This is a potential security issue, you are being redirected to https://csrc.nist.gov
The following references provide historical background and important details about RBAC.
Role-Based Access Control, 2nd edition (2007)
by David Ferraiolo, Ramaswamy Chandramouli, and D. Richard Kuhn
Select a heading to expand/collapse the view.
|D.F. Ferraiolo and D.R. Kuhn (1992), Role-Based Access Controls, 15th National Computer Security Conference.
|D.F. Ferraiolo, J. Cugini, D.R. Kuhn (1995), Role-Based Access Control (RBAC): Features and Motivations, Computer Security Applications Conference.
|R. S. Sandhu, E.J. Coyne, H.L. Feinstein, C.E. Youman (1996), Role-Based Access Control Models, IEEE Computer 29(2): 38-47.
Summary of early theoretical results for RBAC models that evolved into the RBAC standard:
|1992||Ferraiolo and Kuhn paper defining RBAC model, with access permitted only through roles. Formally defined role hierarchies and constraints including separation of duty.|
|1994||DTOS based RBAC prototype developed by Ferraiolo, Kuhn, Gavrila.|
|Nyanchama and Osborn paper defined role graph model.|
|IBM files (in Europe) first patent application in RBAC area, cites Ferraiolo, Kuhn work as "closest prior art."|
|1995||Ferraiolo, Cugini, Kuhn publish extended formal model, defined separation of duty forms.|
|1996||Sandhu, Coyne, Feinstein, Youman paper defining family of RBAC models.|
|Sandhu method for implementing MLS/MAC model on RBAC system.|
|1997||Kuhn paper on separation of duty; necessary and sufficient conditions for separation safety.|
|Osborn paper on relationship between RBAC and multilevel security mandatory access (MLS/MAC) security policy models; role lemma relating RBAC and multilevel security.|
|Ferraiolo and Barkley paper on economic advantages of RBAC.|
|1998||Kuhn method for implementing hierarchical RBAC model on MLS/MAC system.|
|1999||Prototype RBAC for web servers developed by Barkley, Ferraiolo, Kuhn, Cincotta and distributed as open source.|
|2000||Sandhu, Ferraiolo, Kuhn define consolidated RBAC model for proposed industry standard.|
|2001||Research Triangle Institute study on economic impact of RBAC attributes 44% of RBAC impact to NIST research.|
|2004||American National Standards Institute, International Committee for Information Technology Standards (ANSI/INCITS) adopts Sandhu, Ferraiolo, Kuhn RBAC proposal as an industry consensus standard INCITS 359:2004.|
|D.F. Ferraiolo and D.R. Kuhn (1992), Role-Based Access Controls, 15th National Computer Security Conf. Oct 13-16, 1992, pp. 554-563.
|An Introduction to Role Based Access Control, NIST CSL Bulletin on RBAC (December 1995).|
|D.F. Ferraiolo, D.R. Kuhn, R. Chandramouli (2007), Role-Based Access Control [book], 2nd edition (2007), Artech House (1st edition, 2003).|
|D. Ferraiolo, J. Cugini, R. Kuhn (1995), Role-Based Access Control (RBAC): Features and Motivations, Proceedings, Annual Computer Security Applications Conference, IEEE Computer Society Press.
|D.R. Kuhn (1997), Mutual Exclusion of Roles as a Means of Implementing Separation of Duty in Role-Based Access Control Systems, Second ACM Workshop on Role-Based Access Control.
|R. Chandramouli, R. Sandhu (1998), Role-Based Access Control Features in Commercial Database Management Systems," 21st National Information Systems Security Conference, October 6-9, 1998, Crystal City, Virginia.
|S. Gavrila, J. Barkley (1998), Formal Specification for Role Based Access Control User/Role and Role/Role Relationship Management, Third ACM Workshop on Role-Based Access Control.|
|D.R. Kuhn (1998), Role Based Access Control on MLS Systems Without Kernel Changes, Third ACM Workshop on Role Based Access Control.
