Reviews of the RBAC book:
  • "A must read." - IEEE Computer Society, Security & Privacy
  • "Overall, this is a great book." - Linux Journal

Awards:
  • 2002 Gold Medal for Scientific/Engineering Achievement - US Department
  • 1998 Excellence in Technology Transfer Award - Federal Laboratory Consortium
  • 1998 Best Paper - National Information Systems Security Conference

Role Based Access Control (RBAC) and Role Based Security

One of the most challenging problems in managing large networks is the complexity of security administration. Role based access control (also called role based security), as formalized in 1992 by David Ferraiolo and Rick Kuhn (pdf), has become the predominant model for advanced access control because it reduces this cost. A variety of IT vendors, including IBM, Sybase, Secure Computing, and Siemens began developing products based on this model in 1994.  In 2000, the Ferraiolo-Kuhn model was integrated with the framework of Sandhu et al. (pdf) to create a unified model for RBAC, published as the NIST RBAC model (Sandhu, Ferraiolo, and Kuhn, 2000 - pdf) and adopted as an ANSI/INCITS standard in 2004. Today, most information technology vendors have incorporated RBAC into their product lines, and the technology is finding applications in areas ranging from health care to defense, in addition to the mainstream commerce systems for which it was designed. For more information, please contact us at: rbac-info@nist.gov.

New to RBAC? These sections of the site can be helpful: Primary RBAC References/Background (below), RBAC FAQ, RBAC Case Studies.
Implementing RBAC? You may want to start with: Role Engineering and RBAC Standards, RBAC Case Studies.
Researcher or student? See Primary RBAC References/Background (below) and the other research papers on this page.


Primary RBAC References/Background

RBAC Model

D.F. Ferraiolo and D.R. Kuhn (1992), "Role Based Access Control", 15th National Computer Security Conference, Oct. 1992 - introduced a formal model for role based access control. HTML  PDF  Postscript.

R.S. Sandhu, E.J. Coyne, H.L. Feinstein, C.E. Youman (1996), "Role-Based Access Control Models", IEEE Computer 29(2): 38-47, IEEE Press, 1996 - proposed a framework for RBAC models. PDF

RBAC Standard

Original proposal: R. Sandhu, D.F. Ferraiolo, D.R. Kuhn (2000), "The NIST Model for Role Based Access Control: Towards a Unified Standard," Postscript  PDF  Proceedings, 5th ACM Workshop on Role Based Access Control, July 26-27, 2000 - first public draft of the NIST RBAC model and proposal for an RBAC standard.

Current standard: American National Standard 359-2004 is the information technology industry consensus standard for RBAC. An explanation of the model used in the standard can be found in the original proposal above. The official standards document is published by ANSI INCITS.

D.F. Ferraiolo, R. Kuhn, R. Sandhu (2007), "RBAC Standard Rationale: Comments on a Critique of the ANSI Standard on Role Based Access Control", IEEE Security & Privacy, vol. 5, no. 6 (Nov/Dec 2007), pp. 51-53 - PDF - explains decisions made in developing the RBAC standard.

RBAC for web services standard: Web applications can use RBAC services defined by the OASIS XACML Technical Committee (see "XACML RBAC Profile"). The XACML specification describes building blocks from which an RBAC solution is constructed. A full example illustrates these building blocks. The specification then discusses how these building blocks may be used to implement the various elements of the RBAC model presented in ANSI INCITS 359-2004.

RBAC Topics

RBAC Design & Implementation

  • "An Introduction to Role Based Access Control" NIST CSL Bulletin on RBAC (December, 1995) HTML  Text
  • D.F. Ferraiolo, D.R. Kuhn, R. Chandramouli, Role Based Access Control (book), Artech House, 2003, 2nd Edition, 2007.
  • D.F. Ferraiolo and D.R. Kuhn (1992), "Role Based Access Control", 15th National Computer Security Conference, Oct 13-16, 1992, pp. 554-563. HTML  PDF  Postscript.
  • D. Ferraiolo, J. Cugini, R. Kuhn, "Role Based Access Control: Features and Motivations," (HTML) Proceedings, Annual Computer Security Applications Conference, IEEE Computer Society Press, 1995.
  • D.R. Kuhn, "Mutual Exclusion of Roles as a Means of Implementing Separation of Duty in Role-Based Access Control Systems" Second ACM Workshop on Role-Based Access Control. 1997 PDF  Postscript
  • R. Chandramouli, R. Sandhu, "Role Based Access Control Features in Commercial Database Management Systems", 21st National Information Systems Security Conference, October 6-9, 1998, Crystal City, Virginia. Best Paper Award! PDF
  • S. Gavrila, J. Barkley, "Formal Specification for Role Based Access Control User/Role and Role/Role Relationship Management" (1998), Third ACM Workshop on Role-Based Access Control. PDF  Postscript
  • D.R. Kuhn, "Role Based Access Control on MLS Systems Without Kernel Changes", Third ACM Workshop on Role Based Access Control, October 22-23, 1998. PDF  Postscript
  • J. Barkley, C. Beznosov, Uppal, "Supporting Relationships in Access Control using Role Based Access Control", Fourth ACM Workshop on Role-Based Access Control (1999). Postscript
  • R. Sandhu, D. Ferraiolo, R. Kuhn, "The NIST Model for Role Based Access Control: Towards a Unified Standard," Proceedings, 5th ACM Workshop on Role Based Access Control, July 26-27, 2000.
  • W.A. Jansen, "Inheritance Properties of Role Hierarchies," 21st National Information Systems Security Conference, October 6-9, 1998, Crystal City, Virginia. Postscript  PDF
  • R. Chandramouli, "Business Process Driven Framework for defining an Access Control Service based on Roles and Rules", 23rd National Information Systems Security Conference, 2000. PDF
  • W.A. Jansen, "A Revised Model for Role Based Access Control", NIST-IR 6192, July 9, 1998 Postscript  PDF
  • Slide Presentation from DOE Security Research Workshop III, (Barkley, 1998). PowerPoint
  • Slide Presentation Summarizing RBAC Projects Postscript
  • "A Marketing Survey of Civil Federal Government Organizations to Determine the Need for RBAC Security Product" (SETA Corporation, 1996). Postscript

Object Oriented Design

  • J. Barkley, "Implementing Role Based Access Control Using Object Technology", First ACM Workshop on Role-Based Access Control (1995). HTML  Postscript
  • J.F. Barkley, A.V. Cincotta, "Managing Role/Permission Relationships Using Object Access Types", Third ACM Workshop on Role Based Access Control (1998). HTML
  • "A Resource Access Decision Service for CORBA-based Distributed Systems" (Beznosov, Deng, Blakley, Burt, Barkley, 1999), ACSAC (Annual Computer Security Applications Conference). Postscript
  • S. Wakid, J.F. Barkley, M. Skall, "Object Retrieval and Access Management in Electronic Commerce", IEEE Communications Magazine, September 1999. HTML

XML RBAC Administration

  • R. Chandramouli, "Application of XML Tools for Enterprise-Wide RBAC Implementation Tasks", 5th ACM Workshop on Role-Based Access Control, July 26-27, 2000, Berlin, Germany. PDF
  • R. Chandramouli, "Specification and Validation of Enterprise Access Control Data for Conformance to Model and Policy Constraints", 7th World Multi-conference on Systemics, Cybernetics and Informatics (SCI 2003). Best Paper Award! PDF

Cost/Benefits Analysis

  • The Economic Impact of Role Based Access Control. Research Triangle Institute. NIST Planning Report 02-01. 2002 PDF
  • D. Ferraiolo and J.F. Barkley, "Comparing Administrative Cost for Hierarchical and Non-hierarchical Role Representations," Second ACM Workshop on Role-Based Access Control, Nov 6-7, 1997.
  • J. Barkley, "Comparing Simple Role Based Access Control Models and Access Control Lists" (1997), Second ACM Workshop on Role-Based Access Control. Postscript
  • "A Marketing Survey of Civil Federal Government Organizations to Determine the Need for RBAC Security Product" (SETA Corporation, 1996). Postscript

RBAC Web Servers

  • D.F. Ferraiolo, J. Barkley, D.R. Kuhn, "A Role Based Access Control Model and Reference Implementation within a Corporate Intranet", ACM Transactions on Information Systems Security, Volume 1, Number 2, February 1999. PDF  Postscript
  • D.F. Ferraiolo, J. Barkley, "Specifying and Managing Role-Based Access Control within a Corporate Intranet" (1997), Second ACM Workshop on Role-Based Access Control. PDF  Postscript
  • J. Barkley, A.V. Cincotta, D.F. Ferraiolo, S. Gavrila, D.R. Kuhn, "Role Based Access Control for the World Wide Web", 20th National Computer Security Conference (1997). PDF  Postscript
  • "Role Based Access Control for the World Wide Web" Slide Presentation Postscript
  • J. Barkley, D.R. Kuhn, L. Rosenthal, M. Skall, A.V. Cincotta, "Role-Based Access Control for the Web", CALS Expo International & 21st Century Commerce 1998: Global Business Solutions for the New Millennium (1998). HTML

Detailed Overview

Security administration can be costly and prone to error because administrators usually specify access control lists for each user on the system individually. With RBAC, security is managed at a level that corresponds closely to the organization's structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. Security administration with RBAC consists of determining the operations that must be executed by persons in particular jobs, and assigning employees to the proper roles. Complexities introduced by mutually exclusive roles or role hierarchies are handled by the RBAC software, making security administration easier.
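The elements this overview describes (user/role assignment, role/permission assignment, role hierarchies, and mutually exclusive roles) in working form, as an added illustration that is not NIST code; the invoice policy, the role and user names, and the method names are constructed for the example:

```python
# Added illustration, not NIST code: the RBAC elements the overview describes
# (user/role and role/permission assignment, hierarchies, mutually exclusive roles).
class RBAC:
    def __init__(self):
        self.perms = {}         # role -> {(operation, object)}
        self.users = {}         # user -> {role}
        self.juniors = {}       # role -> {roles it inherits permissions from}
        self.exclusive = set()  # {frozenset({role_a, role_b})}
    def add_role(self, role, inherits=()):
        self.perms.setdefault(role, set())
        self.juniors[role] = set(inherits)
    def grant(self, role, operation, obj):
        self.perms[role].add((operation, obj))
    def exclude(self, role_a, role_b):
        self.exclusive.add(frozenset((role_a, role_b)))
    def closure(self, role):
        # Transitive closure of the hierarchy: the role plus all it inherits.
        seen, todo = set(), [role]
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                todo.extend(self.juniors.get(r, ()))
        return seen
    def assign(self, user, role):
        # Static separation of duty: refuse a role if it (or anything it
        # inherits) is mutually exclusive with a role the user already holds.
        held = set().union(*(self.closure(r) for r in self.users.get(user, ())))
        for r in self.closure(role):
            for h in held:
                if frozenset((r, h)) in self.exclusive:
                    raise ValueError(f"{user}: {role} conflicts with {h}")
        self.users.setdefault(user, set()).add(role)
    def check(self, user, operation, obj):
        # Permitted if any held role, or a role it inherits, has the permission.
        return any((operation, obj) in self.perms[a]
                   for r in self.users.get(user, ()) for a in self.closure(r))

def sample_policy():
    # Constructed sample: managers inherit clerk; clerk and approver are exclusive.
    rbac = RBAC()
    for role, inherits in [("clerk", ()), ("approver", ()), ("manager", ["clerk"])]:
        rbac.add_role(role, inherits)
    rbac.grant("clerk", "create", "invoice")
    rbac.grant("approver", "approve", "invoice")
    rbac.grant("manager", "delete", "invoice")
    rbac.exclude("clerk", "approver")
    rbac.assign("alice", "manager")
    rbac.assign("bob", "approver")
    return rbac
```

With this policy, the administrator never touches per-user permissions: alice creates invoices purely by inheriting clerk through manager, and an attempt to also make bob (an approver) a manager is rejected because manager inherits clerk, which is mutually exclusive with approver.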

This web site explains RBAC concepts, the costs vs. benefits and economic impact of RBAC, design and implementation issues, the proposed standard, and advanced research topics. The NIST model for RBAC was adopted as an American National Standard by the American National Standards Institute, International Committee for Information Technology Standards (ANSI/INCITS) on February 11, 2004. See the RBAC Standards section for more information.