Published: November 7, 1997
Author(s)
John Barkley (NIST)
Conference
Name: Second ACM Workshop on Role-Based Access Control (RBAC '97)
Dates: 11/06/1997 - 11/07/1997
Location: Fairfax, Virginia, United States
Citation: Proceedings of the Second ACM Workshop on Role-Based Access Control (RBAC '97), pp. 127-132
The RBAC metaphor is powerful in its ability to express access control policy in terms of the way in which administrators view organizations. The functionality of simple Role Based Access Control (RBAC) models are compared to access control lists (ACL). A very simple RBAC model is shown to be no different from a group ACL mechanism from the point of view of its ability to express access control policy. RBAC is often distinguished from ACLs by the inclusion of a feature which allows a session to be associated with a proper subset of the roles (i.e., groups in ACL terms) authorized for a user. Two possible semantics for this feature are described: one which requires a similar amount of processing as that required by ACLs, and another which requires significantly more processing than that required by ACLs. In addition, the capability to define role hierarchies is compared to an equivalent feature in ACLs.
The RBAC metaphor is powerful in its ability to express access control policy in terms of the way in which administrators view organizations. The functionality of simple Role Based Access Control (RBAC) models are compared to access control lists (ACL). A very simple RBAC model is shown to be no...
See full abstract
The RBAC metaphor is powerful in its ability to express access control policy in terms of the way in which administrators view organizations. The functionality of simple Role Based Access Control (RBAC) models are compared to access control lists (ACL). A very simple RBAC model is shown to be no different from a group ACL mechanism from the point of view of its ability to express access control policy. RBAC is often distinguished from ACLs by the inclusion of a feature which allows a session to be associated with a proper subset of the roles (i.e., groups in ACL terms) authorized for a user. Two possible semantics for this feature are described: one which requires a similar amount of processing as that required by ACLs, and another which requires significantly more processing than that required by ACLs. In addition, the capability to define role hierarchies is compared to an equivalent feature in ACLs.
Hide full abstract
Keywords
access control lists; ACL; RBAC; Role-Based Access Control
Control Families
None selected