In computer systems security, role-based access control (RBAC) or role-based security is an approach to restricting system access to authorized users. It is an approach to implement
mandatory access control
In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system or database constrains the ability of a ''subject'' or ''initiator'' to access or generally perform some sort of operation on a ...
(MAC) or
discretionary access control
In computer security, discretionary access control (DAC) is a type of access control defined by the Trusted Computer System Evaluation Criteria (TCSEC) as a means of restricting access to objects based on the identity of subjects and/or groups to ...
(DAC).
Role-based access control is a policy-neutral access-control mechanism defined around roles and privileges. The components of RBAC such as role-permissions, user-role and role-role relationships make it simple to perform user assignments. A study by NIST has demonstrated that RBAC addresses many needs of commercial and government organizations. RBAC can be used to facilitate administration of security in large organizations with hundreds of users and thousands of permissions. Although RBAC is different from MAC and DAC access control frameworks, it can enforce these policies without any complication.
Design
Within an organization,
roles
A role (also rôle or social role) is a set of connected behaviors, rights, obligations, beliefs, and norms as conceptualized by people in a social situation. It is an expected or free or continuously changing behavior and may have a given indiv ...
are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members or staff (or other system users) are assigned particular roles, and through those role assignments acquire the permissions needed to perform particular system functions. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the user's account; this simplifies common operations, such as adding a user, or changing a user's department.
Role based access control interference is a relatively new issue in security applications, where multiple user accounts with dynamic access levels may lead to encryption key instability, allowing an outside user to exploit the weakness for unauthorized access. Key sharing applications within dynamic virtualized environments have shown some success in addressing this problem.
Three primary rules are defined for RBAC:
# Role assignment: A subject can exercise a permission only if the subject has selected or been assigned a role.
# Role authorization: A subject's active role must be authorized for the subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized.
# Permission authorization: A subject can exercise a permission only if the permission is authorized for the subject's active role. With rules 1 and 2, this rule ensures that users can exercise only permissions for which they are authorized.
Additional constraints may be applied as well, and roles can be combined in a
hierarchy
A hierarchy (from Greek: , from , 'president of sacred rites') is an arrangement of items (objects, names, values, categories, etc.) that are represented as being "above", "below", or "at the same level as" one another. Hierarchy is an important ...
where higher-level roles subsume permissions owned by sub-roles.
With the concepts of
role hierarchy {{Unreferenced, date=June 2019, bot=noref (GreenC bot)
In role based access control, the role hierarchy defines an inheritance relationship among roles. For example, the role structure for a bank may treat all employees as members of the ‘employ ...
and constraints, one can control RBAC to create or simulate
lattice-based access control In computer security, lattice-based access control (LBAC) is a complex access control model based on the interaction between any combination of objects (such as resources, computers, and applications) and subjects (such as individuals, groups or org ...
(LBAC). Thus RBAC can be considered to be a superset of LBAC.
When defining an RBAC model, the following conventions are useful:
* S = Subject = A person or automated agent
* R = Role = Job function or title which defines an authority level
* P = Permissions = An approval of a mode of access to a resource
* SE = Session = A mapping involving S, R and/or P
* SA = Subject Assignment
* PA = Permission Assignment
* RH = Partially ordered Role Hierarchy. RH can also be written: ≥ (The notation: x ≥ y means that x inherits the permissions of y.)
** A subject can have multiple roles.
** A role can have multiple subjects.
** A role can have many permissions.
** A permission can be assigned to many roles.
** An operation can be assigned to many permissions.
** A permission can be assigned to many operations.
A constraint places a restrictive rule on the potential inheritance of permissions from opposing roles, thus it can be used to achieve appropriate
separation of duties
Separation of duties (SoD), also known as segregation of duties is the concept of having more than one person required to complete a task. It is an administrative control used by organisations to prevent fraud, sabotage, theft, misuse of informati ...
. For example, the same person should not be allowed to both create a login account and to authorize the account creation.
Thus, using
set theory notation:
*
and is a many to many permission to role assignment relation.
*
and is a many to many subject to role assignment relation.
*
A subject may have ''multiple'' simultaneous sessions with/in different roles.
Standardized levels
The NIST/ANSI/
INCITS
The InterNational Committee for Information Technology Standards (INCITS), (pronounced "insights"), is an ANSI-accredited standards development organization composed of Information technology developers. It was formerly known as the X3 and NCITS. ...
RBAC standard (2004) recognizes three levels of RBAC:
# core RBAC
# hierarchical RBAC, which adds support for inheritance between roles
# constrained RBAC, which adds separation of duties
Relation to other models
RBAC is a flexible access control technology whose flexibility allows it to implement
DAC or
MAC. DAC with groups (e.g., as implemented in POSIX file systems) can emulate RBAC. MAC can simulate RBAC if the role graph is restricted to a tree rather than a
partially ordered set
In mathematics, especially order theory, a partially ordered set (also poset) formalizes and generalizes the intuitive concept of an ordering, sequencing, or arrangement of the elements of a Set (mathematics), set. A poset consists of a set toget ...
.
Prior to the development of RBAC, the
Bell-LaPadula (BLP) model was synonymous with MAC and
file system permissions
Most file systems include attributes of files and directories that control the ability of users to read, change, navigate, and execute the contents of the file system. In some cases, menu options or functions may be made visible or hidden depending ...
were synonymous with DAC. These were considered to be the only known models for access control: if a model was not BLP, it was considered to be a DAC model, and vice versa. Research in the late 1990s demonstrated that RBAC falls in neither category. Unlike
context-based access control
Context-based access control (CBAC) is a feature of firewall software, which intelligently filters TCP and UDP packets based on application layer protocol session information. It can be used for intranets, extranets and internets.
