RBAC Standard Rationale: Comments on "A Critique of the ANSI Standard on Role-Based Access Control"

@article{Ferraiolo2007RBACSR,
  title={RBAC Standard Rationale: Comments on "A Critique of the ANSI Standard on Role-Based Access Control"},
  author={David F. Ferraiolo and D. Richard Kuhn and Ravi S. Sandhu},
  journal={IEEE Security \& Privacy},
  year={2007},
  volume={5}
}
"For original paper see Ninghui Li et al., vol. 5, no. 6, p.41, (2007)". Some notion of roles for access control predates the research papers cited by the authors by at least a decade. Our work was designed to formalize RBAC and add features (such as hierarchies and constraints) to make it more useful to software developers and administrators. Extensive discussion of these and subsequent papers over many years led to the consensus standard for RBAC. 

Advantages of a non-technical XACML notation in role-based models

TLDR
This paper shows how a non-technical notation proposed in earlier work lets users work with a very compact and readable form of XACML rules while still taking advantage of XACML's full expressive power.

A business-independence administrative model for role-based access control

  • Wei-an Tao
  • Computer Science
    The 2nd International Conference on Information Science and Engineering
  • 2010
TLDR
A general permission management module based on an improved RBAC is described: it models the inheritance relation between roles and the composition relation between modules using a hierarchical namespace, and uses a function mask to separate permission controls from the concrete business logic, achieving fine-grained control.

Suggested improvements to the DoDAF for modeling architectural security

TLDR
This paper uses some existing modifications that have been suggested as separate additions and provides a way to integrate them into the DoDAF and suggests templates for new views as well as modifications to any existing templates.

Evaluation of Purpose Mark Releasing Protocol for Purpose-based Marking (PM) Protocol

TLDR
A novel synchronization protocol to make an information system secure and consistent is discussed, along with how to prevent the illegal information flow that performing conflicting transactions would cause.

A UML profile for role-based access control

TLDR
A Unified Modeling Language (UML) Profile for Role-Based Access Control (RBAC) is proposed, with which access control specifications can be modeled graphically together with problem domain specifications from the beginning of the design phase, making it possible to extend security integration over the entire development process.

A holistic approach for access control policies: from formal specification to aspect-based enforcement

TLDR
A novel approach to non-functional safety properties, combining formal methods and Aspect-Oriented Programming (AOP) is presented, which supports both the formal specification and the enforcement of such properties through runtime monitoring.

DS RBAC - Dynamic Sessions in Role Based Access Control

TLDR
Dynamic Sessions in RBAC (DS RBAC) is an extension to the existing RBAC ANSI standard that dynamically deactivates roles in a session if they are not exercised for a certain period of time, and allows the user to select an outer shell of possibly needed permissions at the initiation of a session.
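The following is an added illustration, not code from the DS RBAC paper, the ANSI standard, or any other work listed on this page. It puts the ANSI components the abstract above refers to (a role hierarchy with inherited permissions, and a static separation-of-duty constraint) next to the session behaviour summarized in this TLDR: roles chosen at session initiation form the outer shell, and a role that is not exercised within an idle timeout is deactivated. Role names, permission names, the timeout value, the placement of the idle sweep inside the access check, and the treatment of "exercising" a role as refreshing its timer are all assumptions made for the example; the paper's actual semantics may differ.

```python
from collections import defaultdict


class RBAC:
    """Core + hierarchical + constrained RBAC in ANSI INCITS 359 vocabulary (toy)."""

    def __init__(self):
        self.role_perms = defaultdict(set)  # role -> directly granted permissions (PA)
        self.juniors = defaultdict(set)     # senior role -> junior roles it inherits from (RH)
        self.user_roles = defaultdict(set)  # user -> assigned roles (UA)
        self.ssd = []  # static SoD: (role_set, n) -> a user may hold fewer than n of role_set
        self.dsd = []  # dynamic SoD: (role_set, n) -> a session may activate fewer than n of role_set

    def grant(self, role, *perms):
        self.role_perms[role].update(perms)

    def inherits(self, senior, junior):
        self.juniors[senior].add(junior)

    def authorized_perms(self, role):
        """Permissions granted to `role` plus everything inherited transitively from juniors."""
        seen, todo, perms = set(), [role], set()
        while todo:
            r = todo.pop()
            if r in seen:
                continue
            seen.add(r)
            perms |= self.role_perms[r]
            todo.extend(self.juniors[r])
        return perms

    def assign(self, user, role):
        """Add `role` to the user's assignment after checking every SSD constraint."""
        proposed = self.user_roles[user] | {role}
        for role_set, n in self.ssd:
            if len(proposed & role_set) >= n:
                raise ValueError(f"SSD violation: {user} would hold {sorted(proposed & role_set)}")
        self.user_roles[user].add(role)


class Session:
    """DS RBAC-style session (assumed semantics, not the paper's code): the roles chosen at
    initiation are the 'outer shell'; a role unused for idle_timeout seconds is deactivated."""

    def __init__(self, rbac, user, shell, idle_timeout, now):
        if not shell <= rbac.user_roles[user]:
            raise ValueError("shell contains roles not assigned to the user")
        for role_set, n in rbac.dsd:
            if len(shell & role_set) >= n:
                raise ValueError(f"DSD violation: cannot co-activate {sorted(shell & role_set)}")
        self.rbac, self.user, self.idle_timeout = rbac, user, idle_timeout
        self.last_used = {r: now for r in shell}  # active role -> time it was last exercised

    def _expire(self, now):
        idle = [r for r, t in self.last_used.items() if now - t > self.idle_timeout]
        for r in idle:
            del self.last_used[r]  # deactivated for inactivity; re-selection needs a new session

    def active_roles(self, now):
        self._expire(now)
        return set(self.last_used)

    def check_access(self, perm, now):
        """ANSI CheckAccess with the idle sweep first; exercising a role refreshes its timer."""
        self._expire(now)
        for r in self.last_used:
            if perm in self.rbac.authorized_perms(r):
                self.last_used[r] = now
                return True
        return False


def demo():
    """Constructed example: a three-level hierarchy, one SSD constraint, one idle session."""
    rbac = RBAC()
    rbac.grant("employee", "read:timesheet")
    rbac.grant("engineer", "push:code")
    rbac.grant("release_manager", "deploy:prod")
    rbac.grant("auditor", "read:audit_log")
    rbac.inherits("engineer", "employee")          # engineer > employee
    rbac.inherits("release_manager", "engineer")   # release_manager > engineer > employee
    rbac.ssd.append(({"release_manager", "auditor"}, 2))  # nobody both deploys and audits

    rbac.assign("alice", "release_manager")
    try:
        rbac.assign("alice", "auditor")
        ssd_blocked = False
    except ValueError:
        ssd_blocked = True

    s = Session(rbac, "alice", shell={"release_manager"}, idle_timeout=300, now=0)
    return {
        "ssd_blocked": ssd_blocked,
        "inherited": s.check_access("read:timesheet", now=10),   # via engineer -> employee
        "deploy_t100": s.check_access("deploy:prod", now=100),
        "deploy_t350": s.check_access("deploy:prod", now=350),   # 250 s idle: still active
        "deploy_t700": s.check_access("deploy:prod", now=700),   # 350 s idle: role dropped
        "active_t700": s.active_roles(now=700),
    }
```

Calling `demo()` returns a dictionary: the second assignment is refused by the SSD constraint, `read:timesheet` is reachable only through the hierarchy, and after 350 seconds without exercising `release_manager` the session holds no active role at all, so the same `deploy:prod` check that succeeded earlier now fails. Time is passed in explicitly so the idle behaviour is deterministic and testable; a real implementation would take it from a monotonic clock.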

Analysis of ANSI RBAC support in commercial middleware

TLDR
This thesis establishes a framework for assessing implementations of ANSI RBAC in the analyzed middleware technologies and suggests algorithms that define the semantics of authorization decisions in CORBA, EJB, and COM+.

Integration of Access Control Requirements into System Specifications

TLDR
The BTRBAC is an integrated graphical model that aims to simplify the formal specification, validation, verification and integration of access control requirements into the system design.
...

References


The NIST model for role-based access control: towards a unified standard

TLDR
The NIST model focuses on those aspects of RBAC for which consensus is available and is organized into four levels of increasing functional capability called flat RBAC, hierarchical RBAC, constrained RBAC and symmetric RBAC.

Role-Based Access Control Models

TLDR
Why RBAC is receiving renewed attention as a method of security administration and review is explained, a framework of four reference models developed to better understand RBAC is described, and the use of RBAC to manage itself is discussed.

Role-Based Access Controls, Proc. 15th Nat'l Computer Security Conf.

  • US Nat'l Security Agency / Nat'l Inst. of Standards and Technology
  • 1992