Role based access control (RBAC) is an approach in computer systems security in which each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. This is useful because security administration can be costly, complex, and prone to error, especially while managing large networks for which administrators usually specify access control lists for each user on the system individually.
According to INCITS 359-2012 (R2022): Information technology – Role Based Access Control, a role is a “job function within the context of an organization with some associated semantics regarding the authority and responsibility conferred on the user assigned to the role.” This standard addresses RBAC, helping to manage security at a level that corresponds closely to the organization’s structure.
Role based access control was formalized in 1992 by David Ferraiolo and Rick Kuhn of NIST in their paper, “Role-Based Access Controls.” Within a couple of years, a variety of IT vendors, most notably IBM, Sybase, Secure Computing, and Siemens, began developing products based on this model.
After some time passed and a positive economic impact was felt, there was a need adopt the NIST model for RBAC into a standard. This task was pursued by the ANSI-accredited International Committee for Information Technology Standards (INCITS), and they published the ANSI/INCITS 359 standard in 2004. This document was republished as INCITS 359-2012, which has since been reaffirmed (hence INCITS 359-2012 (R2022)).
The INCITS 359-2012 (R2022) standard actually consists of two main parts—the RBAC Reference Model and the RBAC System and Administrative Functional Specification.
The RBAC Reference Model defines sets of RBAC elements, such as users, roles, permissions, operations, and objects, and relations as types and functions. This model serves a purpose similar to that of other standards documents—it identifies the minimum guidelines for features included in all RBAC systems, as well as the aspects of role hierarchies, static constraint relations, and dynamic constraint relations.
However, the Reference Model also provides a precise and consistent language to be used in defining the functional specification.
The RBAC System and Administrative Functional Specification details the features required of an RBAC system. These fall into three categories: administrative operations, administrative reviews, and system level functionality.
Administrative operations define functions that provide the capability to create, delete, and maintain RBAC elements and relations, such as deleting or creating user assignments. Administrative review functions provide the capability to perform query operations on elements and relations. System level functionality features are for the creation of user sessions for role activation/deactivation, the enforcement of constrains on activation, and for the calculation of an access decision.
As for the success of the role based access control approach, research indicates that it has waged a positive impact on the industry. According to Economic Analysis of Role-Based Access Control: Final Report, RBAC is one of the most important innovations in identity and access management, and, ever since it has been used for managing users’ access to information technology resources, it is estimated to have saved industry over $1 billion.
INCITS 359-2012 (R2022): Information technology – Role Based Access Control is available on the ANSI Webstore.