ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
A role-based access control model and reference implementation within a corporate intranet
Full text PdfPdf (253 KB)
Source ACM Transactions on Information and System Security (TISSEC) archive
Volume 2 ,  Issue 1  (February 1999) table of contents
Special issue on role-based access control
Pages: 34 - 64  
Year of Publication: 1999
ISSN:1094-9224
Authors
David F. Ferraiolo  National Institute of Standards and Technology, Gaithersburg, MD
John F. Barkley  National Institute of Standards and Technology, Gaithersburg, MD
D. Richard Kuhn  National Institute of Standards and Technology, Gaithersburg, MD
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 32,   Downloads (12 Months): 210,   Citation Count: 65
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/300830.300834
What is a DOI?

ABSTRACT

This paper describes NIST's enhanced RBAC model and our approach to designing and implementing RBAC features for networked Web servers. The RBAC model formalized in this paper is based on the properties that were first described in Ferraiolo and Kuhn [1992] and Ferraiolo et al. [1995], with adjustments resulting from experience gained by prototype implementations, market analysis, and observations made by Jansen [1988] and Hoffman [1996]. The implementation of RBAC for the Web (RBAC/Web) provides an alternative to the conventional means of administering and enforcing authorization policy on a server-by-server basis. RBAC/Web provides administrators with a means of managing authorization data at the enterprise level, in a manner consistent with the current set of laws, regulations, and practices.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

1
John Barkley , Anthony Cincotta, Managing role/permission relationships using object access types, Proceedings of the third ACM workshop on Role-based access control, p.73-80, October 22-23, 1998, Fairfax, Virginia, United States  [doi>10.1145/286884.286901]
 
2
FERRAIOLO, D. AND KUHN, D. R. 1992. Role based access control. In Proceedings of the 15th Annual Conference on National Computer Security. National Institute of Standards and Technology, Gaithersburg, MD, 554-563.
 
3
FERRAIOLO, D., CUGINI, J., AND KUHN, D. R. 1995. Role based access control: Features and motivations. In Proceedings of the 11th Annual Conference on Computer Security Applications. IEEE Computer Society Press, Los Alamitos, CA, 241-248.
 
4
FERRAIOLO, D. F., GILBERT, D. M., AND LYNCH, N. 1993. An examination of federal and commercial access control policy needs. In Proceedings of the 16th National Conference on Computer Security (Baltimore, MD, Sept. 20-23). National Institute of Standards and Technology, Gaithersburg, MD, 107-116.
 
5
FEINSTEIN, H. L. 1995. Final report: NIST small business innovative research (SBIR) grant: Role based access control: Phase 1. SETA Corporation. SETA Corporation.
6
Serban I. Gavrila , John F. Barkley, Formal specification for role based access control user/role and role/role relationship management, Proceedings of the third ACM workshop on Role-based access control, p.81-90, October 22-23, 1998, Fairfax, Virginia, United States  [doi>10.1145/286884.286902]
 
7
J. Hoffman, Implementing RBAC on a type enforced system, Proceedings of the 13th Annual Computer Security Applications Conference, p.158, December 08-12, 1997
 
8
JANSEN, W.A. 1988. Revised model for role based access control. NIST-IR 6192. National Institute of Standards and Technology, Gaithersburg, MD.
9
D. Richard Kuhn, Mutual exclusion of roles as a means of implementing separation of duty in role-based access control systems, Proceedings of the second ACM workshop on Role-based access control, p.23-30, November 06-07, 1997, Fairfax, Virginia, United States  [doi>10.1145/266741.266749]
 
10
Matunda Nyanchama , Sylvia L. Osborn, Access Rights Administration in Role-Based Security Systems, Proceedings of the IFIP WG11.3 Working Conference on Database Security VII, p.37-56, August 23-26, 1994
 
