role engineering and rbac standards

Many organizations are in the process of moving to role based access control. The process of developing an RBAC structure for an organization has become known as "role engineering". Role engineering can be a complex undertaking, For example, in implementating RBAC for a large European bank with over 50,000 employees and 1,400 branches serving more than 6 million customers, approximately 1,300 roles were discovered. In view of the complexities, RBAC is best implemented by applying a structured framework that breaks down each task into its component parts. The resources on this page can help developers and managers with this process.

Because standards are normally a vital part of integrating RBAC into an organization, a number of organizations have developed, or are currently developing, RBAC standards for specialized domains, in addition to general-purpose RBAC standards. Please note that only standards activities are covered here; applications of RBAC, research, and case studies are addressed elsewhere on this site. This page consolidates information on RBAC-related standards, summarizes how they fit together, and will be updated as new standards activities are initiated. (Please note that some authors and organizations below are not affiliated with NIST or any other agency of the US Government, unless otherwise noted, and NIST cannot endorse or comment on these publications.)

For more information on RBAC standards, contact Rick Kuhn at rbac-info@nist.gov. (last update 11 Feb 08)

ROLE INTEROPERABILITY: new community effort to address interoperability of RBAC systems.

Role Engineering

Resources below can be helpful in planning a migration to RBAC.

• RBAC Role Engineering Process - used by the Deparment of Veterans Affairs to implement a large RBAC system for VA hospitals (pdf) - role engineering based on the Neumann and Strembeck process cited below
• Role Engineering Process - HL7 Security Technical Cmte (pdf)
• BOOK on the process, entitled Role Engineering, E. Coyne and M. Davis, Artech House, 2007.
• CASE STUDY: Andreas Schaad, Jonathan Moffett, Jeremy Jacob. The Role-Based Access Control System of a European Bank: A case Study and Discussion, proc. of the 6th ACM Symposium on Access Control Models and Technologies, pp. 3-9, 2001. (pdf)
  • Case study of implementing RBAC for a large European bank with over 50,000 employees and 1,400 branches serving more than 6 million customers.
• EXPERIENCE REPORT: A. Kern, Advanced Features for Enterprise-Wide Role Based Access Control (pdf)
  • describes RBAC in a large bank with roles that span the entire organziation
• SCENARIO DRIVEN ROLE ENGINEERING: G. Neumann and M. Strembeck. A Scenario-driven Role Engineering Process for Functional RBAC Roles, proc. of the 7th ACM Symposium on Access Control Models and Technologies, pp 33-42, 2002. (pdf)
  • an adaptation of the software engineering process for identification of system requirements for role-engineering
• GOAL DRIVEN ROLE ENGINEERING: Q He. A structured Role Engineering Process for Privacy-Aware RBAC Systems
  • a goals-driven requirements analysis that can be used to derive RBAC entities and relationships. Also
  • Q. He and A. Anton, A Framework for Modeling Privacy equirements in Role Engineering (pdf)

General Purpose RBAC Standards

American National Standard 359-2004 is the fundamental Information Technology industry consensus standard for RBAC. In 2000, NIST proposed a unified model for RBAC, based on the Ferraiolo-Kuhn (1992) model, in the framework developed by Sandhu et al (1996). The model was further refined within the RBAC community and has been adopted by the American National Standards Institute, International Committee for Information Technology Standards (ANSI/INCITS) as ANSI INCITS 359-2004.

• Tutorial-style explanation of the NIST model used in the standard.
• Podcast on the standard and the NIST model (not affiliated with NIST or ANSI/INCITS)
• ANSI/INCITS 359-2004 standard

Health Care

RBAC has a natural fit with many health care applications. Standards are being developed under the HL7 Standards Development Organization. The Department of Veterans Affairs is leading a number of these activities. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates use of RBAC to protect patient information. The HL7 RBAC activities are oriented toward application level systems that are built using the services defined in the general purpose RBAC standards.

• HL7 Security and Accountability SIG
• VA RBAC and Role Engineering site
• Healthcare Role-Based Access Control Task Force Charter
• HIPA Advisory article on RBAC and HIPAA rules
• HIPAA security requirements

Industrial Control Systems

RBAC is being used to secure the networks and applications that control power plants, manufaturing facilities, and other process control systems. These activities were initiated in 2004 and are still developing.

• Cybersecurity Procurement Language for Control Systems - includes RBAC
• ISA-TR99.00.01 Security Technologies for Industrial Automation and Control Systems

Military

The US Navy COMPACFLT has a project that builds on ANSI/INCITS 359: Enterprise Dynamic Access Control (EDAC).

• Enterprise Dynamic Access Control (EDAC) Overview (pdf)
• EDAC Presentation (pdf)
• EDAC Compliance with the NIST RBAC Standard ANSI/INCITS 359 (pdf)
• Enterprise Dynamic Access Control (EDAC) Case Study (pdf)

Biometrics

INCITS working group M1 is developing a set of biometric standards that reference and use RBAC, including ANSI/INCITS 359.

• INCITS M1 Working Group

Oasis

XML-based Web applications for E-CommerceFrom OASIS, the e-business consortium. XACML Technical Committee. The XACML specification describes building blocks that "may be used to implement the various elements of the RBAC model presented in [ANSI/INCITS 359]." Thus, the XACML profile may be considered complementary to ANSI/INCITS 359.

• XACML Profile for Role Based Access Control (RBAC) Version 1.0