Open source Development Tools PHP & MySQL. When deployed, the system will aid in the delegation of privileges to users and effectively authenticate users also. The system once developed, can be deployed and run on any computer running the Windows Operating System (OS), either locally (standalone) or over a network (intranet). 1.7 LIMITATIONS OF THE STUDY

Although the concept under review of an interesting one, however I encountered several problems which are not limited to the below listed: 1. One major set back I faced was the over population of related materials on the internet which is my primary source of data collection. As it was very difficult to adopt concepts of other researchers. I was only able to overcome this with the help and advice from my supervisor who advice that I focus on more recent concepts alone. 2. Erratic power supply is yet another impediment to the effectiveness of the system. Computers being electronic devices, depend on power for their operation. Therefore constant power needs to be maintained for optimal use of the software solution.