Role-based access control

In computer systems security, role-based access control (RBAC) [cite conference
author = Ferraiolo, D.F. and Kuhn, D.R.
title = Role Based Access Control
booktitle=15th National Computer Security Conference
year = 1992
month = October
pages=554-563
url = http://csrc.nist.gov/rbac/ferraiolo-kuhn-92.pdf
format = PDF ] [cite journal
author = Sandhu, R., Coyne, E.J., Feinstein, H.L. and Youman, C.E.
title = Role-Based Access Control Models
journal = IEEE Computer
volume = 29
issue = 2
year = 1996
month = August
pages = 38–47
publisher = IEEE Press
url = http://csrc.nist.gov/rbac/sandhu96.pdf
format = PDF ] is an approach to restricting system access to authorized users. It is a newer alternative approach to mandatory access control (MAC) and discretionary access control (DAC).

RBAC is a policy neutral and flexible access control technology sufficiently powerful to simulate Discretionary Access Control (DAC) [cite conference
author = Ravi Sandhu, Qamar Munawer
title = How to do discretionary access controlusing roles
booktitle=3rd ACM Workshop on Role-Based AccessControl
year = 1998
month = October
pages=47-54 ] and Mandatory Access Control (MAC). [cite conference
author = Sylvia Osborn, Ravi Sandhu, and Qamar Munawer
title = Configuring role-based access controlto enforce mandatory and discretionary access control policies
booktitle=ACM Transactionson Information and System Security (TISSEC)
year = 2000
pages=85-106 ]

Prior to the development of RBAC, MAC and DAC were considered to be the only known models for access control: if a model was not MAC, it was considered to be a DAC model, and vice versa. Research in the late 1990s demonstrated that RBAC falls in neither category. [See [http://csrc.nist.gov/rbac/rbac-faq.html National Institute of Standards and Technology FAQ on RBAC models and standards] , and the research of [http://csrc.nist.gov/groups/SNS/rbac/documents/ferraiolo-kuhn-92.pdf David Ferraiolo and Richard Kuhn] ]

Within an organization, roles are created for various job functions. The permissions to perform certain operations ('permissions') are assigned to specific roles. Members of staff (or other system users) are assigned particular roles, and through those role assignments acquire the permissions to perform particular system functions. Unlike context-based access control (CBAC), RBAC does not look at the message context (such as where the connection was started from).

Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning the appropriate roles to the user, which simplifies common operations such as adding a user, or changing a user's department.

RBAC differs from access control lists (ACLs) used in traditional discretionary access control systems in that it assigns permissions to specific operations with meaning in the organization, rather than to low level data objects. For example, an access control list could be used to grant or deny write access to a particular system file, but it would not say in what ways that file could be changed. In an RBAC-based system an operation might be to create a 'credit account' transaction in a financial application or to populate a 'blood sugar level test' record in a medical application. The assignment of permission to perform a particular operation is meaningful, because the operations are fine grained and themselves have meaning within the application.

With the concepts of role hierarchy and constraints, one can control RBAC to create or simulate lattice-based access control (LBAC). Thus RBAC can be considered a superset of LBAC.

When defining an RBAC model, the following conventions are useful:

* S = Subject = A person or automated agent
* R = Role = Job function or title which defines an authority level
* P = Permissions = An approval of a mode of access to a resource
* SE = Session = A mapping involving S, R and/or P
* SA = Subject Assignment
* PA = Permission Assignment
* RH = Partially ordered role Hierarchy. RH can also be written: ≥
* A subject can have multiple roles.
* A role can have multiple subjects.
* A role can have many permissions.
* A permission can be assigned to many roles.

A constraint places a restrictive rule on the potential inheritance of permissions from opposing roles, thus it can be used to achieve appropriate segregation of duties. For example, the same person should not be allowed to both create a login account for someone, and also be allowed to authorize the procedure.

Thus, using set theory notation:

* $PA\; subseteq\; P\; imes\; R$ and is a many to many permission to role assignment relation.
* $SA\; subseteq\; S\; imes\; R$ and is a many to many subject to role assignment relation.
* $RH\; subseteq\; R\; imes\; R$

The notation: x ≥ y means that x inherits the permissions of y.

A subject may have multiple simultaneous sessions with different permissions.

The use of RBAC to manage user privileges within a single system or application is widely accepted as a best practice. Systems including Microsoft Active Directory, SELinux, FreeBSD, Solaris, Oracle DBMS, PostgreSQL 8.1, SAP R/3 and many others effectively implement some form of RBAC.

In an organization with a heterogeneous IT infrastructure and requirements that span dozens or hundreds of systems and applications, using RBAC to manage sufficient roles and assign adequate role memberships becomes extremely complex without hierarchical creation of roles and privilege assignments. Alternate strategies for large scale assignment of privileges to users are discussed in this white paper: [http://www.idsynch.com/docs/beyond-roles.html Beyond Roles: A Practical Approach to Enterprise User Provisioning] . Newer systems extend the older NIST model [cite conference
author = Sandhu, R., Ferraiolo, D.F. and Kuhn, D.R.
title = The NIST Model for Role Based Access Control: Toward a Unified Standard
booktitle=5th ACM Workshop Role-Based Access Control
year = 2000
month = July
pages=47-63
url = http://csrc.nist.gov/rbac/sandhu-ferraiolo-kuhn-00.pdf
format = PDF ] to address the limitations of RBAC for enterprise-wide deployments. Several academic papers exist.

ee also

* Lattice-based access control (LBAC), equivalent to mandatory access control (MAC).
* Security label
* Security classification
* Covert channel
* Chinese wall
* Authentication
* Blind credential
* Sudo (superuser do) Unix program
* Identity Driven Networking
* XACML A Attribute Based Access Control (ABAC) model which incorporates RBAC
* grsecurity

References

External links

* [http://csrc.nist.gov/rbac/rbac-faq.html FAQ on RBAC models and standards]
* [http://csrc.nist.gov/rbac/ Role Based Access Controls at NIST] - huge US government website with lots of information on the theory and implementation of RBAC
* [http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-rbac-profile1-spec-os.pdf XACML core and hierarchical role based access control profile] - OASIS XACML standard. (PDF file)
* [http://technet2.microsoft.com/WindowsServer/en/library/72b55950-86cc-4c7f-8fbf-3063276cd0b61033.mspx?mfr=true RBAC Microsoft's article]
* [http://www.visual-guard.com/EN/.net-security-user-role-permission/.net-dotnet-security-article-ressources/role-based-access-control.html RBAC .net article]
* [http://channel9.msdn.com/Showpost.aspx?postid=289062 Getting Started with AzMan]
* [http://www.ics.utsa.edu Institute for Cyber Security at the University of Texas San Antonio]