11
Ravi S. Sandhu , Edward J. Coyne , Hal L. Feinstein , Charles E. Youman, Role-Based Access Control Models, Computer, v.29 n.2, p.38-47, February 1996  [doi>10.1109/2.485845]
12
Ravi Sandhu , Qamar Munawer, How to do discretionary access control using roles, Proceedings of the third ACM workshop on Role-based access control, p.47-54, October 22-23, 1998, Fairfax, Virginia, United States  [doi>10.1145/286884.286893]
13
Ravi Sandhu, Role activation hierarchies, Proceedings of the third ACM workshop on Role-based access control, p.33-40, October 22-23, 1998, Fairfax, Virginia, United States  [doi>10.1145/286884.286891]
14
Ravi Sandhu , Venkata Bhamidipati , Edward Coyne , Srinivas Ganta , Charles Youman, The ARBAC97 model for role-based administration of roles: preliminary description and outline, Proceedings of the second ACM workshop on Role-based access control, p.41-50, November 06-07, 1997, Fairfax, Virginia, United States  [doi>10.1145/266741.266752]
 
15
Richard Simon , Mary Ellen Zurko, Separation of Duty in Role-based Environments, Proceedings of the 10th Computer Security Foundations Workshop (CSFW '97), p.183, June 10-12, 1997
 
16
S. H. von Solms , Isak van der Merwe, The management of computer security profiles using a role-oriented approach, Computers and Security, v.13 n.9, p.673-680, Oct. 1994  [doi>10.1016/0167-4048(94)90049-3]

