U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Role Based Access Control RBAC

RBAC Library

The following references provide historical background and important details about RBAC.  


Role-Based Access Control

Role-Based Access Control, 2nd edition (2007)
by David Ferraiolo, Ramaswamy Chandramouli, and D. Richard Kuhn


Select a heading to expand/collapse the view.

D.F. Ferraiolo and D.R. Kuhn (1992), Role-Based Access Controls15th National Computer Security Conference.
  • The original RBAC paper; introduced a formal model for role based access.
D.F. Ferraiolo, J. Cugini, D.R. Kuhn (1995), Role-Based Access Control (RBAC): Features and MotivationsComputer Security Applications Conference.
  • Extended the 1992 model.
R. S. Sandhu, E.J. Coyne, H.L. Feinstein, C.E. Youman (1996), Role-Based Access Control Models, IEEE Computer 29(2): 38-47.
  • Introduced a framework for RBAC models.

Summary of early theoretical results for RBAC models that evolved into the RBAC standard:

1992 Ferraiolo and Kuhn paper defining  RBAC model, with access  permitted only through roles. Formally defined role hierarchies and constraints including separation of duty.
1994 DTOS based RBAC prototype developed by Ferraiolo, Kuhn, Gavrila.
  Nyanchama and Osborn paper defined role graph model.
  IBM files (in Europe) first patent application in RBAC area, cites Ferraiolo, Kuhn work as "closest prior art."
1995 Ferraiolo, Cugini, Kuhn publish extended formal model, defined separation of duty forms.
1996 Sandhu, Coyne, Feinstein, Youman  paper defining family of RBAC models.
  Sandhu method for implementing MLS/MAC model on RBAC system.
1997 Kuhn paper on separation of duty; necessary and sufficient conditions for separation safety.
  Osborn paper on relationship between RBAC and multilevel security mandatory access (MLS/MAC) security policy models; role lemma relating RBAC and multilevel security.
  Ferraiolo and Barkley paper on economic advantages of RBAC.
1998 Kuhn method for implementing hierarchical RBAC model on MLS/MAC system.
1999 Prototype RBAC for web servers developed by Barkley, Ferraiolo, Kuhn, Cincotta and distributed as open source.
2000 Sandhu, Ferraiolo, Kuhn define consolidated RBAC model for proposed industry standard.
2001 Research Triangle Institute study on economic impact of RBAC attributes 44% of RBAC impact to NIST research.
2004 American National Standards Institute, International Committee for Information Technology Standards (ANSI/INCITS) adopts Sandhu, Ferraiolo, Kuhn RBAC proposal as an industry consensus standard INCITS 359:2004.
D.F. Ferraiolo and D.R. Kuhn (1992), Role-Based Access Controls, 15th National Computer Security Conf. Oct 13-16, 1992, pp. 554-563.
  • The original paper that evolved into the NIST RBAC model.
An Introduction to Role Based Access Control, NIST CSL Bulletin on RBAC (December 1995).
D.F. Ferraiolo, D.R. Kuhn, R. Chandramouli (2007), Role-Based Access Control [book], 2nd edition (2007), Artech House (1st edition, 2003).
D. Ferraiolo, J. Cugini, R. Kuhn (1995), Role-Based Access Control (RBAC): Features and Motivations, Proceedings, Annual Computer Security Applications Conference, IEEE Computer Society Press.
  • Extends the 1992 model.
D.R. Kuhn (1997), Mutual Exclusion of Roles as a Means of Implementing Separation of Duty in Role-Based Access Control SystemsSecond ACM Workshop on Role-Based Access Control.
  • Defines necessary and sufficient conditions for safe separation of duty.
R. Chandramouli, R. Sandhu (1998), Role-Based Access Control Features in Commercial Database Management Systems," 21st National Information Systems Security Conference, October 6-9, 1998, Crystal City, Virginia.
  • Best Paper Award! - survey of RBAC implementations.
S. Gavrila, J. Barkley (1998), Formal Specification for Role Based Access Control User/Role and Role/Role Relationship Management, Third ACM Workshop on Role-Based Access Control.
D.R. Kuhn (1998), Role Based Access Control on MLS Systems Without Kernel ChangesThird ACM Workshop on Role Based Access Control.
  • How to simulate RBAC on MAC systems.
