Access Control Systems: Security, Identity Management and Trust Models

The modeling of role hierarchies using role graphs provides a formal way of studying and analyzing RBAC. The fact that directional edges of role graphs correspond to privilege hierarchies translates immediately into the paths of an RBAC information flow. Osborn used the role-graph modeling process as a tool to analyze the flow of information across objects of an RBAC system [OSBO02].
Given a role graph, the Osborn analysis constructs a flow graph representing all potential information flows across objects. This analysis is based on the ability to copy the content of one object into another object. The copy operation usually takes place using a combination of read (r) and write (w) privileges. As such, the Osborn RBAC flow analysis is based on the following elements:
- If the privileges (o1, r) and (o2, w) are in the same role R, then a user assigned to R has the ability to cause the flow of information from object o1 to object o2 by way of a copy operation.
- Regardless of the roles to which the privileges (o, r) and (o, w) are assigned, information will always be considered to flow from any object o to itself.
The first element corresponds to a directed edge from node (o1, r, R) to node (o2, w, R) in the flow graph,...
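
The following Python code is an added example, not taken from the book or from [OSBO02]. It builds the (o1, r, R) -> (o2, w, R) edges of the first element for a small constructed role graph, then chains them through objects to list every object that information from a given object can reach, which is the check an auditor would run to find unintended flows. The role names, object names, the JUNIORS inheritance map (a senior role inherits its juniors' privileges) and the reduction to object-level reachability are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample role graph (not from the book): direct privileges per role
# as (object, mode) pairs, and the junior roles each role inherits from.
DIRECT = {
    "Clerk":   {("orders", "r"), ("ledger", "w")},
    "Auditor": {("ledger", "r"), ("report", "w")},
    "Manager": {("salaries", "r")},
}
JUNIORS = {"Manager": {"Clerk"}}   # assumption: Manager is senior to Clerk


def effective_privileges(role, direct=DIRECT, juniors=JUNIORS):
    """Direct privileges of a role plus those inherited from its juniors
    (the role graph is assumed to be acyclic)."""
    privs = set(direct.get(role, ()))
    for junior in juniors.get(role, ()):
        privs |= effective_privileges(junior, direct, juniors)
    return privs


def flow_edges(direct=DIRECT, juniors=JUNIORS):
    """First element: edge (o1, r, R) -> (o2, w, R) when R holds both privileges."""
    edges = set()
    for role in direct:
        privs = effective_privileges(role, direct, juniors)
        reads = {o for o, mode in privs if mode == "r"}
        writes = {o for o, mode in privs if mode == "w"}
        edges |= {((o1, "r", role), (o2, "w", role)) for o1 in reads for o2 in writes}
    return edges


def object_flows(direct=DIRECT, juniors=JUNIORS):
    """For each object, the set of objects its content can reach by chained copies."""
    step = defaultdict(set)
    for (o1, _, _), (o2, _, _) in flow_edges(direct, juniors):
        step[o1].add(o2)
    objects = {o for r in direct for o, _ in effective_privileges(r, direct, juniors)}
    reach = {}
    for src in objects:
        seen, stack = {src}, [src]   # second element: o always flows to itself
        while stack:
            for nxt in step[stack.pop()] - seen:
                seen.add(nxt)
                stack.append(nxt)
        reach[src] = seen
    return reach
```

In this sample, no single role can both read salaries and write report, yet salaries still reaches report because Manager can copy it into ledger and Auditor can copy ledger into report.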