CITED BY  65
Walt Yao , Ken Moody , Jean Bacon, A model of OASIS role-based access control and its support for active security, Proceedings of the sixth ACM symposium on Access control models and technologies, p.171-181, May 2001, Chantilly, Virginia, United States
Hua Wang , Jinli Cao , Yanchun Zhang, A flexible payment scheme and its permission-role assignment, Proceedings of the twenty-sixth Australasian conference on Computer science: research and practice in information technology, p.189-198, February 01, 2003, Adelaide, Australia
Trent Jaeger, On the increasing importance of constraints, Proceedings of the fourth ACM workshop on Role-based access control, p.33-42, October 28-29, 1999, Fairfax, Virginia, United States
Gustaf Neumann , Mark Strembeck, A scenario-driven role engineering process for functional RBAC roles, Proceedings of the seventh ACM symposium on Access control models and technologies, June 03-04, 2002, Monterey, California, USA
David F. Ferraiolo , Ravi Sandhu , Serban Gavrila , D. Richard Kuhn , Ramaswamy Chandramouli, Proposed NIST standard for role-based access control, ACM Transactions on Information and System Security (TISSEC), v.4 n.3, p.224-274, August 2001
Luigi Giuri, Role-based access control on the Web using Java, Proceedings of the fourth ACM workshop on Role-based access control, p.11-18, October 28-29, 1999, Fairfax, Virginia, United States
Gail-Joon Ahn , Ravi Sandhu, The RSL99 language for role-based separation of duty constraints, Proceedings of the fourth ACM workshop on Role-based access control, p.43-54, October 28-29, 1999, Fairfax, Virginia, United States
Glenn Faden, RBAC in UNIX administration, Proceedings of the fourth ACM workshop on Role-based access control, p.95-101, October 28-29, 1999, Fairfax, Virginia, United States
John Barkley , Konstantin Beznosov , Jinny Uppal, Supporting relationships in access control using role based access control, Proceedings of the fourth ACM workshop on Role-based access control, p.55-65, October 28-29, 1999, Fairfax, Virginia, United States
Ravi Sandhu , Venkata Bhamidipati , Qamar Munawer, The ARBAC97 model for role-based administration of roles, ACM Transactions on Information and System Security (TISSEC), v.2 n.1, p.105-135, Feb. 1999
Gustaf Neumann , Mark Strembeck, Design and implementation of a flexible RBAC-service in an object-oriented scripting language, Proceedings of the 8th ACM conference on Computer and Communications Security, November 05-08, 2001, Philadelphia, PA, USA
James B. D. Joshi , Walid G. Aref , Arif Ghafoor , Eugene H. Spafford, Security models for web-based applications, Communications of the ACM, v.44 n.2, p.38-44, Feb. 2001
Hua Wang , Yanchun Zhang , Jinli Cao, Formal authorisation allocation approaches for permission-role assignments using relational algebra operations, Proceedings of the fourteenth Australasian database conference, p.125-133, February 01, 2003, Adelaide, Australia
John A. Hine , Walt Yao , Jean Bacon , Ken Moody, An architecture for distributed OASIS services, IFIP/ACM International Conference on Distributed systems platforms, p.104-120, April 03-07, 2000, New York, New York, United States
Z. Zhang , E. Haffner , A. Heuer , T. Engel , Ch. Meinel, Role-based access control in online authoring and publishing systems vs. document hierarchy, Proceedings of the 17th annual international conference on Computer documentation, p.193-198, September 12-14, 1999, New Orleans, Louisiana, United States
Michael J. Covington , Wende Long , Srividhya Srinivasan , Anind K. Dev , Mustaque Ahamad , Gregory D. Abowd, Securing context-aware applications using environment roles, Proceedings of the sixth ACM symposium on Access control models and technologies, p.10-20, May 2001, Chantilly, Virginia, United States
Haio Roeckle , Gerhard Schimpf , Rupert Weidinger, Process-oriented approach for role-finding to implement role-based security administration in a large industrial organization, Proceedings of the fifth ACM workshop on Role-based access control, p.103-110, July 26-28, 2000, Berlin, Germany
Ravi Sandhu, Engineering authority and trust in cyberspace: the OM-AM and RBAC way, Proceedings of the fifth ACM workshop on Role-based access control, p.111-119, July 26-28, 2000, Berlin, Germany
Jean Bacon , Ken Moody , Walt Yao, Access control and trust in the use of widely distributed services, Software—Practice & Experience, v.33 n.4, p.375-394, 10 April 2003
K. Komathy , V. Ramachandran , P. Vivekanandan, Security for XML messaging services: a component-based approach, Journal of Network and Computer Applications, v.26 n.2, p.197-211, April 2003
Günter Karjoth, Access control with IBM Tivoli access manager, ACM Transactions on Information and System Security (TISSEC), v.6 n.2, p.232-257, May 2003
S. V. Raghavan , N. Dhyanesh, Formal description of perfect security, Proceedings of the 15th international conference on Computer communication, p.1113-1131, August 12-14, 2002, Mumbai, Maharashtra, India
