Role Based Access Control (RBAC)
and Role Based Security
One of the most challenging problems in managing large networks is the complexity of security administration. Role based access control (also called role based security), as formalized in 1992 by David Ferraiolo and Rick Kuhn (pdf), has become the predominant model for advanced access control because it reduces this cost. A variety of IT vendors, including IBM, Sybase, Secure Computing, and Siemens began developing products based on this model in 1994. In 2000, the Ferraiolo-Kuhn model was integrated with the framework of Sandhu et al. (pdf) to create a unified model for RBAC, published as the NIST RBAC model (Sandhu, Ferraiolo, and Kuhn, 2000 - pdf) and adopted as an ANSI/INCITS standard in 2004. Today, most information technology vendors have incorporated RBAC into their product lines, and the technology is finding applications in areas ranging from health care to defense, in addition to the mainstream commerce systems for which it was designed. As of 2010, the majority of users in enterprises of 500 or more are now using RBAC, according to the Research Triangle Institute. For more information, please contact us at: email@example.com.
New to RBAC?
RBAC Workshop, was held July 17, 2013.
Economic Benefits of Role Based Access Control Analyzes economic value of RBAC for the enterprise and for the national economy, and provides quantitative economic benefits of RBAC per employee for adopting firms. Of particular interest to firms considering RBAC, report calculates savings from reduced employee downtime, more efficient provisioning, and more efficient access control policy administration, beyond the added security provided by RBAC. NIST's RBAC research was estimated to have contributed $1.1 billion in economic value. (pdf - Feb. 2011, Research Triangle Institute)
RBAC vs. ABAC - attribute based access control. ABAC is a rule-based approach to access control that can be easy to set up but complex to manage. We are investigating both practical and theoretical aspects of ABAC and similar approaches. The following papers discuss ABAC and tradeoffs in design:
E.J. Coyne, T.R. Weil, ABAC and RBAC: Scalable, Flexible, and Auditable Acces Management, IEEE IT Professional, May/June 2013. - reviews tradeoffs and characteristics of role based and attribute based approaches.
D.R. Kuhn, Vulnerability Hierarchies in Access Control Configurations, 4th Symposium on Configuration Analytics and Automation (SAFECONFIG) 2011, IEEE.Oct. 31 – Nov. 1 Arlington, Virginia. pp. 1-9: shows that hierarchies of vulnerability detection conditions exist in ABAC rules, such that tests which detect one class of vulnerability are guaranteed to detect other classes.
D.R. Kuhn, E.J. Coyne, T.R. Weil, Adding Attributes to Role Based Access Control, IEEE Computer, June, 2010, pp. 79-81: discusses revisions to RBAC standard being developed to combine advantages of RBAC and ABAC approaches.
INCITS CS1.1 standards update 2012 - discussing proposal for Role Based Access Control
- these sections of the site can be helpful: Primary RBAC References/Background (below), RBAC FAQ
, RBAC Case Studies
- you may want to start with: Role Engineering and RBAC Standards
, RBAC Case Studies
Researcher or student?
- see Primary RBAC References/Background (below) and other research papers on this page.
t: NIST's RBAC research saves industry $1.1 billion (pdf
- Feb. 2011)
Primary RBAC References/Background
D.F. Ferraiolo and D.R. Kuhn (1992) "Role Based Access Control
" 15th National Computer Security Conference, Oct 13-16, 1992, pp. 554-563. - introduced formal model for role based access control.
R. S. Sandhu, E.J. Coyne, H.L. Feinstein, C.E. Youman (1996), "Role-Based Access Control Models
", IEEE Computer 29(2): 38-47, IEEE Press, 1996.- proposed a framework for RBAC models.
: R. Sandhu, D.F. Ferraiolo, D, R. Kuhn (2000), "The NIST Model for Role Based Access Control: Toward a Unified Standard
," Proceedings, 5th ACM Workshop on Role Based Access Control, July 26-27, 2000, Berlin, pp.47-63 - first public draft of the NIST RBAC model and proposal for an RBAC standard.