J. Barkley, C. Beznosov, Uppal (1999), Supporting Relationships in Access Control Using Role Based Access Control, Fourth ACM Workshop on Role-Based Access Control.
R. Sandhu, D. Ferraiolo, R. Kuhn (2000), The NIST Model for Role-Based Access Control: Towards a Unified Standard, Proceedings, 5th ACM Workshop on Role Based Access Control.
  • Initial proposal for the current INCITS 359-2004 RBAC standard.
W.A. Jansen (1998), Inheritance Properties of Role Hierarchies21st National Information Systems Security Conference.
  • Analyzes permission inheritance in RBAC.
R. Chandramouli (2000), Business Process Driven Framework for Defining an Access Control Service Based on Roles and Rules, 23rd National Information Systems Security Conference.
W.A. Jansen (1998), A Revised Model for Role Based Access Control, NIST Internal Report (NISTIR) 6192.
Slide Presentation from DOE Security Research Workshop III, (Barkley, 1998).
Slide Presentation summarizing RBAC Projects
A Marketing Survey of Civil Federal Government Organizations to Determine the Need for RBAC Security Product (SETA Corporation, 1996).
D.F. Ferraiolo, R. Chandramouli, G.J. Ahn, S.I. Gavrila (2003), The Role Control Center: Features and Case Studies, SACMAT '03: Proceedings of the eighth ACM symposium on Access control models and technologies.
D.R. Kuhn (2011), Vulnerability Hierarchies in Access Control Configurations, 4th Symposium on Configuration Analytics and Automation, IEEE, Oct. 31 - Nov. 1, 2011, Arlington, VA.
V. Hu, D.R. Kuhn, T. Xie (2008), Property Verification for Generic Access Control Models,  IEEE/IFIP International Symposium on Trust, Security, and Privacy for Pervasive Applications.
J. Barkley (1995), Implementing Role-Based Access Control Using Object Technology, First ACM Workshop on Role-Based Access Control.
J.F. Barkley, A.V. Cincotta (1998), Managing Role/Permission Relationships Using Object Access Types, Third ACM Workshop on Role Based Access Control.
K. Beznosov, Y. Deng, B. Blakley, C. Burt, J. Barkley (1999), A Resource Access Decision Service for CORBA-based Distributed Systems, 15th Annual Computer Security Applications Conference (ACSAC).
S. Wakid, J.F. Barkley, M.Skall (1999), Object Retrieval and Access Management in Electronic Commerce, IEEE Communications Magazine.
R.Chandramouli (2000), Application of XML Tools for Enterprise-Wide RBAC Implementation Tasks, 5th ACM workshop on Role-based Access Control.
R.Chandramouli (2003), Specification and Validation of Enterprise Access Control Data for Conformance to Model and Policy Constraints, 7th World Multi-conference on Systemics, Cybernetics and Informatics (SCI 2003). Best Paper Award!
The Economic Impact of Role-Based Access Control, Research Triangle Institute, NIST Planning Report 02-01. 2002
D. Ferraiolo and J.F. Barkley (1997), Comparing Administrative Cost for Hierarchical and Non-hierarchical Role Representations, Second ACM Workshop on Role-Based Access Control.
J. Barkley (1997), Comparing Simple Role Based Access Control Models and Access Control Lists, Second ACM Workshop on Role-Based Access Control.
A Marketing Survey of Civil Federal Government Organizations to Determine the Need for RBAC Security Product, (SETA Corporation, 1996).
D.F. Ferraiolo, J. Barkley, D.R. Kuhn (1999), A Role-Based Access Control Model and Reference Implementation Within a Corporate Intranet, ACM Transactions on Information Systems Security, vol. 1, no. 2 (February 1999).
D.F. Ferraiolo, J. Barkley (1997), Specifying and Managing Role-Based Access Control Within a Corporate Intranet, Second ACM Workshop on Role-Based Access Control.
J. Barkley, A.V. Cincotta, D.F. Ferraiolo, S. Gavrila,D.R. Kuhn (1997), Role Based Access Control for the World Wide Web, 20th National Computer Security Conference.
Role Based Access Control for the World Wide Web (1997) [Slide Presentation].
J. Barkley, D.R. Kuhn, L. Rosenthal, M. Skall, A.V. Cincotta (1998), Role-Based Access Control for the Web, CALS Expo International & 21st Century Commerce 1998: Global Business Solutions for the New Millennium.


RBAC Inquiries

David Ferraiolo

Rick Kuhn
(301) 975-3337

Ramaswamy "Mouli" Chandramouli


Security and Privacy: access control

Created November 21, 2016, Updated June 22, 2020