| Title: | Role-Based Access Control |
| Authors: | David Ferraiolo
Richard Kuhn |
| Organizations: | National Institute of Standards and Technology
National Institute of Standards and Technology |
| Print Information: | Proceedings of the 15th National Computer Security Conference (NCSC'92)
Pages -
NIST: 15th National Computer Security Conference (NCSC'92) Conference
, 1992 |
| Online: | |
Good introduction to Role-Based Access Control (RBAC) security
mechanisms. Creation of RBAC was driven by the observation that
control is often based on user functions rather than data
ownership. RBAC makes access control decisions on the functions
a user is allowed to perform within an organization.
By contrast:
- DAC permits users to allow or disallow other users access
to objects under their control.
- MAC is a means of restricting access to objects based on
the sensitivity of the information contained and the
authorization (i.e. clearance) of subjects.
In RBAC, subjects have roles, and roles have transactions. A
transaction performs operations on a system object. RBAC can
support integrity, where data and processes can be modified only
in authorized ways by authorized users. Through RBAC one can
implement the principle of least privilege, as well as the
policy of separation of duties.
Rules:
- Role assignment: a subject can execute a transaction only
if the subject has selected or has been assigned a role.
- Role authorization: a subject's active role must be
authorized for the subject.
- Transaction authorization: a subject can execute a
transaction only if the transaction is authorized for the
subject's active role.
|