: American National Standard 359-2004 is the information technology industry consensus standard for RBAC. An explanation of the model used in the standard can be found in the original proposal above
. The official standards document is published by ANSI INCITS
D.F. Ferraiolo, R. Kuhn, R. Sandhu (2007), "RBAC Standard Rationale: comments on a Critique of the ANSI Standard on Role Based Access Control
", IEEE Security & Privacy, vol. 5, no. 6 (Nov/Dec 2007), pp. 51-53 - explains decisions made in developing RBAC standard.
D.R. Kuhn, E.J. Coyne, T.R. Weil, "Adding Attributes to Role Based Access Control
", IEEE Computer, vol. 43, no. 6 (June, 2010), pp. 79-81.
RBAC for web services standard
: Web applications can use RBAC services defined by the OASIS XACML Technical Committee
(see "XACML RBAC Profile"). The XACML specification describes building blocks from which an RBAC solution is constructed. A full example illustrates these building blocks. The specification then discusses how these building blocks may be used to implement the various elements of the RBAC model presented in ANSI INCITS 359-2004.
RBAC Design & Implementation
- D.F. Ferraiolo and D.R. Kuhn (1992) "Role Based Access Control" 15th National Computer Security Conf. Oct 13-16, 1992, pp. 554-563 the original paper that evolved into the NIST RBAC model.
- "An Introduction to Role Based Access Control" NIST CSL Bulletin on RBAC (December, 1995)
- D.F. Ferraiolo, D.R. Kuhn, R. Chandramouli, Role Based Access Control (book), Artech House, 2003, 2nd Edition, 2007.
- D. Ferraiolo, J. Cugini, R. Kuhn, "Role Based Access Control: Features and Motivations," Proceedings, Annual Computer Security Applications Conference, IEEE Computer Society Press, 1995. - extends 1992 model.
- D.R. Kuhn, "Mutual Exclusion of Roles as a Means of Implementing Separation of Duty in Role-Based Access Control Systems" Second ACM Workshop on Role-Based Access Control. 1997 - defines necessary and sufficient conditions for safe separation of duty.
- R. Chandramouli, R. Sandhu, "Role Based Access Control Features in Commercial Database Management Systems," 21st National Information Systems Security Conference, October 6-9, 1998, Crystal City, Virginia. Best Paper Award! - survey of RBAC implementations.
- S. Gavrila, J. Barkley, "Formal Specification for Role Based Access Control User/Role and Role/Role Relationship Management" (1998), Third ACM Workshop on Role-Based Access Control.
- D.R. Kuhn. "Role Based Access Control on MLS Systems Without Kernel Changes" Third ACM Workshop on Role Based Access Control,October 22-23,1998 - how to simulate RBAC on MAC systems.
- J. Barkley, C. Beznosov, Uppal, "Supporting Relationships in Access Control using Role Based Access Control", Fourth ACM Workshop on Role-Based Access Control (1999).
- R. Sandhu, D. Ferraiolo, R. Kuhn, "The NIST Model for Role Based Access Control: Towards a Unified Standard," Proceedings, 5th ACM Workshop on Role Based Access Control, July 26-27, 2000, Berlin,pp.47-63. - initial proposal for the current INCITS 359-2004 RBAC standard.
- W.A. Jansen, "Inheritance Properties of Role Hierarchies," 21st National Information Systems Security Conference, October 6-9, 1998, Crystal City, Virginia - analyzes permission inheritance in RBAC.
- R. Chandramouli,"Business Process Driven Framework for defining an Access Control Service based on Roles and Rules", 23rd National Information Systems Security Conference, 2000. PDF
- W.A. Jansen, "A Revised Model for Role Based Access Control", NIST-IR 6192, July 9, 1998
- Slide Presentation from DOE Security Research Workshop III, (Barkley, 1998).
- Slide Presentation Summarizing RBAC Projects
- "A Marketing Survey of Civil Federal Government Organizations to Determine the Need for RBAC Security Product" (SETA Corporation, 1996).
- D. F. Ferraiolo, .Chandramouli, G.J. Ahn, S.I. Gavrila, The role control center: features and case studies, SACMAT '03: Proceedings of the eighth ACM symposium on Access control models and technologies, Como, Italy, 2003, pp. 12-20.