Role Based Access Control | CSRC | CSRC (original) (raw)

Roles with different privileges and responsibilities have long been recognized in business organizations, and commercial computer applications dating back to at least the 1970s implemented limited forms of access constraints based on the user’s role within an organization. These role-based systems were relatively simple and application-specific. That is, there was no general-purpose model defining how access control could be based on roles, and little formal analysis of the security of these systems. The systems were developed by a variety of organizations, with no commonly agreed upon definition or recognition in formal standards.

A general-purpose role based access control model was proposed in 1992 by Ferraiolo and Kuhn, integrating features of existing application-specific approaches into a generalized role based access control model. This paper presented RBAC as an alternative to traditional Mandatory Access Control (MAC) and Discretionary Access Control (DAC), and gave a formal description, in terms of sets, relations and mappings, to define roles and role hierarchies, subject role activation, subject-object mediation, as well as constraints on user/role membership and role set activation. Three basic rules were required:

  1. Role assignment: A subject can execute a transaction only if the subject has selected or been assigned a role. The identification and authentication process (e.g. login) is not considered a transaction. All other user activities on the system are conducted through transactions. Thus all active users are required to have some active role.
  2. Role authorization: A subject's active role must be authorized for the subject. With (1) above, this rule ensures that users can take on only roles for which they are authorized.
  3. Transaction authorization: A subject can execute a transaction only if the transaction is authorized through the subject's role memberships, and subject to any constraints that may be applied across users, roles, and permissions. With (1) and (2), this rule ensures that users can execute only transactions for which they are authorized.

A key feature of this model is that all access is through roles. A role is essentially a collection of permissions, and all users receive permissions only through the roles to which they are assigned, or through roles they inherit through the role hierarchy. Within an organization, roles are relatively stable, while users and permissions are both numerous and may change rapidly. Controlling all access through roles therefore simplifies the management and review of access controls. The 1992 Ferraiolo and Kuhn model was extended in 1995 by Ferraiolo, Cugini, and Kuhn.

In 1996, Sandhu, Coyne, Feinstein, and Youman introduced a framework for RBAC models that incorporated the RBAC features described above in a modular arrangement. RBAC0 was defined as the base model, defined through users, roles, and permissions. RBAC1 includes RBAC0 but incorporates hierarchies as a partial order relationship between roles. RBAC2 also incorporates RBAC0, but adds constraints. RBAC1 and RBAC2 are independent of each other, in that a system may implement one without the other. RBAC3 is a fully-featured RBAC model, incorporating RBAC0, RBAC1, and RBAC2. RBAC3 is essentially equivalent to the 1992 Ferraiolo and Kuhn model with the exception that RBAC3 allows a partial order hierarchy while the Ferraiolo-Kuhn model defines the hierarchy as a rooted tree. In object-oriented terms, the 1996 SCFY model can be thought of as incorporating multiple inheritance while Ferraiolo-Kuhn uses single inheritance.