A role-based access control model and reference implementation within a corporate intranet

Published: 01 February 1999

Abstract

This paper describes NIST's enhanced RBAC model and our approach to designing and implementing RBAC features for networked Web servers. The RBAC model formalized in this paper is based on the properties that were first described in Ferraiolo and Kuhn [1992] and Ferraiolo et al. [1995], with adjustments resulting from experience gained by prototype implementations, market analysis, and observations made by Jansen [1988] and Hoffman [1996]. The implementation of RBAC for the Web (RBAC/Web) provides an alternative to the conventional means of administering and enforcing authorization policy on a server-by-server basis. RBAC/Web provides administrators with a means of managing authorization data at the enterprise level, in a manner consistent with the current set of laws, regulations, and practices.

References

  1. BARKLEY, J. AND CINCOTTA, A. 1998. Managing role/permission relationships using object access types. In Proceedings of the 3rd ACM Workshop on Role-Based Access Control (RBAC, Fairfax, VA, Oct. 22-23). ACM Press, New York, NY, 73-80.
  2. FERRAIOLO, D. AND KUHN, D. R. 1992. Role based access control. In Proceedings of the 15th Annual Conference on National Computer Security. National Institute of Standards and Technology, Gaithersburg, MD, 554-563.
  3. FERRAIOLO, D., CUGINI, J., AND KUHN, D. R. 1995. Role based access control: Features and motivations. In Proceedings of the 11th Annual Conference on Computer Security Applications. IEEE Computer Society Press, Los Alamitos, CA, 241-248.
  4. FERRAIOLO, D. F., GILBERT, D. M., AND LYNCH, N. 1993. An examination of federal and commercial access control policy needs. In Proceedings of the 16th National Conference on Computer Security (Baltimore, MD, Sept. 20-23). National Institute of Standards and Technology, Gaithersburg, MD, 107-116.
  5. FEINSTEIN, H. L. 1995. Final report: NIST small business innovative research (SBIR) grant: Role based access control: Phase 1. SETA Corporation.
  6. GAVRILA, S. AND BARKLEY, J. 1998. Formal specification for role-based access control user/role and role/role relationship management. In Proceedings of the 3rd ACM Workshop on Role-Based Access Control (RBAC, Fairfax, VA, Oct. 22-23). ACM Press, New York, NY, 81-90.
  7. HOFFMAN, J. 1997. Implementing RBAC on type enforced systems. In Proceedings of the 13th Annual Conference on Computer Security Applications. IEEE Computer Society Press, Los Alamitos, CA, 158-163.
  8. JANSEN, W. A. 1988. Revised model for role based access control. NIST-IR 6192. National Institute of Standards and Technology, Gaithersburg, MD.
  9. KUHN, D. R. 1997. Mutual exclusion as a means of implementing separation of duty requirements in role-based access control systems. In Proceedings of the 2nd ACM Workshop on Role-Based Access Control (Fairfax, VA, Nov. 6-7). ACM Press, New York, NY, 23-30.
  10. NYANCHAMA, M. AND OSBORN, S. L. 1994. Access rights administration in role-based security systems. In Proceedings of the IFIP Working Group 11.3 Working Conference on Database Security. Elsevier North-Holland, Inc., Amsterdam, The Netherlands.
  11. SANDHU, R., COYNE, E. J., FEINSTEIN, H. L., AND YOUMAN, C. E. 1996. Role-based access control models. IEEE Comput. 29, 2 (Feb.), 38-47.
  12. SANDHU, R. AND MUNAWER, Q. 1998. How to do discretionary access control using rules. In Proceedings of the 3rd ACM Workshop on Role-Based Access Control (RBAC, Fairfax, VA, Oct. 22-23). ACM Press, New York, NY, 47-54.
  13. SANDHU, R. 1998. Role activation hierarchies. In Proceedings of the 3rd ACM Workshop on Role-Based Access Control (RBAC, Fairfax, VA, Oct. 22-23). ACM Press, New York, NY, 33-42.
  14. SANDHU, R., BHAMIDIPATI, V., COYNE, E., GANTA, S., AND YOUMAN, C. 1997. The ARBAC97 model for role-based administration of roles: Preliminary description and model. In Proceedings of the 2nd ACM Workshop on Role-Based Access Control (Fairfax, VA, Nov. 6-7). ACM Press, New York, NY, 41-54.
  15. SIMON, R. AND ZURKO, M. E. 1997. Separation of duty in role based access control environments. In Proceedings of the 10th IEEE Workshop on Computer Security Foundations (Rockport, MA, June 10-12). IEEE Computer Society Press, Los Alamitos, CA, 183-194.
  16. VON SOLMS, S. H. AND VAN DER MERVE, I. 1994. The management of computer security profiles using a role-oriented approach. Comput. Secur. 13, 8, 673-680.


Published in

ACM Transactions on Information and System Security, Volume 2, Issue 1
Special issue on role-based access control
Feb. 1999, 135 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/300830

                Copyright © 1999 ACM


Publisher

Association for Computing Machinery, New York, NY, United States
