A role-based access control model and reference implementation within a corporate intranet

This paper describes NIST's enhanced RBAC model and our approach to designing and implementing RBAC features for networked Web servers. The RBAC model formalized in this paper is based on the properties that were first described in Ferraiolo and Kuhn [1992] and Ferraiolo et al. [1995], with adjustments resulting from experience gained by prototype implementations, market analysis, and observations made by Jansen [1988] and Hoffman [1996]. The implementation of RBAC for the Web (RBAC/Web) provides an alternative to the conventional means of administering and enforcing authorization policy on a server-by-server basis. RBAC/Web provides administrators with a means of managing authorization data at the enterprise level, in a manner consistent with the current set of laws, regulations, and practices.

[1]  Sylvia L. Osborn,et al.  Access Rights Administration in Role-Based Security Systems , 1994, DBSec.

[2]  David F. Ferraiolo,et al.  An Examination of Federal and Commercial Access Control Policy Needs , 1993 .

[3]  Mary Ellen Zurko,et al.  Separation of duty in role-based environments , 1997, Proceedings 10th Computer Security Foundations Workshop.

[4]  Sebastiaan H. von Solms,et al.  The management of computer security profiles using a role-oriented approach , 1994, Comput. Secur..

[5]  Ravi S. Sandhu,et al.  The ARBAC97 model for role-based administration of roles: preliminary description and outline , 1997, RBAC '97.

[6]  David R. Kuhn,et al.  Role-Based Access Control (RBAC): Features and Motivations | NIST , 1995 .

[7]  Wayne Jansen,et al.  A Revised Model for Role Based Access Control , 1998 .

[8]  D. Richard Kuhn,et al.  Mutual exclusion of roles as a means of implementing separation of duty in role-based access control systems , 1997, RBAC '97.

[9]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[10]  Ravi S. Sandhu,et al.  How to do discretionary access control using roles , 1998, RBAC '98.

[11]  Serban I. Gavrila,et al.  Formal specification for role based access control user/role and role/role relationship management , 1998, RBAC '98.

[12]  J. Hoffman Implementing RBAC on a type enforced system , 1997, Proceedings 13th Annual Computer Security Applications Conference.

[13]  John F. Barkley,et al.  Managing role/permission relationships using object access types , 1998, RBAC '98.

[14]  Ravi S. Sandhu,et al.  Role activation hierarchies , 1998, RBAC '98.

[15]  Ravi S. Sandhu,et al.  The NIST model for role-based access control: towards a unified standard , 2000, RBAC '00.