Elsevier

Advances in Computers

Volume 46, 1998, Pages 237-286

Role-based Access Control [1]

https://doi.org/10.1016/S0065-2458(08)60206-5

Abstract

The basic concept of role-based access control (RBAC) is that permissions are associated with roles, and users are made members of appropriate roles, thereby acquiring the roles' permissions. This idea has been around since the advent of multi-user computing. Until recently, however, RBAC has received little attention from the research community. This chapter describes the motivations, results, and open issues in recent RBAC research.

The chapter focuses on four areas. First, RBAC is a multidimensional concept that can range from very simple at one extreme to quite complex and sophisticated at the other. This presents problems in coming up with a definitive model of RBAC. We see how this impasse is resolved by having a family of models which can accommodate all these variations. Second, we discuss how RBAC can be used to manage itself. Recent models developed for this purpose are presented. Third, the flexibility of RBAC can be demonstrated in many ways. Here we show how RBAC can be configured to enforce different variations of classical lattice-based mandatory access controls. Fourth, we describe a conceptual three-tier architecture for specification and enforcement of RBAC. The chapter concludes with a discussion of open issues in RBAC.
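The two ideas the abstract states in prose, permissions assigned to roles and users assigned to roles (with a role hierarchy and sessions on top), and the claim that such a model can be configured to enforce lattice-based mandatory access control, as an added Python example. This is not code from the chapter. The engine is a minimal RBAC with a role hierarchy and sessions; the lattice configuration uses two roles per security label (xR reads at level x, xW writes at level x), mirrors the lattice in the read-role hierarchy, inverts it in the write-role hierarchy for the liberal *-property, and drops the write hierarchy for the strict *-property. The three-level lattice U < S < TS, the object labels, the user clearances and all class and function names are constructed for this example.

```python
from collections import defaultdict


class RBAC:
    """Users are assigned to roles, permissions are assigned to roles, and a role
    inherits the permissions of every role it dominates in the hierarchy."""

    def __init__(self):
        self.user_roles = defaultdict(set)   # user -> directly assigned roles
        self.role_perms = defaultdict(set)   # role -> directly assigned (object, op)
        self.juniors = defaultdict(set)      # role -> roles it directly dominates

    def assign_user(self, user, role):
        self.user_roles[user].add(role)

    def grant(self, role, obj, op):
        self.role_perms[role].add((obj, op))

    def add_inheritance(self, senior, junior):
        """senior >= junior: activating senior also yields junior's permissions."""
        self.juniors[senior].add(junior)

    def dominated_by(self, role):
        """Transitive closure of the hierarchy below `role`, including `role` itself."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors[r])
        return seen

    def authorized_roles(self, user):
        """Roles a user may activate: assigned roles plus everything they dominate."""
        return set().union(*(self.dominated_by(r) for r in self.user_roles[user]))

    def open_session(self, user, active, constraint=lambda roles: True):
        """A session activates a subset of the user's authorized roles, subject to a constraint."""
        active = frozenset(active)
        if not active <= self.authorized_roles(user):
            raise PermissionError(f"{user} is not authorized for {sorted(active)}")
        if not constraint(active):
            raise PermissionError(f"session constraint rejects {sorted(active)}")
        return Session(self, active)


class Session:
    def __init__(self, rbac, active):
        self.rbac, self.active = rbac, active

    def permitted(self, obj, op):
        """A session holds the permissions of its active roles and of their juniors."""
        return any((obj, op) in self.rbac.role_perms[j]
                   for r in self.active for j in self.rbac.dominated_by(r))


# Constructed linear lattice of security levels: U < S < TS.
LEVELS = ["U", "S", "TS"]
READ, WRITE = "R", "W"   # role xR reads objects labelled x, role xW writes them


def lattice_rbac(object_labels, clearances, strict_star=False):
    """Configure roles so that a session at level x can read objects labelled <= x
    (simple security) and write objects labelled >= x (liberal *-property) or
    exactly x (strict *-property)."""
    rb = RBAC()
    for lower, higher in zip(LEVELS, LEVELS[1:]):
        rb.add_inheritance(higher + READ, lower + READ)        # TSR >= SR >= UR: read down
        if not strict_star:
            rb.add_inheritance(lower + WRITE, higher + WRITE)  # UW >= SW >= TSW: write up
    for obj, label in object_labels.items():
        rb.grant(label + READ, obj, "read")
        rb.grant(label + WRITE, obj, "write")
    for user, clearance in clearances.items():
        rb.assign_user(user, clearance + READ)
        for level in LEVELS[: LEVELS.index(clearance) + 1]:
            rb.assign_user(user, level + WRITE)   # may log in at any level up to clearance
    return rb


def one_matching_pair(roles):
    """Session constraint: exactly one read role xR and one write role xW, same x."""
    reads = {r[:-1] for r in roles if r.endswith(READ)}
    writes = {r[:-1] for r in roles if r.endswith(WRITE)}
    return len(roles) == 2 and len(reads) == 1 and reads == writes


def can_open(rb, user, roles):
    """True if `user` may open a session activating exactly `roles` under the lattice constraint."""
    try:
        rb.open_session(user, roles, one_matching_pair)
        return True
    except PermissionError:
        return False


# Constructed sample data: object labels and user clearances.
OBJECTS = {"bulletin": "U", "payroll": "S", "war_plan": "TS"}
USERS = {"alice": "TS", "bob": "U"}


def demo(strict_star=False):
    """alice (cleared TS) logs in at level S; report what the session may do."""
    rb = lattice_rbac(OBJECTS, USERS, strict_star)
    s = rb.open_session("alice", {"S" + READ, "S" + WRITE}, one_matching_pair)
    return {
        "read_down": s.permitted("bulletin", "read"),    # True
        "read_up": s.permitted("war_plan", "read"),      # False
        "write_up": s.permitted("war_plan", "write"),    # True (liberal), False (strict)
        "write_same": s.permitted("payroll", "write"),   # True
        "write_down": s.permitted("bulletin", "write"),  # False
    }
```

The mandatory policy lives entirely in the role hierarchy, the fixed role-permission assignment and the session constraint; the RBAC engine itself knows nothing about labels. Dropping the constraint would let alice activate TSR together with UW in one session and move Top Secret content into an Unclassified object, which is exactly the leak the *-property exists to prevent.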

References (30)

  • I. Mohammed et al. (1994). Design for dynamic user-role-based security. Computers & Security.
  • S.H. von Solms et al. (1994). The management of computer security profiles using a role-oriented approach. Computers & Security.
  • R.W. Baldwin (1990). Naming and grouping privileges to simplify security management in large database. Proceedings of...
  • D.E. Bell (1987). Secure computer systems: a network interpretation. Proceedings of 3rd Annual Computer Security...
  • Common Criteria Editorial Board (1996). Common Criteria for Information Technology Security, Version...
  • D.F. Ferraiolo, R. Kuhn (1992). Role-based access controls. Proceedings of 15th NIST-NCSC National Computer Security...
  • D.F. Ferraiolo, D.M. Gilbert, N. Lynch (1993). An examination of federal and commercial access control policy needs....
  • L. Guiri (1995). A new model for role-based access control. Proceedings of 11th Annual Computer Security Application...
  • M.-Y. Hu et al. User-role based security in the ADAM object-oriented design and analyses environment.
  • ISO (1992). ISO/IEC 10040: Information Technology—Open Systems Interconnection—Systems Management Overview.
  • D. Jonscher. Extending access controls with duties—realized by active mechanisms.
  • T.M.P. Lee (1988). Using mandatory integrity to enforce "commercial" security. Proceedings of IEEE Symposium on...
  • J.D. Moffett et al. Delegation of authority.
  • L. Notargiacomo (1997). Role-based access control in ORACLE7 and Trusted ORACLE7.
  • M. Nyanchama et al. Access rights administration in role-based security systems.
[1] Portions of this chapter have been published earlier in Sandhu et al. (1996), Sandhu (1996), Sandhu and Bhamidipati (1997), Sandhu et al. (1997) and Sandhu and Feinstein (1994).

[2] Ravi Sandhu is also affiliated with SETA Corporation, 6862 Elm Street, McLean, VA 22101, USA.
