Role Based Access Control (RBAC) and Role Based Security
One of the most challenging problems in managing large networks is the complexity of security administration. Role based access control (also called role based security), as formalized in 1992 by David Ferraiolo and Rick Kuhn, has become the predominant model for advanced access control because it reduces this cost. A variety of IT vendors, including IBM, Sybase, Secure Computing, and Siemens, began developing products based on this model in 1994. In 2000, the Ferraiolo-Kuhn model was integrated with the framework of Sandhu et al. to create a unified model for RBAC, published as the NIST RBAC model (Sandhu, Ferraiolo, and Kuhn, 2000) and adopted as an ANSI/INCITS standard in 2004. Today, most information technology vendors have incorporated RBAC into their product lines, and the technology is finding applications in areas ranging from health care to defense, in addition to the mainstream commerce systems for which it was designed. As of 2010, the majority of users in enterprises of 500 or more are now using RBAC, according to the Research Triangle Institute. For more information, please contact us at: rbac-info@nist.gov.
Economic Benefits of Role Based Access Control
Analyzes the economic value of RBAC for the enterprise and for the national economy, and provides quantitative economic benefits of RBAC per employee for adopting firms. Of particular interest to firms considering RBAC, the report calculates savings from reduced employee downtime, more efficient provisioning, and more efficient access control policy administration, beyond the added security provided by RBAC. NIST's RBAC research was estimated to have contributed $1.1 billion in economic value. (Feb. 2011, Research Triangle Institute)
RBAC vs. ABAC (attribute based access control)
ABAC is a rule-based approach to access control that can be easy to set up but complex to manage. We are investigating both practical and theoretical aspects of ABAC and similar approaches. The following papers discuss ABAC and tradeoffs in design:
D.R. Kuhn, "Vulnerability Hierarchies in Access Control Configurations", 4th Symposium on Configuration Analytics and Automation (SAFECONFIG) 2011, IEEE, Oct. 31 - Nov. 1, Arlington, Virginia, pp. 1-9: shows that hierarchies of vulnerability detection conditions exist in ABAC rules, such that tests which detect one class of vulnerability are guaranteed to detect other classes.
D.R. Kuhn, E.J. Coyne, T.R. Weil, "Adding Attributes to Role Based Access Control", IEEE Computer, June 2010, pp. 79-81: discusses revisions to the RBAC standard being developed to combine the advantages of the RBAC and ABAC approaches.
INCITS CS1.1 standards update 2012 - discussing the proposal for Role Based Access Control
New to RBAC? These sections of the site can be helpful: Primary RBAC References/Background (below), RBAC FAQ, RBAC Case Studies.
Implementing RBAC? You may want to start with: Role Engineering and RBAC Standards, RBAC Case Studies.
Researcher or student? See Primary RBAC References/Background (below) and the other research papers on this page.
Economic Impact: NIST's RBAC research saves industry $1.1 billion (Feb. 2011)
Primary RBAC References/Background
RBAC Model
D.F. Ferraiolo and D.R. Kuhn (1992), "Role Based Access Control", 15th National Computer Security Conference, Oct 13-16, 1992, pp. 554-563. - introduced the formal model for role based access control.
R.S. Sandhu, E.J. Coyne, H.L. Feinstein, C.E. Youman (1996), "Role-Based Access Control Models", IEEE Computer 29(2): 38-47, IEEE Press, 1996. - proposed a framework for RBAC models.
RBAC Standard
Original proposal: R. Sandhu, D.F. Ferraiolo, D.R. Kuhn (2000), "The NIST Model for Role Based Access Control: Toward a Unified Standard," Proceedings, 5th ACM Workshop on Role Based Access Control, July 26-27, 2000, Berlin, pp. 47-63 - first public draft of the NIST RBAC model and proposal for an RBAC standard.
Current standard: American National Standard 359-2004 is the information technology industry consensus standard for RBAC. An explanation of the model used in the standard can be found in the original proposal above. The official standards document is published by ANSI INCITS.
D.F. Ferraiolo, R. Kuhn, R. Sandhu (2007), "RBAC Standard Rationale: Comments on a Critique of the ANSI Standard on Role Based Access Control", IEEE Security & Privacy, vol. 5, no. 6 (Nov/Dec 2007), pp. 51-53 - explains decisions made in developing the RBAC standard.
D.R. Kuhn, E.J. Coyne, T.R. Weil, "Adding Attributes to Role Based Access Control", IEEE Computer, vol. 43, no. 6 (June, 2010), pp. 79-81.
RBAC for web services standard: Web applications can use RBAC services defined by the OASIS XACML Technical Committee (see "XACML RBAC Profile"). The XACML specification describes building blocks from which an RBAC solution is constructed. A full example illustrates these building blocks. The specification then discusses how these building blocks may be used to implement the various elements of the RBAC model presented in ANSI INCITS 359-2004.
RBAC Topics
RBAC Design & Implementation
- D.F. Ferraiolo and D.R. Kuhn (1992), "Role Based Access Control", 15th National Computer Security Conf., Oct 13-16, 1992, pp. 554-563. - the original paper that evolved into the NIST RBAC model.
- "An Introduction to Role Based Access Control", NIST CSL Bulletin on RBAC (December, 1995).
- D.F. Ferraiolo, D.R. Kuhn, R. Chandramouli, Role Based Access Control (book), Artech House, 2003; 2nd Edition, 2007.
- D. Ferraiolo, J. Cugini, R. Kuhn, "Role Based Access Control: Features and Motivations," Proceedings, Annual Computer Security Applications Conference, IEEE Computer Society Press, 1995. - extends the 1992 model.
- D.R. Kuhn, "Mutual Exclusion of Roles as a Means of Implementing Separation of Duty in Role-Based Access Control Systems", Second ACM Workshop on Role-Based Access Control, 1997. - defines necessary and sufficient conditions for safe separation of duty.
- R. Chandramouli, R. Sandhu, "Role Based Access Control Features in Commercial Database Management Systems", 21st National Information Systems Security Conference, October 6-9, 1998, Crystal City, Virginia. Best Paper Award! - survey of RBAC implementations.
- S. Gavrila, J. Barkley, "Formal Specification for Role Based Access Control User/Role and Role/Role Relationship Management" (1998), Third ACM Workshop on Role-Based Access Control.
- D.R. Kuhn, "Role Based Access Control on MLS Systems Without Kernel Changes", Third ACM Workshop on Role Based Access Control, October 22-23, 1998. - how to simulate RBAC on MAC systems.
- J. Barkley, C. Beznosov, Uppal, "Supporting Relationships in Access Control using Role Based Access Control", Fourth ACM Workshop on Role-Based Access Control (1999).
- R. Sandhu, D. Ferraiolo, R. Kuhn, "The NIST Model for Role Based Access Control: Towards a Unified Standard," Proceedings, 5th ACM Workshop on Role Based Access Control, July 26-27, 2000, Berlin, pp. 47-63. - initial proposal for the current INCITS 359-2004 RBAC standard.
- W.A. Jansen, "Inheritance Properties of Role Hierarchies," 21st National Information Systems Security Conference, October 6-9, 1998, Crystal City, Virginia. - analyzes permission inheritance in RBAC.
- R. Chandramouli, "Business Process Driven Framework for defining an Access Control Service based on Roles and Rules", 23rd National Information Systems Security Conference, 2000.
- W.A. Jansen, "A Revised Model for Role Based Access Control", NIST-IR 6192, July 9, 1998.
- Slide Presentation from DOE Security Research Workshop III (Barkley, 1998).
- Slide Presentation Summarizing RBAC Projects.
- "A Marketing Survey of Civil Federal Government Organizations to Determine the Need for RBAC Security Product" (SETA Corporation, 1996).
- D.F. Ferraiolo, R. Chandramouli, G.J. Ahn, S.I. Gavrila, "The Role Control Center: Features and Case Studies", SACMAT '03: Proceedings of the Eighth ACM Symposium on Access Control Models and Technologies, Como, Italy, 2003, pp. 12-20.
Access Control System Testing
- D.R. Kuhn, "Vulnerability Hierarchies in Access Control Configurations", 4th Symposium on Configuration Analytics and Automation, IEEE, Oct. 31 - Nov. 1, 2011, Arlington, VA.
- V. Hu, D.R. Kuhn, T. Xie, "Property Verification for Generic Access Control Models", IEEE/IFIP International Symposium on Trust, Security, and Privacy for Pervasive Applications, Shanghai, China, Dec. 17-20, 2008.
Object Oriented Design
- J. Barkley, "Implementing Role Based Access Control Using Object Technology", First ACM Workshop on Role-Based Access Control (1995).
- J.F. Barkley, A.V. Cincotta, "Managing Role/Permission Relationships Using Object Access Types", Third ACM Workshop on Role Based Access Control (1998).
- "A Resource Access Decision Service for CORBA-based Distributed Systems" (Beznosov, Deng, Blakley, Burt, Barkley, 1999), ACSAC (Annual Computer Security Applications Conference).
- S. Wakid, J.F. Barkley, M. Skall, "Object Retrieval and Access Management in Electronic Commerce", IEEE Communications Magazine, September 1999.
XML RBAC Administration
- R. Chandramouli, "Application of XML Tools for Enterprise-Wide RBAC Implementation Tasks", 5th ACM Workshop on Role-Based Access Control, July 26-27, 2000, Berlin, Germany.
- R. Chandramouli, "Specification and Validation of Enterprise Access Control Data for Conformance to Model and Policy Constraints", 7th World Multi-conference on Systemics, Cybernetics and Informatics (SCI 2003). Best Paper Award!
Cost/Benefits Analysis
- The Economic Impact of Role Based Access Control, Research Triangle Institute, NIST Planning Report 02-01, 2002.
- D. Ferraiolo and J.F. Barkley, "Comparing Administrative Cost for Hierarchical and Non-hierarchical Role Representations," Second ACM Workshop on Role-Based Access Control, Nov 6-7, 1997.
- J. Barkley, "Comparing Simple Role Based Access Control Models and Access Control Lists" (1997), Second ACM Workshop on Role-Based Access Control.
- "A Marketing Survey of Civil Federal Government Organizations to Determine the Need for RBAC Security Product" (SETA Corporation, 1996).
RBAC Web Servers
- D.F. Ferraiolo, J. Barkley, D.R. Kuhn, "A Role Based Access Control Model and Reference Implementation within a Corporate Intranet", ACM Transactions on Information Systems Security, Volume 1, Number 2, February 1999.
- D.F. Ferraiolo, J. Barkley, "Specifying and Managing Role-Based Access Control within a Corporate Intranet" (1997), Second ACM Workshop on Role-Based Access Control.
- J. Barkley, A.V. Cincotta, D.F. Ferraiolo, S. Gavrila, D.R. Kuhn, "Role Based Access Control for the World Wide Web", 20th National Computer Security Conference (1997).
- "Role Based Access Control for the World Wide Web", Slide Presentation.
- J. Barkley, D.R. Kuhn, L. Rosenthal, M. Skall, A.V. Cincotta, "Role-Based Access Control for the Web", CALS Expo International & 21st Century Commerce 1998: Global Business Solutions for the New Millennium (1998).
Detailed Overview
Security administration can be costly and prone to error because administrators usually specify access control lists for each user on the system individually. With RBAC, security is managed at a level that corresponds closely to the organization's structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. Security administration with RBAC consists of determining the operations that must be executed by persons in particular jobs, and assigning employees to the proper roles. Complexities introduced by mutually exclusive roles or role hierarchies are handled by the RBAC software, making security administration easier.
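As an added illustration of the overview's core ideas (this is not code from NIST or from any paper listed on this page): users hold roles, roles hold (operation, object) permissions, a senior role inherits a junior role's permissions through the role hierarchy, and a pair of mutually exclusive roles enforces separation of duty by rejecting a conflicting user-to-role assignment, even one that would arise only through inheritance. The bank roles, users and permissions are constructed sample data.

```python
"""Core RBAC with a role hierarchy and static separation of duty (mutually exclusive
roles). Added illustration, not NIST's code; the bank policy below is constructed."""
from typing import Dict, Set, Tuple

Permission = Tuple[str, str]  # (operation, object) pair, as in the NIST model

class RBAC:
    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[Permission]] = {}
        self.juniors: Dict[str, Set[str]] = {}   # senior role -> roles it inherits from
        self.user_roles: Dict[str, Set[str]] = {}
        self.exclusive: Set[frozenset] = set()   # static separation-of-duty pairs

    def add_role(self, role: str, *inherits: str) -> None:
        self.role_perms.setdefault(role, set())
        self.juniors.setdefault(role, set()).update(inherits)

    def grant(self, role: str, op: str, obj: str) -> None:
        self.role_perms[role].add((op, obj))

    def mutually_exclusive(self, a: str, b: str) -> None:
        self.exclusive.add(frozenset((a, b)))

    def authorized_roles(self, role: str) -> Set[str]:
        # Transitive closure of the hierarchy (a partial order, so no cycles): a senior role holds every junior's permissions.
        return {role}.union(*(self.authorized_roles(j) for j in self.juniors.get(role, ())))

    def effective_roles(self, user: str) -> Set[str]:
        return set().union(*(self.authorized_roles(r) for r in self.user_roles.get(user, ())))

    def assign(self, user: str, role: str) -> None:
        # Reject an assignment that would give one user both roles of an exclusive pair, even via inheritance.
        combined = self.effective_roles(user) | self.authorized_roles(role)
        for pair in self.exclusive:
            if pair <= combined:
                raise ValueError(f"{user}: {sorted(pair)} are mutually exclusive")
        self.user_roles.setdefault(user, set()).add(role)

    def check(self, user: str, op: str, obj: str) -> bool:
        return any((op, obj) in self.role_perms.get(r, ()) for r in self.effective_roles(user))

def bank_policy() -> RBAC:
    p = RBAC()                                   # constructed sample policy
    p.add_role("teller"); p.add_role("branch_manager", "teller"); p.add_role("auditor")
    p.grant("teller", "post", "ledger"); p.grant("branch_manager", "approve", "loan")
    p.grant("auditor", "read", "ledger"); p.mutually_exclusive("teller", "auditor")
    p.assign("alice", "branch_manager"); p.assign("bob", "auditor")
    return p
```

With this policy, `bank_policy().assign("bob", "branch_manager")` is refused because the manager role inherits teller, which bob's auditor role excludes.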
This web site explains RBAC concepts, costs vs. benefits and economic impact of RBAC, design and implementation issues, the proposed standard, and advanced research topics. The NIST model for RBAC was adopted as an American National Standard by the American National Standards Institute, International Committee for Information Technology Standards (ANSI/INCITS) on February 11, 2004. See the RBAC Standards Section for more information.