Role Based Access Control | CSRC | CSRC (original) (raw)

One of the most challenging problems in managing large networks is the complexity of security administration. Role based access control (RBAC) (also called "role based security"), as formalized in 1992 by David Ferraiolo and Rick Kuhn, has become the predominant model for advanced access control because it reduces this cost.

This project site explains RBAC concepts, costs and benefits, the economic impact of RBAC, design and implementation issues, the RBAC standard, and advanced research topics. The NIST model for RBAC was adopted as American National Standard 359-2004 by the American National Standards Institute, International Committee for Information Technology Standards (ANSI/INCITS) on February 11, 2004. It was revised as INCITS 359-2012 in 2012. See the RBAC standard section for more information.

Background

Security administration can be costly and prone to error because administrators usually specify access control lists for each user on the system individually. With RBAC, security is managed at a level that corresponds closely to the organization's structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. Security administration with RBAC consists of determining the operations that must be executed by persons in particular jobs, and assigning employees to the proper roles. Complexities introduced by mutually exclusive roles or role hierarchies are handled by the RBAC software, making security administration easier.

Book cover for Role-Based Access Control, second edition

A variety of IT vendors, including IBM, Sybase, Secure Computing, and Siemens began developing products based on this model in 1994. In 2000, the Ferraiolo-Kuhn model was integrated with the framework of Sandhu et al. to create a unified model for RBAC, published as the NIST RBAC model (Sandhu, Ferraiolo, and Kuhn, 2000) and adopted as an ANSI/INCITS standard in 2004. Today, most information technology vendors have incorporated RBAC into their product lines, and the technology is finding applications in areas ranging from health care to defense, in addition to the mainstream commerce systems for which it was designed. As of 2010, the majority of users in enterprises of 500 or more were using RBAC, according to analysis from RTI International.


Economic Impact

NIST's RBAC research was estimated to have saved industry $1.1 billion over multiple years, according to Economic Analysis of Role-Based Access Control: Final Report, a December 2010 report from RTI International. The report analyzes economic value of RBAC for the enterprise and for the national economy, and provides quantitative economic benefits of RBAC per employee for adopting firms. Of particular interest to firms considering RBAC, report calculates savings from reduced employee downtime, more efficient provisioning, and more efficient access control policy administration, beyond the added security provided by RBAC.


RBAC vs. ABAC (Attribute Based Access Control)

ABAC is a rule-based approach to access control that can be easy to set up but complex to manage. We are investigating both practical and theoretical aspects of ABAC and similar approaches, and we held an Attribute Based Access Control Workshop in 2013.

The following papers discuss ABAC and tradeoffs in design:

E.J. Coyne, T.R. Weil (2013), ABAC and RBAC: Scalable, Flexible, and Auditable Access Management, IEEE IT Professional (May/June 2013). Reviews tradeoffs and characteristics of role based and attribute based approaches.
D.R. Kuhn (2011), Vulnerability Hierarchies in Access Control Configurations, 4th Symposium on Configuration Analytics and Automation (SAFECONFIG) 2011. Shows that hierarchies of vulnerability detection conditions exist in ABAC rules, such that tests which detect one class of vulnerability are guaranteed to detect other classes.
D.R. Kuhn, E.J. Coyne, T.R. Weil (2010), Adding Attributes to Role-Based Access Control, IEEE Computer (June 2010). Discusses revisions to RBAC standard being developed to combine advantages of RBAC and ABAC approaches.

Primary References and Background

D.F. Ferraiolo and D.R. Kuhn (1992) Role-Based Access Controls, 15th National Computer Security Conference. Introduced formal model for role based access control.
R.S. Sandhu, E.J. Coyne, H.L. Feinstein, C.E. Youman (1996), Role-Based Access Control Models, IEEE Computer 29(2), (February 1996). [DOI; Preprint] Proposed a framework for RBAC models.
Current standard (2012)

INCITS 359-2012, Information Technology -- Role-Based Access Control(May 29, 2012)

"This standard [an update of INCITS 359-2004] consists of two main parts the RBAC Reference Model and the RBAC System and Administrative Functional Specification. The RBAC Reference Model defines sets of basic RBAC elements (i.e., users, roles,permissions, operations and objects) and relations as types and functions that are included in this standard. The RBAC System and Administrative Functional Specification specifies the features that are required of an RBAC system."

Updating the standard (2007-2012)

The original 2004 standard was updated by the INCITS CS1.1 RBAC task group. Relevant resources include:

Original standard (2004)

ANSI/INCITS 359-2004, American National Standard for Information Technology - Role Based Access Control.

Original proposal (2000)

R. Sandhu, D.F. Ferraiolo, D.R. Kuhn (2000), The NIST Model for Role-Based Access Control: Towards a Unified Standard, Proceedings, 5th ACM Workshop on Role Based Access Control


RBAC for Web Services Standard

Web applications can use RBAC services defined by the OASIS XACML Technical Committee (see "XACML RBAC Profile"). The XACML specification describes building blocks from which an RBAC solution is constructed. A full example illustrates these building blocks. The specification then discusses how these building blocks may be used to implement the various elements of the RBAC model presented in ANSI INCITS 359-2004.