
Proposed NIST standard for role-based access control

Published: 01 August 2001

Abstract

In this article we propose a standard for role-based access control (RBAC). Although RBAC models have received broad support as a generalized approach to access control, and are well recognized for their many advantages in performing large-scale authorization management, no single authoritative definition of RBAC exists today. This lack of a widely accepted model results in uncertainty and confusion about RBAC's utility and meaning. The standard proposed here seeks to resolve this situation by unifying ideas from a base of frequently referenced RBAC models, commercial products, and research prototypes. It is intended to serve as a foundation for product development, evaluation, and procurement specification. Although RBAC continues to evolve as users, researchers, and vendors gain experience with its application, we feel the features and components proposed in this standard represent a fundamental and stable set of mechanisms that may be enhanced by developers in further meeting the needs of their customers. As such, this document does not attempt to standardize RBAC features beyond those that have achieved acceptance in the commercial marketplace and research community, but instead focuses on defining a fundamental and stable set of RBAC components. This standard is organized into the RBAC Reference Model and the RBAC System and Administrative Functional Specification. The reference model defines the scope of features that comprise the standard and provides a consistent vocabulary in support of the specification. The RBAC System and Administrative Functional Specification defines functional requirements for administrative operations and queries for the creation, maintenance, and review of RBAC sets and relations, as well as for specifying system level functionality in support of session attribute management and an access control decision process.
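The abstract names the pieces the functional specification is built from: RBAC sets and relations (users, roles, permissions, user assignment, permission assignment), administrative operations and review queries over them, session attribute management, and an access control decision. As an added worked example (not code from the article, from NIST, or from any product it surveys), the following Python sketch implements a core model with exactly those pieces. Class, method and field names such as `CoreRBAC`, `assign_user`, `add_active_role` and `check_access` are this example's own choices, only loosely following the vocabulary the abstract uses; the scenario in `demo()` is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    """Approval to perform one operation on one protected object."""
    operation: str
    obj: str


class CoreRBAC:
    """Sets USERS and ROLES, relations UA (user-role) and PA (permission-role), sessions."""

    def __init__(self):
        self.users, self.roles = set(), set()
        self.ua = set()      # user assignment: (user, role)
        self.pa = set()      # permission assignment: (Permission, role)
        self.sessions = {}   # session id -> (user, set of active roles)
        self._next_sid = 1

    # -- administrative commands: create and maintain the sets and relations --
    def add_user(self, user):
        self.users.add(user)

    def add_role(self, role):
        self.roles.add(role)

    def assign_user(self, user, role):
        if user not in self.users or role not in self.roles:
            raise ValueError("assign_user: unknown user or role")
        self.ua.add((user, role))

    def deassign_user(self, user, role):
        self.ua.discard((user, role))
        # Revocation is immediate: drop the role from sessions the user already has open.
        for owner, active in self.sessions.values():
            if owner == user:
                active.discard(role)

    def grant_permission(self, operation, obj, role):
        if role not in self.roles:
            raise ValueError("grant_permission: unknown role")
        self.pa.add((Permission(operation, obj), role))

    # -- supporting system functions: session attributes and the access decision --
    def create_session(self, user, active_roles=()):
        if user not in self.users:
            raise ValueError("create_session: unknown user")
        sid, self._next_sid = self._next_sid, self._next_sid + 1
        self.sessions[sid] = (user, set())
        for role in active_roles:
            self.add_active_role(sid, role)
        return sid

    def add_active_role(self, sid, role):
        owner, active = self.sessions[sid]
        if (owner, role) not in self.ua:   # only roles assigned to the user can be activated
            raise ValueError("add_active_role: role not assigned to session user")
        active.add(role)

    def check_access(self, sid, operation, obj):
        """Decision function: granted only through a role active in this session."""
        if sid not in self.sessions:       # unknown or ended session: deny
            return False
        perm = Permission(operation, obj)
        return any((perm, role) in self.pa for role in self.sessions[sid][1])

    # -- review function over the UA relation --
    def assigned_users(self, role):
        return {u for (u, r) in self.ua if r == role}


def demo():
    """Constructed scenario; returns the observations to check."""
    rbac = CoreRBAC()
    for u in ("alice", "bob"):
        rbac.add_user(u)
    for r in ("clerk", "auditor"):
        rbac.add_role(r)
    rbac.grant_permission("read", "ledger", "clerk")
    rbac.grant_permission("write", "ledger", "clerk")
    rbac.grant_permission("read", "ledger", "auditor")
    rbac.assign_user("alice", "clerk")
    rbac.assign_user("alice", "auditor")
    rbac.assign_user("bob", "auditor")
    sid = rbac.create_session("alice", ["auditor"])   # activate only what the task needs
    out = {"read_as_auditor": rbac.check_access(sid, "read", "ledger"),
           "write_as_auditor": rbac.check_access(sid, "write", "ledger")}
    rbac.add_active_role(sid, "clerk")
    out["write_as_clerk"] = rbac.check_access(sid, "write", "ledger")
    rbac.deassign_user("alice", "clerk")              # revoked while the session is open
    out["write_after_deassign"] = rbac.check_access(sid, "write", "ledger")
    try:
        rbac.add_active_role(sid, "clerk")
        out["reactivate_clerk"] = "allowed"
    except ValueError:
        out["reactivate_clerk"] = "rejected"
    out["auditors"] = sorted(rbac.assigned_users("auditor"))
    return out
```

Two points the scenario makes that the abstract's wording only implies: the decision is taken against the roles active in the session, not against everything the user is assigned, so a user who activates only `auditor` cannot write even though `clerk` is assigned to them; and deassigning a role must reach into open sessions, otherwise an administrator's revocation has no effect until the user logs out.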


Cited By

  • (2024) Zero Trust Cybersecurity: Procedures and Considerations in Context. Encyclopedia 4:4, 1520-1533. DOI 10.3390/encyclopedia4040099. Online publication date: 11-Oct-2024
  • (2024) Decentralized Identity Authentication Mechanism: Integrating FIDO and Blockchain for Enhanced Security. Applied Sciences 14:9, 3551. DOI 10.3390/app14093551. Online publication date: 23-Apr-2024
  • (2024) Bi-objective Optimization in Role Mining. ACM Transactions on Privacy and Security 28:1, 1-22. DOI 10.1145/3697833. Online publication date: 14-Oct-2024
  • (2024) eGBox: A Secure Shell Runtime based on eBPF. Proceedings of the 2024 6th International Conference on Big-data Service and Intelligent Computation, 26-34. DOI 10.1145/3686540.3686544. Online publication date: 29-May-2024
  • (2024) Enhancing Secure Deployment with Ansible: A Focus on Least Privilege and Automation for Linux. Proceedings of the 19th International Conference on Availability, Reliability and Security, 1-7. DOI 10.1145/3664476.3670929. Online publication date: 30-Jul-2024
  • (2024) Pairing Human and Artificial Intelligence: Enforcing Access Control Policies with LLMs and Formal Specifications. Proceedings of the 29th ACM Symposium on Access Control Models and Technologies, 105-116. DOI 10.1145/3649158.3657032. Online publication date: 24-Jun-2024
  • (2024) Survival Strategies for Evolutionary Role Mining Algorithms Using Expert Knowledge. Proceedings of the Genetic and Evolutionary Computation Conference Companion, 623-626. DOI 10.1145/3638530.3654183. Online publication date: 14-Jul-2024
  • (2024) A method of attribute-based access control based on consortium blockchain and smart contract. Third International Conference on Electronic Information Engineering, Big Data, and Computer Technology (EIBDCT 2024), 127. DOI 10.1117/12.3031117. Online publication date: 19-Jul-2024
  • (2024) Resiliency Analysis of Role-Based Access Control via Constraint Enforcement and Mathematical Programming. IEEE Transactions on Systems, Man, and Cybernetics: Systems 54:7, 4089-4100. DOI 10.1109/TSMC.2024.3373567. Online publication date: Jul-2024
  • (2024) Security Approaches in Model-Driven Engineering for Web Applications: the State-of-the-art in the Last 10 Years. 2024 IEEE 32nd International Requirements Engineering Conference Workshops (REW), 155-163. DOI 10.1109/REW61692.2024.00026. Online publication date: 24-Jun-2024


    Published In

    ACM Transactions on Information and System Security  Volume 4, Issue 3
    August 2001
    129 pages
    ISSN:1094-9224
    EISSN:1557-7406
    DOI:10.1145/501978
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 01 August 2001
    Published in TISSEC Volume 4, Issue 3


    Author Tags

    1. Role-based access control
    2. access control
    3. authorization management
    4. security
    5. standards

    Qualifiers

    • Article

    Article Metrics

    • Downloads (Last 12 months)288
    • Downloads (Last 6 weeks)36
    Reflects downloads up to 23 Nov 2024

