ROLE BASED ACCESS CONTROL

One of the most challenging problems in managing large networks is the complexity of security administration. Role based access control (also called role based security), as introduced in 1992 by Ferraiolo and Kuhn, has become the predominant model for advanced access control because it reduces the complexity and cost of security administration in large networked applications. Most information technology vendors have incorporated RBAC into their product line, and the technology is finding applications in areas ranging from health care to defense, in addition to the mainstream commerce systems for which it was designed. For more information, please contact us at: rbac-info@nist.gov.
Security administration can be costly and prone to error because administrators usually specify access control lists for each user on the system individually. With RBAC, security is managed at a level that corresponds closely to the organization's structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. Security administration with RBAC consists of determining the operations that must be executed by persons in particular jobs, and assigning employees to the proper roles. Complexities introduced by mutually exclusive roles or role hierarchies are handled by the RBAC software, making security administration easier.

This web resource explains RBAC concepts, costs vs. benefits and economic impact of RBAC, design and implementation issues, the proposed standard, and advanced research topics. The NIST model for RBAC was adopted as an American National Standard by the American National Standards Institute, International Committee for Information Technology Standards (ANSI/INCITS) on February 11, 2004. See RBAC Standards, below, for more information.
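The following is an added example, not code from the NIST page or its reference implementation: a small Python policy engine that implements the concepts described above, namely users assigned to roles, roles assigned permissions, a role hierarchy in which a senior role inherits the permissions of its junior roles, and mutually exclusive roles that the same user may not hold (static separation of duty). The role, user and permission names are constructed sample data.

```python
from collections import defaultdict


class RBAC:
    """Roles with permissions, a role hierarchy and mutually exclusive role pairs."""

    def __init__(self, role_perms, juniors, exclusive):
        self.role_perms = role_perms    # role -> {(operation, object)}
        self.juniors = juniors          # senior role -> junior roles it inherits from
        self.exclusive = exclusive      # {frozenset({role_a, role_b}), ...}
        self.user_roles = defaultdict(set)  # user -> roles assigned directly

    def authorized_roles(self, roles):
        """Close a role set under inheritance: the roles plus all their juniors."""
        closure, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in closure:
                closure.add(r)
                stack.extend(self.juniors.get(r, ()))
        return closure

    def assign(self, user, role):
        """Assign a role, refusing it if the user would then hold an exclusive pair."""
        would_hold = self.authorized_roles(self.user_roles[user] | {role})
        for pair in self.exclusive:
            if pair <= would_hold:
                raise ValueError(f"{user}: {sorted(pair)} are mutually exclusive")
        self.user_roles[user].add(role)

    def check_access(self, user, operation, obj):
        """Permit if any held role, directly or via the hierarchy, grants it."""
        return any((operation, obj) in self.role_perms.get(r, ())
                   for r in self.authorized_roles(self.user_roles[user]))


def build_sample_policy():
    """Constructed sample: accountants create payments, auditors approve them,
    both inherit 'employee', and nobody may hold both roles."""
    rbac = RBAC(
        role_perms={"employee": {("read", "report")},
                    "accountant": {("create", "payment")},
                    "auditor": {("approve", "payment")}},
        juniors={"accountant": {"employee"}, "auditor": {"employee"}},
        exclusive={frozenset({"accountant", "auditor"})},
    )
    rbac.assign("alice", "accountant")
    rbac.assign("bob", "auditor")  # assigning "auditor" to alice instead would raise
    return rbac
```

Note that the exclusion check runs over the inherited closure, so a senior role that inherits one half of an exclusive pair is also refused to a user holding the other half.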
Introduction and Overview

- "An Introduction to Role Based Access Control", NIST CSL Bulletin on RBAC (December 1995). HTML, Text.
- D.F. Ferraiolo and D.R. Kuhn, "Role Based Access Control", 15th National Computer Security Conference (1992). The original RBAC paper.
- R.S. Sandhu, E.J. Coyne, H.L. Feinstein, C.E. Youman, "Role-Based Access Control Models", IEEE Computer 29(2): 38-47, IEEE Press, 1996. Original paper on the RBAC framework. PDF.
- D.F. Ferraiolo, D.R. Kuhn, R. Chandramouli, Role Based Access Control (book), Artech House, 2003.
- Slide presentation from DOE Security Research Workshop III (Barkley, 1998). PowerPoint.
- Slide presentation summarizing RBAC projects. Postscript.
- "A Marketing Survey of Civil Federal Government Organizations to Determine the Need for RBAC Security Product" (SETA Corporation, 1996). Postscript.
- Slide presentation from OMG CORBAmed Security Working Group Meeting (Corbamed/98-06-08) (Barkley, 1998). PowerPoint.
- "Application Engineering in Health Care" (Barkley, 1995), Second Annual CHIN Summit, 1995. HTML, Postscript.
- R. Chandramouli, "A Framework for Multiple Authorization Types in a Healthcare Application System", 17th Annual Computer Security Applications Conference (ACSAC), Dec 10-14, 2001, New Orleans, Louisiana. PDF.
- R. Chandramouli, "Application of XML Tools for Enterprise-Wide RBAC Implementation Tasks", 5th ACM Workshop on Role-Based Access Control, July 26-27, 2000, Berlin, Germany. PDF.

RBAC Patents

- "Implementation of Role Based Access Control in Multi-level Secure Systems" (Kuhn), U.S. Patent #6,023,765. HTML.
- "Workflow Management Employing Role-Based Access Control" (Barkley), U.S. Patent #6,088,679. HTML.
- "A Method for Visualizing and Managing Role-Based Policies on Identity-Based Systems" (Ferraiolo & Gavrila), pending.
- "Implementation of Role/Group Permission Association Using Object Access Type".

For information on licensing NIST inventions, see the Office of Technology Partnerships. NOTE: when following the links for each RBAC patent, you will be leaving the RBAC website and the NIST web server.
Patents referencing NIST RBAC patents:

- IBM: US Patent #6,381,579, "System and method to provide secure navigation to resources on the internet" (Gervais, et al., 2002).
- IBM: US Patent #6,438,549, "Method for storing sparse hierarchical data in a relational database" (Aldred, et al., 2002).
- Microsoft: US Patent #6,412,070, "Extensible security system and method for controlling access to objects in a computing environment" (Van Dyke, et al., 2002).
- Microsoft: US Patent #6,466,932, "System and method for implementing group policy" (Dennis, et al., 2002).
- Unisys: US Patent #6,401,100, "Method for associating classes contained in the same or different models" (Gladieux, 2002).
- Electronic Data Systems: US Patent #6,430,549, "System and method for selectivety defining access to application features" (Gershfield, et al., 2002).
- Entrust, Inc.: US Patent #6,453,353, "Role-based navigation of information resources" (Win, et al., 2002).
- Secure Computing Corp.: US Patent #6,357,010, "System and method for controlling access to documents stored on an internal network" (Viets, et al., 2002).
- Argus: US Patent #6,289,462, "Trusted compartmentalized computer operating system" (McNabb, et al., 2001).
- Epicentric, Inc.: US Patent #6,327,628, "Portal server that provides a customizable user interface for access to computer networks" (Anuff, et al., 2001).
- Accenture LLP: US Patent #6,442,748, "System, method and article of manufacture for a persistent state and persistent object separator in an information services patterns environment" (Bowman-Amuah, 2002).
- US Patent #6,445,968, "Task manager" (Jalla, 2002).
- American Management Systems: US Patent #6,606,740, "Development framework for case and workflow systems" (Lynn, et al., 2003).
- E-Talk: US Patent #6,615,182, "System and method for defining the organizational structure of an enterprise in a performance evaluation system" (Powers et al., 2003).
Design and Implementation

- D.F. Ferraiolo, D.R. Kuhn, R. Chandramouli, Role Based Access Control (book), Artech House, 2003.
- D.F. Ferraiolo, J. Cugini, D.R. Kuhn, "Role Based Access Control: Features and Motivations", Computer Security Applications Conference (1995). PDF, Postscript.
- D.R. Kuhn, "Mutual Exclusion of Roles as a Means of Implementing Separation of Duty in Role-Based Access Control Systems" (1997), Second ACM Workshop on Role-Based Access Control.
- S. Gavrila, J. Barkley, "Formal Specification for Role Based Access Control User/Role and Role/Role Relationship Management" (1998), Third ACM Workshop on Role-Based Access Control.
- D.R. Kuhn, "Role Based Access Control on MLS Systems Without Kernel Changes", Third ACM Workshop on Role Based Access Control, October 22-23, 1998.
- R. Sandhu, D. Ferraiolo, R. Kuhn, "The NIST Model for Role Based Access Control: Towards a Unified Standard", Proceedings, 5th ACM Workshop on Role Based Access Control, July 26-27, 2000.
- W.A. Jansen, "Inheritance Properties of Role Hierarchies", 21st National Information Systems Security Conference, October 6-9, 1998, Crystal City, Virginia. Postscript, PDF.
- W.A. Jansen, "A Revised Model for Role Based Access Control", NIST-IR 6192, July 9, 1998. Postscript, PDF.

Object Oriented Design

- "A Resource Access Decision Service for CORBA-based Distributed Systems" (Beznosov, Deng, Blakley, Burt, Barkley, 1999), ACSAC (Annual Computer Security Applications Conference). Postscript.
- S. Wakid, J.F. Barkley, M. Skall, "Object Retrieval and Access Management in Electronic Commerce", IEEE Communications Magazine, September 1999. HTML.
Costs vs. Benefits and Economic Impact

- The Economic Impact of Role Based Access Control. Research Triangle Institute, NIST Planning Report 02-01, 2002. PDF.
- D. Ferraiolo and J.F. Barkley, "Comparing Administrative Cost for Hierarchical and Non-hierarchical Role Representations", Second ACM Workshop on Role-Based Access Control, Nov 6-7, 1997.
- J. Barkley, "Comparing Simple Role Based Access Control Models and Access Control Lists" (1997), Second ACM Workshop on Role-Based Access Control. Postscript.
- "A Marketing Survey of Civil Federal Government Organizations to Determine the Need for RBAC Security Product" (SETA Corporation, 1996). Postscript.

Patents referencing NIST RBAC patents (cont.):

- Microsoft: US Patent #6,466,932, "System and method for implementing group policy" (Dennis, et al., 2003).
- Xerox: US Patent #6,535,884, "System, method and article of manufacture for providing an attribute system with primitive support of dynamic and evolvable roles in support of fluid and integrative application development".
- Electronic Data Systems: US Patent #6,578,029, "System and method for selectively defining access to application features" (Gershfield et al., 2003).
- IBM: US Patent #6,594,661, "Method and system for controlling access to a source application" (Tagg, 2003).
- Secure Computing Corp: US Patent #6,640,307, "System and method for controlling access to documents stored on an internal network" (Viets, et al., 2003).

Patents referencing NIST RBAC research:

- Microsoft: US Patent #6,014,666, "Declarative and Programmatic Access Control of Component-Based Server Applications Using Roles" (Helland, et al., 2000).
- Microsoft: US Patent #6,487,665, "Object Security Boundaries" (Andrews et al., 2002).
- Microsoft: US Patent #6,574,736, "Composable Roles" (Andrews, 2003).
- Microsoft: US Patent #6,604,198, "Automatic object caller chain with declarative impersonation and transitive trust" (Beckman, et al., 2003).
- Microsoft: US Patent #6,606,711, "Object Security Boundaries" (Andrews et al., 2003).
- Microsoft: US Patent #6,678,696, "Transaction processing of distributed objects with declarative transactional attributes" (Helland, et al., 2004).
- Microsoft: US Patent #6,714,962, "Multi-user server application architecture with single-user object tier" (Helland, et al., 2004).
RBAC Standards

In 2001, NIST proposed a consensus model for RBAC, based on the Ferraiolo-Kuhn model, in the framework developed by Sandhu (see Introduction and Overview, above). The model was further refined within the RBAC community and has been adopted by the American National Standards Institute, International Committee for Information Technology Standards (ANSI/INCITS) as ANSI INCITS 359-2004. Within OASIS, the XACML technical committee is developing an RBAC profile for expressing authorization policies in XML, making it easier to build RBAC into web applications.

American National Standard 359-2004 is the Information Technology industry consensus standard for RBAC. A tutorial-style explanation of the model used in the standard is provided on this site. The official standards document is published by ANSI INCITS.

Web applications can use RBAC services defined by the OASIS XACML Technical Committee (see "XACML RBAC Profile"). The XACML specification describes building blocks from which an RBAC solution is constructed; a full example illustrates these building blocks, and the specification then discusses how they may be used to implement the various elements of the RBAC model presented in ANSI INCITS 359-2004.

Building on the RBAC standard: the US Navy has initiated an activity for Enterprise Dynamic Access Control (PPT briefing and documentation, courtesy Richard Fernandez). Presentation on the RBAC standard (courtesy Wilfredo Alvarez). PPT.

- D. Ferraiolo, R. Sandhu, S. Gavrila, D.R. Kuhn, R. Chandramouli, "A Proposed Standard for Role Based Access Control", ACM Transactions on Information and System Security, vol. 4, no. 3 (August 2001). Draft of a consensus standard for RBAC. PDF.
- Slide presentation on the proposed RBAC standard. PPT.
- R. Sandhu, D.F. Ferraiolo, D.R. Kuhn, "The NIST Model for Role Based Access Control: Towards a Unified Standard", Proceedings, 5th ACM Workshop on Role Based Access Control, July 26-27, 2000. First public draft of a proposal for an RBAC standard. Postscript, PDF.
RBAC for the Web

- D.F. Ferraiolo, J. Barkley, D.R. Kuhn, "A Role Based Access Control Model and Reference Implementation within a Corporate Intranet", ACM Transactions on Information Systems Security, Volume 1, Number 2, February 1999. PDF, Postscript.
- D.F. Ferraiolo, J. Barkley, "Specifying and Managing Role-Based Access Control within a Corporate Intranet" (1997), Second ACM Workshop on Role-Based Access Control. PDF, Postscript.
- J. Barkley, A.V. Cincotta, D.F. Ferraiolo, S. Gavrila, D.R. Kuhn, "Role Based Access Control for the World Wide Web", 20th National Computer Security Conference (1997). PDF, Postscript.
- J. Barkley, D.R. Kuhn, L. Rosenthal, M. Skall, A.V. Cincotta, "Role-Based Access Control for the Web", CALS Expo International & 21st Century Commerce 1998: Global Business Solutions for the New Millennium (1998). HTML.
NIST provides a reference implementation of an RBAC web server for both UNIX and Windows NT systems. The UNIX version has two implementation options: as a CGI script or as a load module that can be linked into the server binary.

- RBAC for UNIX/POSIX/Linux and RBAC for Windows NT (UNIX tar file)
- RBAC for UNIX/POSIX/Linux and RBAC for Windows NT (compressed UNIX tar file)

RBAC Conference: much of the research on RBAC appears first in the proceedings of the ACM Symposium on Access Control Models and Technologies (SACMAT), previously the ACM Workshop on Role-Based Access Control (RBAC), 1995-2000.