Many organizations are in the process of moving to role based access control. The process of developing an RBAC structure for an organization has become known as "role engineering." Role engineering can be a complex undertaking. For example, in implementing RBAC for a large European bank with over 50,000 employees and 1400 branches serving more than 6 million customers, approximately 1300 roles were discovered. In view of the complexities, RBAC is best implemented by applying a structured framework that breaks down each task into its component parts. The resources on this page can help developers and managers with this process.
Because standards are normally a vital part of integrating RBAC into an organization, a number of organizations have developed, or are currently developing, RBAC standards for specialized domains, in addition to general-purpose RBAC standards. Please note that only standards activities are covered here; applications of RBAC, research, and case studies are addressed elsewhere on this site. This page consolidates information on RBAC-related standards, summarizes how they fit together, and will be updated as new standards activities are initiated. (Please note that some authors and organizations below are not affiliated with NIST or any other agency of the US Government, unless otherwise noted, and NIST cannot endorse or comment on these publications.)
See the Project Contacts for more information on RBAC standards.
Resources below can be helpful in planning a migration to RBAC.
American National Standard 359-2004 is the fundamental Information Technology industry consensus standard for RBAC. In 2000, NIST proposed a unified model for RBAC, based on the Ferraiolo-Kuhn (1992) model, in the framework developed by Sandhu et al. (1996). The model was further refined within the RBAC community and has been adopted by the American National Standards Institute, International Committee for Information Technology Standards (ANSI/INCITS) as ANSI INCITS 359-2004.
RBAC has a natural fit with many health care applications. Standards are being developed under the HL7 Standards Development Organization. The Department of Veterans Affairs is leading a number of these activities. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates use of RBAC to protect patient information. The HL7 RBAC activities are oriented toward application level systems that are built using the services defined in the general purpose RBAC standards.
RBAC is being used to secure the networks and applications that control power plants, manufacturing facilities, and other process control systems. These activities were initiated in 2004 and are still developing.
The US Navy COMPACFLT has a project that builds on ANSI/INCITS 359: Enterprise Dynamic Access Control (EDAC).
INCITS working group M1 is developing a set of biometric standards that reference and use RBAC, including ANSI/INCITS 359.
XML-based Web applications for E-Commerce. From OASIS, the e-business consortium, XACML Technical Committee. The XACML specification describes building blocks that "may be used to implement the various elements of the RBAC model presented in [ANSI/INCITS 359]." Thus, the XACML profile may be considered complementary to ANSI/INCITS 359.