The NIST model for role-based access control: towards a unified standard

@inproceedings{Sandhu2000TheNM,
  title={The NIST model for role-based access control: towards a unified standard},
  author={Ravi S. Sandhu and David F. Ferraiolo and D. Richard Kuhn},
  booktitle={RBAC '00},
  year={2000}
}
This paper describes a unified model for role-based access control (RBAC). RBAC is a proven technology for large-scale authorization. However, lack of a standard model results in uncertainty and confusion about its utility and meaning. The NIST model seeks to resolve this situation by unifying ideas from prior RBAC models, commercial products and research prototypes. It is intended to serve as a foundation for developing future standards. RBAC is a rich and open-ended technology which is… 

Proposed NIST standard for role-based access control

TLDR
Although RBAC continues to evolve as users, researchers, and vendors gain experience with its application, the features and components proposed in this standard represent a fundamental and stable set of mechanisms that may be enhanced by developers in further meeting the needs of their customers.

Future Directions in Role-Based Access Control Models

TLDR
Some of the directions which are likely to result in practically useful enhancements to the current state of art in RBAC models are discussed.

A formal model for flat role-based access control

TLDR
A formal state-based model for flat role based access control (FRBAC) is constructed and described in the specification notation Z, which permits the close examination of the states in the system.

Formal Z Specifications of Several Flat Role-Based Access Control Models

TLDR
This paper attempts to clarify and define essential RBAC concepts and develops a variety of state-based flat role based access control models which have increasing degrees of complexity.

A Formal Model for Parameterized Role-Based Access Control

TLDR
This work has shown that current RBAC models can be adapted to capture fine grained authorizations by dramatically increasing the number of distinct roles in these models, however, this solution comes at an unacceptably high cost of allocating low level privileges which eliminates the major benefits gained from having a high level RBAC model.

A role-based access control model and reference implementation within a corporate intranet

TLDR
NIST's enhanced RBAC model and the approach to designing and implementing RBAC features for networked Web servers are described, which provides administrators with a means of managing authorization data at the enterprise level, in a manner consistent with the current set of laws, regulations, and practices.

An Evaluation of Role Based Access Control Towards Easier Management Compared to Tight Security

TLDR
The true dimensions of the RBAC model are identified, to change the mindset of researchers: RBAC evolved for easier administration rather than tight access control. A solution is proposed that incorporates the concept of roles for relaxed administration alongside permission-based access control.

A United Access Control Model for Systems in Collaborative Commerce

TLDR
A united access control model for systems in collaborative commerce is introduced, combining the advantages of conventional role-based access control, task-based authentication control and that of recent ABAC and automated trust negotiation (ATN).

Scalable Role & Organization Based Access Control and Its Administration

TLDR
It is proved that the expressive power of ROBAC is equal to that of traditional RBAC, and it is shown that ROBAC can significantly reduce the administrative complexities of applications involving a large number of similar organizational units.

References


A role-based access control model and reference implementation within a corporate intranet

TLDR
NIST's enhanced RBAC model and the approach to designing and implementing RBAC features for networked Web servers are described, which provides administrators with a means of managing authorization data at the enterprise level, in a manner consistent with the current set of laws, regulations, and practices.

Role-Based Access Control

Role-Based Access Control Features in Commercial Database Management Systems

TLDR
This paper analyzes and compares role-based access control (RBAC) features supported in the most recent versions of three popular commercial database management systems and concludes that these products provide a sound basis for implementing the basic features of RBAC, although there are significant differences.

Configuring role-based access control to enforce mandatory and discretionary access control policies

TLDR
This paper provides systematic constructions for various common forms of both of the traditional access control paradigms using the role-based access control (RBAC) models of Sandhu et al., commonly called RBAC96.

Mutual exclusion of roles as a means of implementing separation of duty in role-based access control systems

TLDR
This paper explores some aspects of mutual exclusion of roles as a means of implementing separation of duty policies, including a safety property for separation of duty; relationships between different types of exclusion rules; properties of mutual exclusion for roles; and constraints on the role hierarchy introduced by mutual exclusion rules.

The RSL99 language for role-based separation of duty constraints

TLDR
A framework for specifying separation of duty and conflict of interest policies in role-based systems is described and an intuitive formal language which uses system functions and sets as its basic elements is proposed.

Role-Based Access Control Models

TLDR
Why RBAC is receiving renewed attention as a method of security administration and review is explained, a framework of four reference models developed to better understand RBAC is described, and the use of RBAC to manage itself is discussed.

Role activation hierarchies

TLDR
This paper explores RBAC with respect to read-write access, and its relationship to traditional lattice-based access control or LBAC (also known as mandatory access control), and considers roles that are required to have dynamic separation of duty.

On the formal definition of separation-of-duty policies and their composition

TLDR
It is concluded that the practical implementation of SoD policies requires new methods and tools for security administration, even within applications that already support RBAC, such as most database management systems.

Configuring Role-based Access Control to Enforce Mandatory and Discretionary Access Control Policies

TLDR
This paper provides systematic constructions for various common forms of both of the traditional access control paradigms using the role-based access control (RBAC) models of Sandhu et al., commonly called RBAC96.