Eric Jui-Lin Lu , Rai-Fu Chen, Design and implementation of a fine-grained menu control processor for web-based information systems, Future Generation Computer Systems, v.19 n.7, p.1105-1119, October 2003
Trent Jaeger , Xiaolan Zhang , Fidel Cacheda, Policy management using access control spaces, ACM Transactions on Information and System Security (TISSEC), v.6 n.3, p.327-364, August 2003
Dongwan Shin , Gail-Joon Ahn , Sangrae Cho , Seunghun Jin, A role administration system in role-based authorization infrastructures: design and implementation, Proceedings of the 2003 ACM symposium on Applied computing, March 09-12, 2003, Melbourne, Florida
Longhua Zhang , Gail-Joon Ahn , Bei-Tseng Chu, A rule-based framework for role-based delegation and revocation, ACM Transactions on Information and System Security (TISSEC), v.6 n.3, p.404-441, August 2003
Elisa Bertino , Piero Andrea Bonatti , Elena Ferrari, TRBAC: A temporal role-based access control model, ACM Transactions on Information and System Security (TISSEC), v.4 n.3, p.191-233, August 2001
Ravi Sandhu , David Ferraiolo , Richard Kuhn, The NIST model for role-based access control: towards a unified standard, Proceedings of the fifth ACM workshop on Role-based access control, p.47-63, July 26-28, 2000, Berlin, Germany
Alfred Kobsa , Jörg Schreck, Privacy through pseudonymity in user-adaptive systems, ACM Transactions on Internet Technology (TOIT), v.3 n.2, p.149-183, May 2003
Longhua Zhang , Gail-Joon Ahn , Bei-Tseng Chu, A role-based delegation framework for healthcare information systems, Proceedings of the seventh ACM symposium on Access control models and technologies, June 03-04, 2002, Monterey, California, USA
Xuhui Ao , Naftaly H. Minsky, On the role of roles: from role-based to role-sensitive access control, Proceedings of the ninth ACM symposium on Access control models and technologies, June 02-04, 2004, Yorktown Heights, New York, USA
Mark Strembeck , Gustaf Neumann, An integrated approach to engineer and enforce context constraints in RBAC environments, ACM Transactions on Information and System Security (TISSEC), v.7 n.3, p.392-427, August 2004
Hua Wang , Jinli Cao , Yanchun Zhang, A Flexible Payment Scheme and Its Role-Based Access Control, IEEE Transactions on Knowledge and Data Engineering, v.17 n.3, p.425-436, March 2005
Susan Older , Shiu-Kai Chin, Outcomes-based assessment as an assurance education tool, Security education and critical infrastructures, Kluwer Academic Publishers, Norwell, MA, 2003
Jean Bacon , Ken Moody , Walt Yao, A model of OASIS role-based access control and its support for active security, ACM Transactions on Information and System Security (TISSEC), v.5 n.4, p.492-540, November 2002
James B. D. Joshi , Elisa Bertino , Usman Latif , Arif Ghafoor, A Generalized Temporal Role-Based Access Control Model, IEEE Transactions on Knowledge and Data Engineering, v.17 n.1, p.4-23, January 2005
William Tolone , Gail-Joon Ahn , Tanusree Pai , Seng-Phil Hong, Access control in collaborative systems, ACM Computing Surveys (CSUR), v.37 n.1, p.29-41, March 2005
Hua Wang , Lili Sun , Yanchun Zhang , Jinli Cao, Authorization algorithms for the mobility of user-role relationship, Proceedings of the Twenty-eighth Australasian conference on Computer Science, p.69-77, January 01, 2005, Newcastle, Australia
David F. Ferraiolo , Serban Gavrila , Vincent Hu , D. Richard Kuhn, Composing and combining policies under the policy machine, Proceedings of the tenth ACM symposium on Access control models and technologies, June 01-03, 2005, Stockholm, Sweden
R. J. Hulsebosch , A. H. Salden , M. S. Bargh , P. W. G. Ebben , J. Reitsma, Context sensitive access control, Proceedings of the tenth ACM symposium on Access control models and technologies, June 01-03, 2005, Stockholm, Sweden
Paloma Díaz , Susana Montero , Ignacio Aedo, Modelling hypermedia and web applications: the Ariadne development method, Information Systems, v.30 n.8, p.649-673, December 2005
Rafae Bhatti , Arif Ghafoor , Elisa Bertino , James B. D. Joshi, X-GTRBAC: an XML-based policy specification framework and architecture for enterprise-wide access control, ACM Transactions on Information and System Security (TISSEC), v.8 n.2, p.187-227, May 2005
Victoria Ungureanu, Using certified policies to regulate E-commerce transactions, ACM Transactions on Internet Technology (TOIT), v.5 n.1, p.129-153, February 2005
Bechara Al Bouna , Richard Chbeir , Stefania Marrara, A multimedia access control language for virtual and ambient intelligence environments, Proceedings of the 2007 ACM workshop on Secure web services, November 02-02, 2007, Fairfax, Virginia, USA
Timothy Fraser , David Ferraiolo , Mikel L. Matthews , Casey Schaufler , Stephen Smalley , Robert Watson, Panel: which access control technique will provide the greatest overall benefit, Proceedings of the sixth ACM symposium on Access control models and technologies, p.141-149, May 2001, Chantilly, Virginia, United States
