Publication


Featured research published by John Barkley.


ACM Transactions on Information and System Security | 1999

A role-based access control model and reference implementation within a corporate intranet

David F. Ferraiolo; John Barkley; D. Richard Kuhn

This paper describes NIST's enhanced RBAC model and our approach to designing and implementing RBAC features for networked Web servers. The RBAC model formalized in this paper is based on the properties that were first described in Ferraiolo and Kuhn [1992] and Ferraiolo et al. [1995], with adjustments resulting from experience gained by prototype implementations, market analysis, and observations made by Jansen [1988] and Hoffman [1996]. The implementation of RBAC for the Web (RBAC/Web) provides an alternative to the conventional means of administering and enforcing authorization policy on a server-by-server basis. RBAC/Web provides administrators with a means of managing authorization data at the enterprise level, in a manner consistent with the current set of laws, regulations, and practices.


Proceedings of the third ACM workshop on Role-based access control | 1998

Formal specification for role based access control user/role and role/role relationship management

Serban I. Gavrila; John Barkley

Role Based Access Control (RBAC), an access control mechanism, reduces the cost of administering access control policies as well as making the process less error-prone. The Admin Tool developed for the NIST RBAC Model manages user/role and role/role relationships stored in the RBAC Database. This paper presents a formal specification of the RBAC Database and Admin Tool operations. Consistency requirements for the RBAC Database are defined as a set of properties. Alternative properties, substantially simpler to verify in an implementation, are shown to be equivalent. In addition, the paper defines the semantics of Admin Tool operations, and shows that, given a consistent RBAC Database and an operation which meets specified conditions, the RBAC Database remains consistent after the operation is performed.


Proceedings of the fourth ACM workshop on Role-based access control | 1999

Supporting relationships in access control using role based access control

John Barkley; Konstantin Beznosov; Jinny Uppal

The Role Based Access Control (RBAC) model and mechanism have proven to be useful and effective. This is clear from the many RBAC implementations in commercial products. However, there are many common examples where access decisions must include other factors, in particular, relationships between entities, such as, the user, the object to be accessed, and the subject of the information contained within the object. Such relationships are often not efficiently represented using traditional static security attributes centrally administered. Furthermore, the extension of RBAC models to include relationships obscures the fundamental RBAC metaphor. This paper furthers the concept of relationships for use in access control, and it shows how relationships can be supported in role based access decisions by using the Object Management Group’s (OMG) Resource Access Decision facility (RAD). This facility allows relationship information, which can dynamically change as part of normal application processing, to be used in access decisions by applications. By using RAD, the access decision logic is separate from application logic. In addition, RAD allows access decision logic from different models to be combined into a single access decision. Each access control model is thus able to retain its metaphor.


Proceedings of the third ACM workshop on Role-based access control | 1998

Managing role/permission relationships using object access types

John Barkley; Anthony V. Cincotta

The role metaphor in Role Based Access Control (RBAC) is particularly powerful in its ability to express access policy in terms of the way in which administrators view organizations. Much of the effort in providing administrative tools for RBAC has been devoted to tools for associating users with roles and roles with roles. This paper introduces the concept of an “Object Access Type” and describes the tool “RGP-Admin” for administering associations between roles and permissions using Object Access Types. RGP-Admin is applicable to most RBAC mechanisms and Access Control List mechanisms which support groups. A prototype demonstration of RGP-Admin was developed to illustrate how Object Access Types are used to manage associations between Windows NT groups, representing roles, and file permissions within the Windows NT File System.


Proceedings of the second ACM workshop on Role-based access control | 1997

Comparing simple role based access control models and access control lists

John Barkley

The RBAC metaphor is powerful in its ability to express access control policy in terms of the way in which administrators view organizations. The functionality of simple Role Based Access Control (RBAC) models is compared to access control lists (ACL). A very simple RBAC model is shown to be no different from a group ACL mechanism from the point of view of its ability to express access control policy. RBAC is often distinguished from ACLs by the inclusion of a feature which allows a session to be associated with a proper subset of the roles (i.e., groups in ACL terms) authorized for a user. Two possible semantics for this feature are described: one which requires a similar amount of processing as that required by ACLs, and another which requires significantly more processing than that required by ACLs. In addition, the capability to define role hierarchies is compared to an equivalent feature in ACLs.


IEEE Communications Magazine | 1999

Object retrieval and access management in electronic commerce

Shukri Wakid; John Barkley; Mark Skall

Electronic commerce over the Internet is now tens of billions of dollars per year and growing. This article describes how objects used in EC can be located and protected from unauthorized access. It discusses the three kinds of EC: customer interactions with a business, business interactions with other businesses, and interactions within a business. It characterizes the object retrieval and access management required to support the types of EC. It describes how metadata expressed in XML can be used to locate objects for retrieval and how a public key infrastructure along with role-based access control can be used to implement the distributed authentication and access control necessary to support complex access policies. In addition, the article describes activities within the Information Technology Laboratory at the National Institute of Standards and Technology which contribute to the development of related standards and tests.


Archive | 1998

Implementation of role/group permission association using object access type

John Barkley; Anthony V. Cincotta


Archive | 1997

Workflow management employing role-based access control

John Barkley


20th National Information Systems Security Conference (NISSC '97) | 1997

Role Based Access Control for the World Wide Web | NIST

John Barkley; Anthony V. Cincotta; David F. Ferraiolo; Serban I. Gavrila; David R. Kuhn


Proceedings of the first ACM Workshop on Role-based access control | 1996

Implementing role-based access control using object technology

John Barkley

Collaboration


John Barkley's collaboration.

Top Co-Authors

Anthony V. Cincotta, National Institute of Standards and Technology
David F. Ferraiolo, National Institute of Standards and Technology
Lynne S. Rosenthal, National Institute of Standards and Technology
Serban I. Gavrila, National Institute of Standards and Technology
Mark Skall, National Institute of Standards and Technology
D. Richard Kuhn, National Institute of Standards and Technology
Jinny Uppal, Florida International University
John P. Wack, National Institute of Standards and Technology
Lisa J. Carnahan, National Institute of Standards and Technology
Rick Kuhn, National Institute of Standards and Technology