
role engineering and rbac standards

Many organizations are moving to role based access control. The process of developing an RBAC structure for an organization has become known as "role engineering". Role engineering can be a complex undertaking. For example, in implementing RBAC for a large European bank with over 50,000 employees and 1,400 branches serving more than 6 million customers, approximately 1,300 roles were discovered. In view of the complexities, RBAC is best implemented by applying a structured framework that breaks down each task into its component parts. The resources on this page can help developers and managers with this process.

Because standards are normally a vital part of integrating RBAC into an organization, a number of organizations have developed, or are currently developing, RBAC standards for specialized domains, in addition to general-purpose RBAC standards. Please note that only standards activities are covered here; applications of RBAC, research, and case studies are addressed elsewhere on this site. This page consolidates information on RBAC-related standards, summarizes how they fit together, and will be updated as new standards activities are initiated. (Please note that some authors and organizations below are not affiliated with NIST or any other agency of the US Government, unless otherwise noted, and NIST cannot endorse or comment on these publications.)

For more information on RBAC standards, contact Rick Kuhn at rbac-info@nist.gov. (last update 11 Feb 08)


role engineering

Resources below are good starting points in planning a migration to RBAC:
  • PROCEDURES MANUAL used by the Department of Veterans Affairs to implement a large RBAC system for VA hospitals (pdf)
  • BOOK on the process, entitled Role Engineering, E. Coyne and M. Davis, Artech House, 2007.
  • CASE STUDY Andreas Schaad, Jonathan Moffett, Jeremy Jacob. The Role-Based Access Control System of a European Bank: A Case Study and Discussion (pdf), 6th ACM Symposium on Access Control Models and Technologies, 2001. (large European bank with over 50,000 employees and 1,400 branches serving more than 6 million customers)
  • EXPERIENCE REPORT A. Kern, Advanced Features for Enterprise-Wide Role Based Access Control (pdf)
  • SCENARIO DRIVEN ROLE ENGINEERING G. Neumann and M. Strembeck. A Scenario-driven Role Engineering Process for Functional RBAC Roles, 7th ACM Symposium on Access Control Models and Technologies, 2002. (pdf)
  • GOAL DRIVEN ROLE ENGINEERING Q. He. A Structured Role Engineering Process for Privacy-Aware RBAC Systems (pdf) and Q. He and A. Anton, A Framework for Modeling Privacy Requirements in Role Engineering (pdf)

General Purpose RBAC Standards

American National Standard 359-2004 is the fundamental Information Technology industry consensus standard for RBAC. In 2000, NIST proposed a unified model for RBAC, based on the Ferraiolo-Kuhn (1992) model, in the framework developed by Sandhu et al (1996).  The model was further refined within the RBAC community and has been adopted by the American National Standards Institute,  International Committee for Information Technology Standards (ANSI/INCITS) as ANSI INCITS 359-2004.
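As an added illustration (not code from NIST, the standard, or this page), the following Python sketches the Core RBAC component of ANSI INCITS 359-2004: users, roles, permissions as operation-object pairs, the user-assignment (UA) and permission-assignment (PA) relations, and sessions in which a user activates only a subset of assigned roles. The method names echo the standard's functional specification but the class, its storage layout, and the bank-flavoured role names used in the test are this example's own assumptions.

```python
# Added example: a minimal Core RBAC model in the style of ANSI INCITS 359-2004.
# Method names echo the standard's functional specification (AddUser, AssignUser,
# GrantPermission, CreateSession, AddActiveRole, CheckAccess), but this class is
# this example's own, not code from NIST or from the standard itself.
from dataclasses import dataclass, field

Permission = tuple[str, str]  # (operation, object) pair


@dataclass
class CoreRBAC:
    users: set[str] = field(default_factory=set)
    roles: set[str] = field(default_factory=set)
    ua: dict[str, set[str]] = field(default_factory=dict)         # user -> assigned roles (UA)
    pa: dict[str, set[Permission]] = field(default_factory=dict)  # role -> permissions (PA)
    sessions: dict[str, tuple[str, set[str]]] = field(default_factory=dict)  # id -> (user, active roles)

    def add_user(self, user: str) -> None:
        self.users.add(user)
        self.ua.setdefault(user, set())

    def add_role(self, role: str) -> None:
        self.roles.add(role)
        self.pa.setdefault(role, set())

    def assign_user(self, user: str, role: str) -> None:
        if user not in self.users or role not in self.roles:
            raise KeyError(f"unknown user or role: {user}, {role}")
        self.ua[user].add(role)

    def grant_permission(self, role: str, op: str, obj: str) -> None:
        if role not in self.roles:
            raise KeyError(f"unknown role: {role}")
        self.pa[role].add((op, obj))

    def create_session(self, user: str, session_id: str) -> None:
        if user not in self.users:
            raise KeyError(f"unknown user: {user}")
        self.sessions[session_id] = (user, set())  # no roles active until explicitly activated

    def add_active_role(self, session_id: str, role: str) -> None:
        user, active = self.sessions[session_id]
        if role not in self.ua[user]:              # only roles assigned to the user may be activated
            raise PermissionError(f"{role} is not assigned to {user}")
        active.add(role)

    def check_access(self, session_id: str, op: str, obj: str) -> bool:
        """Access is granted only through a role that is active in the session, not merely assigned."""
        _, active = self.sessions[session_id]
        return any((op, obj) in self.pa[r] for r in active)
```

The distinction between assignment and activation is what lets a user who holds several roles work under the least privilege needed for a given session.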


Web Applications

XML-based Web applications for E-Commerce. From OASIS, the e-business consortium, XACML Technical Committee. The XACML specification describes building blocks that "may be used to implement the various elements of the RBAC model presented in [ANSI/INCITS 359]." Thus, the XACML profile may be considered complementary to ANSI/INCITS 359.


Health Care

RBAC has a natural fit with many health care applications. Standards are being developed under the HL7 Standards Development Organization. The Department of Veterans Affairs is leading a number of these activities.  The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates use of RBAC to protect patient information. The HL7 RBAC activities are oriented toward application level systems that are built using the services defined in the general purpose RBAC standards.


Military

DISA is integrating RBAC into net-centric services. 

  • NESI - Net-Centric Enterprise Services (pdf)  specifies role based authorization. NESI is a cross-service effort that provides actionable guidance meeting DoD Network-Centric Warfare goals.
  • A Security Architecture for Net-centric Enterprise Services   pdf
  • DISA Net Centric Enterprise Services , IA Security
  • Navy Enterprise Services (overview article)   pdf
Other DoD standards specifying RBAC:
  • DoD 8570.01-M  pdf  - specifies role based access for each DoD IS
  • COMSCINST 5239.3A, Military Sealift Command   pdf  
  • CJCSM 6510.01  DEFENSE-IN-DEPTH: INFORMATION ASSURANCE (IA) AND COMPUTER NETWORK DEFENSE (CND)  [US Govt only]
The US Navy COMPACFLT has a project that builds on  ANSI/INCITS 359: Enterprise Dynamic Access Control (EDAC). 
  • Enterprise Dynamic Access Control (EDAC) Overview  pdf
  • EDAC Presentation  ppt
  • EDAC Compliance with the NIST RBAC Standard ANSI/INCITS 359  pdf
  • Enterprise Dynamic Access Control (EDAC) Case Study  pdf


Industrial Control Systems

RBAC is being used to secure the networks and applications that control power plants, manufacturing facilities, and other process control systems. These activities were initiated in 2004 and are still developing.



Biometrics

INCITS working group M1 is developing a set of biometric standards that reference and use RBAC, including ANSI/INCITS 359.