Béchara Al Bouna , Richard Chbeir, Multimedia-based authorization and access control policy specification, Proceedings of the 3rd ACM workshop on Secure web services, November 03-03, 2006, Alexandria, Virginia, USA
Gail-Joon Ahn , Badrinath Mohan , Seng-Phil Hong, Towards secure information sharing using role-based delegation, Journal of Network and Computer Applications, v.30 n.1, p.42-59, January 2007
Song Fu , Cheng-Zhong Xu, Coordinated access control with temporal and spatial constraints on mobile execution in coalition environments, Future Generation Computer Systems, v.23 n.6, p.804-815, July, 2007
Alessandro Colantonio , Roberto Di Pietro , Alberto Ocello, A cost-driven approach to role engineering, Proceedings of the 2008 ACM symposium on Applied computing, March 16-20, 2008, Fortaleza, Ceara, Brazil
David F. Ferraiolo, An argument for the role-based access control model, Proceedings of the sixth ACM symposium on Access control models and technologies, p.142-143, May 2001, Chantilly, Virginia, United States
Bechara Al Bouna , Richard Chbeir, MCSE: a multimedia context-based security engine, Proceedings of the 11th international conference on Extending database technology: Advances in database technology, March 25-29, 2008, Nantes, France
Im Y. Jung , Heon Y. Yeom, An efficient and transparent transaction management based on the data workflow of HVEM DataGrid, Proceedings of the 6th international workshop on Challenges of large applications in distributed environments, June 23-23, 2008, Boston, MA, USA
Joseph Y. Halpern , Vicky Weissman, Using First-Order Logic to Reason about Policies, ACM Transactions on Information and System Security (TISSEC), v.11 n.4, p.1-41, July 2008
Deqing Zou , Ligang He , Hai Jin , Xueguang Chen, CRBAC: Imposing multi-grained constraints on the RBAC model in the multi-application environment, Journal of Network and Computer Applications, v.32 n.2, p.402-411, March, 2009
Alapan Arnab , Andrew Hutchison, Persistent access control: a formal model for drm, Proceedings of the 2007 ACM workshop on Digital Rights Management, October 29-29, 2007, Alexandria, Virginia, USA
Hai Jin , Weizhong Qiang , Xuanhua Shi , Deqing Zou, RB-GACA: an RBAC based grid access control architecture, International Journal of Grid and Utility Computing, v.1 n.1, p.61-70, May 2005
Guangsen Zhang , Manish Parashar, Dynamic Context-aware Access Control for Grid Applications, Proceedings of the 4th International Workshop on Grid Computing, p.101, November 17-17, 2003
Qurban Memon , Shakil Akhtar , Alaa A. Aly, Role management in adhoc networks, Proceedings of the 2007 spring simulaiton multiconference, March 25-29, 2007, Norfolk, Virginia
Bechara Al Bouna , Richard Chbeir , Stefania Marrara, Enforcing role based access control model with multimedia signatures, Journal of Systems Architecture: the EUROMICRO Journal, v.55 n.4, p.264-274, April, 2009
John Strassner , José Neuman Souza , David Raymer , Srini Samudrala , Steven Davy , Keara Barrett, The design of a novel context-aware policy model to support machine-based learning and reasoning, Cluster Computing, v.12 n.1, p.17-43, March 2009
Jean Bacon , Ken Moody , Walt Yao, Access Control and Trust in the Use of Widely Distributed Services, Proceedings of the IFIP/ACM International Conference on Distributed Systems Platforms Heidelberg, p.295-310, November 12-16, 2001
Constantin Serban , Naftaly Minsky, Generalized access control of synchronous communication, Proceedings of the ACM/IFIP/USENIX 2006 International Conference on Middleware, November 01-01, 2006, Melbourne, Australia
Shuhong Wang , Yingjiu Li , Bo Zhu , Nan Hu, A Generic Protocol for Controlling Access to Mobile Services, Proceeding of the 2005 conference on Applied Public Key Infrastructure: 4th International Workshop: IWAP 2005, p.95-110, May 09, 2005
John Strassner , José Neuman Souza , Sven Meer , Steven Davy , Keara Barrett , David Raymer , Srini Samudrala, The Design of a New Policy Model to Support Ontology-Driven Reasoning for Autonomic Networking, Journal of Network and Systems Management, v.17 n.1-2, p.5-32, June 2009
Anil L. Pereira , Vineela Muppavarapu , Soon M. Chung, Role-Based Access Control for Grid Database Services Using the Community Authorization Service, IEEE Transactions on Dependable and Secure Computing, v.3 n.2, p.156-166, April 2006

INDEX TERMS

Primary Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS

Additional Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS

  D. Software
  D.4 OPERATING SYSTEMS
      D.4.6 Security and Protection
          Subjects: Access controls
      D.4.7 Organization and Design
          Subjects: Distributed systems


General Terms:
Security, Standardization


Keywords:
RBAC, Web arrows, World Wide Web, access control, authorization management, role based access

Collaborative Colleagues:
David F. Ferraiolo: colleagues
John F. Barkley: colleagues
D. Richard Kuhn: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player