CBAC can ...
(CBAC), RBAC does not look at the message context (such as a connection's source). RBAC has also been criticized for leading to role explosion, a problem in large enterprise systems which require access control of finer granularity than what RBAC can provide as roles are inherently assigned to operations and data types. In resemblance to CBAC, an Entity-Relationship Based Access Control (ERBAC, although the same acronym is also used for modified RBAC systems, such as Extended Role-Based Access Control) system is able to secure instances of data by considering their association to the executing subject.
Comparing to ACL
Access control lists
In computer security, an access-control list (ACL) is a list of File-system permissions, permissions associated with a system resource (object). An ACL specifies which User (computing), users or Process (computing), system processes are granted acc ...
(ACLs) are used in traditional discretionary access-control (DAC) systems to affect low-level data-objects. RBAC differs from ACL in assigning permissions to operations which change the direct-relations between several entities (see: ''ACLg'' below). For example, an ACL could be used for granting or denying write access to a particular system file, but it wouldn't dictate how that file could be changed. In an RBAC-based system, an operation might be to 'create a credit account' transaction in a financial application or to 'populate a blood sugar level test' record in a medical application. A Role is thus a sequence of operations within a larger activity. RBAC has been shown to be particularly well suited to separation of duties (SoD) requirements, which ensure that two or more people must be involved in authorizing critical operations. Necessary and sufficient conditions for safety of SoD in RBAC have been analyzed. An underlying principle of SoD is that no individual should be able to effect a breach of security through dual privilege. By extension, no person may hold a role that exercises audit, control or review authority over another, concurrently held role.
Then again, a "minimal RBAC Model", ''RBACm'', can be compared with an ACL mechanism, ''ACLg'', where only groups are permitted as entries in the ACL. Barkley (1997) showed that ''RBACm'' and ''ACLg'' are equivalent.
In modern
SQL implementations, lik
ACL of theCakePHP
CakePHP is an open-source web framework. It follows the model–view–controller (MVC) approach and is written in PHP, modeled after the concepts of Ruby on Rails, and distributed under the MIT License.
CakePHP uses well-known software engineeri ...
framework, ACLs also manage groups and inheritance in a hierarchy of groups. Under this aspect, specific "modern ACL" implementations can be compared with specific "modern RBAC" implementations, better than "old (file system) implementations".
For data interchange, and for "high level comparisons", ACL data can be translated to
XACML
XACML stands for "eXtensible Access Control Markup Language". The standard defines a declarative fine-grained, attribute-based access control policy language, an architecture, and a processing model describing how to evaluate access requests a ...
.
Attribute-based access control
Attribute-based access control or
ABAC is a model which evolves from RBAC to consider additional attributes in addition to roles and groups. In ABAC, it is possible to use attributes of:
* the user e.g. citizenship, clearance,
* the resource e.g. classification, department, owner,
* the action, and
* the context e.g. time, location, IP.
ABAC is policy-based in the sense that it uses policies rather than static permissions to define what is allowed or what is not allowed.
Use and availability
The use of RBAC to manage user privileges (computer permissions) within a single system or application is widely accepted as a best practice. A 2010 report prepared for
NIST
The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical sci ...
by the
Research Triangle Institute
Research Triangle Institute, trading as RTI International, is a nonprofit organization headquartered in the Research Triangle Park in North Carolina. RTI provides research and technical services. It was founded in 1958 with $500,000 in funding f ...
analyzed the economic value of RBAC for enterprises, and estimated benefits per employee from reduced employee downtime, more efficient provisioning, and more efficient access control policy administration.
In an organization with a heterogeneous
IT infrastructure
Information technology infrastructure is defined broadly as a set of information technology (IT) components that are the foundation of an IT service; typically physical components (computer and networking hardware and facilities), but also variou ...
and requirements that span dozens or hundreds of systems and applications, using RBAC to manage sufficient roles and assign adequate role memberships becomes extremely complex without hierarchical creation of roles and privilege assignments. Newer systems extend the older
NIST RBAC model The NIST RBAC model is a standardized definition of role-based access control. Although originally developed by the National Institute of Standards and Technology, the standard was adopted and is copyrighted and distributed as INCITS 359-2004 by th ...
to address the limitations of RBAC for enterprise-wide deployments. The NIST model was adopted as a standard by
INCITS
The InterNational Committee for Information Technology Standards (INCITS), (pronounced "insights"), is an ANSI-accredited standards development organization composed of Information technology developers. It was formerly known as the X3 and NCITS. ...
as ANSI/INCITS 359-2004. A discussion of some of the design choices for the NIST model has also been published.
See also
References
Further reading
* {{cite book, author1=David F. Ferraiolo, author2=D. Richard Kuhn, author3=Ramaswamy Chandramouli, title=Role-based Access Control, edition=2nd, year=2007, publisher=Artech House, isbn=978-1-59693-113-8
External links
FAQ on RBAC models and standardsRole Based Access Controls at NISTXACML core and hierarchical role based access control profileInstitute for Cyber Security at the University of Texas San AntonioPractical experiences in implementing RBAC
Computer security models
Access control