|J. Barkley, C. Beznosov, Uppal (1999), Supporting Relationships in Access Control Using Role Based Access Control, Fourth ACM Workshop on Role-Based Access Control.|
|R. Sandhu, D. Ferraiolo, R. Kuhn (2000), The NIST Model for Role-Based Access Control: Towards a Unified Standard, Proceedings, 5th ACM Workshop on Role Based Access Control.
|W.A. Jansen (1998), Inheritance Properties of Role Hierarchies, 21st National Information Systems Security Conference.
|R. Chandramouli (2000), Business Process Driven Framework for Defining an Access Control Service Based on Roles and Rules, 23rd National Information Systems Security Conference.|
|W.A. Jansen (1998), A Revised Model for Role Based Access Control, NIST Internal Report (NISTIR) 6192.|
|Slide Presentation from DOE Security Research Workshop III, (Barkley, 1998).|
|D.F. Ferraiolo, R. Chandramouli, G.J. Ahn, S.I. Gavrila (2003), The Role Control Center: Features and Case Studies, SACMAT '03: Proceedings of the eighth ACM symposium on Access control models and technologies.|
|D.R. Kuhn (2011), Vulnerability Hierarchies in Access Control Configurations, 4th Symposium on Configuration Analytics and Automation, IEEE, Oct. 31 - Nov. 1, 2011, Arlington, VA.|
|V. Hu, D.R. Kuhn, T. Xie (2008), Property Verification for Generic Access Control Models, IEEE/IFIP International Symposium on Trust, Security, and Privacy for Pervasive Applications.|
|J. Barkley (1995), Implementing Role-Based Access Control Using Object Technology, First ACM Workshop on Role-Based Access Control.|
|J.F. Barkley, A.V. Cincotta (1998), Managing Role/Permission Relationships Using Object Access Types, Third ACM Workshop on Role Based Access Control.|
|K. Beznosov, Y. Deng, B. Blakley, C. Burt, J. Barkley (1999), A Resource Access Decision Service for CORBA-based Distributed Systems, 15th Annual Computer Security Applications Conference (ACSAC).|
|S. Wakid, J.F. Barkley, M.Skall (1999), Object Retrieval and Access Management in Electronic Commerce, IEEE Communications Magazine.|
|R.Chandramouli (2000), Application of XML Tools for Enterprise-Wide RBAC Implementation Tasks, 5th ACM workshop on Role-based Access Control.|
|R.Chandramouli (2003), Specification and Validation of Enterprise Access Control Data for Conformance to Model and Policy Constraints, 7th World Multi-conference on Systemics, Cybernetics and Informatics (SCI 2003). Best Paper Award!|
|The Economic Impact of Role-Based Access Control, Research Triangle Institute, NIST Planning Report 02-01. 2002|
|D. Ferraiolo and J.F. Barkley (1997), Comparing Administrative Cost for Hierarchical and Non-hierarchical Role Representations, Second ACM Workshop on Role-Based Access Control.|
|J. Barkley (1997), Comparing Simple Role Based Access Control Models and Access Control Lists, Second ACM Workshop on Role-Based Access Control.|
|A Marketing Survey of Civil Federal Government Organizations to Determine the Need for RBAC Security Product, (SETA Corporation, 1996).|
|D.F. Ferraiolo, J. Barkley, D.R. Kuhn (1999), A Role-Based Access Control Model and Reference Implementation Within a Corporate Intranet, ACM Transactions on Information Systems Security, vol. 1, no. 2 (February 1999).|
|D.F. Ferraiolo, J. Barkley (1997), Specifying and Managing Role-Based Access Control Within a Corporate Intranet, Second ACM Workshop on Role-Based Access Control.|
|J. Barkley, A.V. Cincotta, D.F. Ferraiolo, S. Gavrila,D.R. Kuhn (1997), Role Based Access Control for the World Wide Web, 20th National Computer Security Conference.|
|Role Based Access Control for the World Wide Web (1997) [Slide Presentation].|
|J. Barkley, D.R. Kuhn, L. Rosenthal, M. Skall, A.V. Cincotta (1998), Role-Based Access Control for the Web, CALS Expo International & 21st Century Commerce 1998: Global Business Solutions for the New Millennium.|