RBAC Standard Rationale: Comments on "A Critique of the ANSI Standard on Role-Based Access Control"

@article{Ferraiolo2007RBACSR,
  title={RBAC Standard Rationale: Comments on "A Critique of the ANSI Standard on Role-Based Access Control"},
  author={David F. Ferraiolo and D. R. Kuhn and R. Sandhu},
  journal={IEEE Security \& Privacy},
  year={2007},
  volume={5}
}
"For original paper see Ninghui Li et al., vol. 5, no. 6, p. 41 (2007)."

Some notion of roles for access control predates the research papers cited by the authors by at least a decade. Our work was designed to formalize RBAC and add features (such as hierarchies and constraints) to make it more useful to software developers and administrators. Extensive discussion of these and subsequent papers over many years led to the consensus standard for RBAC.
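The "hierarchies and constraints" the abstract refers to are the hierarchical and constrained levels of the NIST/ANSI model listed under the references below: role inheritance, plus static and dynamic separation-of-duty constraints layered on core RBAC's users, roles, permissions and sessions. The following Python model is an added illustration, not code from the paper or from the standard itself; its method names loosely mirror the standard's administrative commands (AssignUser, AddInheritance, AddActiveRole, CheckAccess), but the class, the bank role names and the scenario in `demo()` are all constructed here. One point worth seeing in code is that separation-of-duty checks have to be evaluated over the authorized closure of a role set, not just the directly assigned or activated roles, otherwise a conflicting role can be reached silently through inheritance.

```python
"""Toy RBAC engine shaped like the ANSI INCITS 359 functional spec: core RBAC
(users, roles, permissions, sessions), hierarchical RBAC (role inheritance) and
constrained RBAC (static/dynamic separation of duty). Added example, not the
standard's text; names loosely mirror its AssignUser/AddActiveRole/CheckAccess."""
from collections import defaultdict


class RBAC:
    def __init__(self):
        self.ua = defaultdict(set)   # user -> directly assigned roles (UA)
        self.pa = defaultdict(set)   # role -> directly granted (operation, object) pairs (PA)
        self.rh = defaultdict(set)   # senior role -> junior roles it inherits from (RH)
        self.ssd, self.dsd = [], []  # (frozenset of roles, n): at most n-1 of them together
        self.sessions = {}           # session id -> (user, set of active roles)

    def grant_permission(self, r, op, obj): self.pa[r].add((op, obj))
    def create_ssd_set(self, roles, n): self.ssd.append((frozenset(roles), n))
    def create_dsd_set(self, roles, n): self.dsd.append((frozenset(roles), n))
    def create_session(self, sid, u): self.sessions[sid] = (u, set())
    def drop_active_role(self, sid, r): self.sessions[sid][1].discard(r)

    def authorized_roles(self, roles):
        """Transitive closure of `roles` down the hierarchy (hierarchical RBAC)."""
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.rh[r])
        return seen

    def add_inheritance(self, senior, junior):
        """senior >= junior: senior acquires junior's permissions. Cycles are refused."""
        if senior in self.authorized_roles({junior}):
            raise ValueError(f"{senior} >= {junior} would create a cycle")
        self.rh[senior].add(junior)

    def _check_sod(self, constraints, roles, kind):
        """Cardinality check on the authorized closure, so a conflicting role that
        is only reached through inheritance still counts."""
        closure = self.authorized_roles(roles)
        for role_set, n in constraints:
            if len(role_set & closure) >= n:
                raise PermissionError(f"{kind} violation: {sorted(role_set & closure)}")

    def assign_user(self, u, r):
        self._check_sod(self.ssd, self.ua[u] | {r}, "SSD")  # static SoD at assignment
        self.ua[u].add(r)

    def add_active_role(self, sid, r):
        u, active = self.sessions[sid]
        if r not in self.ua[u]:
            raise PermissionError(f"{r} is not assigned to {u}")
        self._check_sod(self.dsd, active | {r}, "DSD")      # dynamic SoD at activation
        active.add(r)

    def check_access(self, sid, op, obj):
        """Granted if any active role, or a role it inherits from, holds the permission."""
        _, active = self.sessions[sid]
        return any((op, obj) in self.pa[r] for r in self.authorized_roles(active))


def demo():
    """Constructed bank scenario (not from the paper); returns the outcomes."""
    rbac, out = RBAC(), {}
    rbac.grant_permission("employee", "read", "branch_notices")
    rbac.grant_permission("teller", "post", "transaction")
    rbac.grant_permission("approver", "approve", "transaction")
    rbac.grant_permission("auditor", "read", "audit_log")
    rbac.add_inheritance("teller", "employee")
    rbac.add_inheritance("auditor", "employee")
    rbac.add_inheritance("branch_manager", "teller")
    rbac.create_ssd_set({"teller", "auditor"}, 2)   # never both, even via inheritance
    rbac.create_dsd_set({"teller", "approver"}, 2)  # may hold both, never active together
    rbac.assign_user("alice", "branch_manager")
    try:  # branch_manager >= teller, so adding auditor trips the SSD set
        rbac.assign_user("alice", "auditor")
        out["alice_auditor"] = "assigned"
    except PermissionError:
        out["alice_auditor"] = "refused"
    rbac.create_session("s1", "alice")
    rbac.add_active_role("s1", "branch_manager")
    out["alice_posts"] = rbac.check_access("s1", "post", "transaction")      # via teller
    out["alice_notices"] = rbac.check_access("s1", "read", "branch_notices")  # two levels down
    out["alice_audit"] = rbac.check_access("s1", "read", "audit_log")
    rbac.assign_user("bob", "teller")
    rbac.assign_user("bob", "approver")  # allowed: the pair is DSD, not SSD
    rbac.create_session("s2", "bob")
    rbac.add_active_role("s2", "teller")
    try:
        rbac.add_active_role("s2", "approver")
        out["bob_both"] = "activated"
    except PermissionError:
        out["bob_both"] = "refused"
    rbac.drop_active_role("s2", "teller")
    rbac.add_active_role("s2", "approver")  # fine once teller is dropped
    out["bob_approves"] = rbac.check_access("s2", "approve", "transaction")
    return out
```

Calling `demo()` walks through the scenario: alice's assignment to auditor is refused because branch_manager inherits teller and the pair is a static SoD set; bob may be assigned both teller and approver but cannot activate them in the same session, which is the dynamic variant. Real deployments would also persist the relations and audit every refused command, which this toy omits.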

Citations

Advantages of a non-technical XACML notation in role-based models
This paper shows how a non-technical notation proposed in earlier work allows users to work with a very compact and readable form of XACML rules, letting them take advantage of XACML's full expressive power.
A business-independence administrative model for role-based access control
  • Wei-an Tao
  • The 2nd International Conference on Information Science and Engineering
  • 2010
A general permission-management module based on an improved RBAC is proposed. It describes the inheritance relation between roles and the composition relation between modules using a hierarchical namespace, and uses a function mask to separate permission control from concrete business logic, achieving fine-grained control.
Suggested improvements to the DoDAF for modeling architectural security
This paper takes several modifications that have previously been suggested as separate additions, provides a way to integrate them into the DoDAF, and suggests templates for new views as well as modifications to existing templates.
A formal validation of the RBAC ANSI 2012 standard using B
It is argued that the ad hoc mathematical notation used in the RBAC ANSI 2012 standard is inappropriate, and a more methodical, tool-supported approach to writing standards is proposed in order to avoid the issues identified in the paper.
Evaluation of Purpose Mark Releasing Protocol for Purpose-based Marking (PM) Protocol
A novel synchronization protocol for keeping an information system secure and consistent is discussed, along with how to prevent the illegal information flow that conflicting transactions can cause.
A UML profile for role-based access control
A Unified Modeling Language (UML) profile for Role-Based Access Control (RBAC) is proposed, with which access control specifications can be modeled graphically alongside problem-domain specifications from the beginning of the design phase, making it possible to extend security integration over the entire development process.
A holistic approach for access control policies: from formal specification to aspect-based enforcement
A novel approach to non-functional safety properties, combining formal methods and Aspect-Oriented Programming (AOP), is presented; it supports both the formal specification and the enforcement of such properties through runtime monitoring.
DS RBAC - Dynamic Sessions in Role Based Access Control
Dynamic Sessions in RBAC (DS RBAC) is an extension to the existing RBAC ANSI standard that dynamically deactivates roles in a session if they are not exercised for a certain period of time, and allows the user to select an outer shell of possibly needed permissions at the initiation of a session.
Analysis of ANSI RBAC support in commercial middleware
This thesis establishes a framework for assessing implementations of ANSI RBAC in the analyzed middleware technologies and suggests algorithms that define the semantics of authorization decisions in CORBA, EJB, and COM+.
Integration of Access Control Requirements into System Specifications
BTRBAC is an integrated graphical model that aims to simplify the formal specification, validation, verification and integration of access control requirements into the system design.

References

The NIST model for role-based access control: towards a unified standard
The NIST model focuses on those aspects of RBAC for which consensus is available and is organized into four levels of increasing functional capability: flat RBAC, hierarchical RBAC, constrained RBAC and symmetric RBAC.
Role-Based Access Control Models
Explains why RBAC is receiving renewed attention as a method of security administration and review, describes a framework of four reference models developed to better understand RBAC, and discusses the use of RBAC to manage itself.
Role-Based Access Controls
  • Proc. 15th Nat'l Computer Security Conf., US Nat'l Security Agency / Nat'l Inst. of Standards and Technology
  • 1992