Role-Based Access Control in Retrospect
June 2012 (vol. 45 no. 6)
pp. 81-88
Virginia N.L. Franqueira, VF InfoSec Consulting
Roel J. Wieringa, University of Twente, Netherlands
A review of the state of the art of role-based access control can help practitioners assess RBAC's applicability to their organization and indicate where more research is needed to improve the RBAC model.

Index Terms:
RBAC, access control, identity and access management, role engineering, role management, security management
Citation:
Virginia N.L. Franqueira, Roel J. Wieringa, "Role-Based Access Control in Retrospect," Computer, vol. 45, no. 6, pp. 81-88, June 2012, doi:10.1109/MC.2012.38