Resources below can be helpful in planning a migration to RBAC.

• RBAC Role Engineering Process - used by the Deparment of Veterans Affairs to implement a large RBAC system for VA hospitals (pdf) - role engineering based on the Neumann and Strembeck process cited below
• Role Engineering Process - HL7 Security Technical Cmte (pdf)
• BOOK on the process, entitled Role Engineering, E. Coyne and M. Davis, Artech House, 2007.
• CASE STUDY: Andreas Schaad, Jonathan Moffett, Jeremy Jacob. The Role-Based Access Control System of a European Bank: A case Study and Discussion, proc. of the 6th ACM Symposium on Access Control Models and Technologies, pp. 3-9, 2001. (pdf)
  • Case study of implementing RBAC for a large European bank with over 50,000 employees and 1,400 branches serving more than 6 million customers.
• EXPERIENCE REPORT: A. Kern, Advanced Features for Enterprise-Wide Role Based Access Control (pdf)
  • describes RBAC in a large bank with roles that span the entire organziation
• SCENARIO DRIVEN ROLE ENGINEERING: G. Neumann and M. Strembeck. A Scenario-driven Role Engineering Process for Functional RBAC Roles, proc. of the 7th ACM Symposium on Access Control Models and Technologies, pp 33-42, 2002. (pdf)
  • an adaptation of the software engineering process for identification of system requirements for role-engineering
• GOAL DRIVEN ROLE ENGINEERING: Q He. A structured Role Engineering Process for Privacy-Aware RBAC Systems
  • a goals-driven requirements analysis that can be used to derive RBAC entities and relationships. Also
  • Q. He and A. Anton, A Framework for Modeling Privacy equirements in Role Engineering (pdf)

American National Standard 359-2004 is the fundamental Information Technology industry consensus standard for RBAC. In 2000, NIST proposed a unified model for RBAC, based on the Ferraiolo-Kuhn (1992) model, in the framework developed by Sandhu et al (1996). The model was further refined within the RBAC community and has been adopted by the American National Standards Institute, International Committee for Information Technology Standards (ANSI/INCITS) as ANSI INCITS 359-2004.

• Tutorial-style explanation of the NIST model used in the standard.
• Podcast on the standard and the NIST model (not affiliated with NIST or ANSI/INCITS)
• ANSI/INCITS 359-2004 standard

RBAC has a natural fit with many health care applications. Standards are being developed under the HL7 Standards Development Organization. The Department of Veterans Affairs is leading a number of these activities. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates use of RBAC to protect patient information. The HL7 RBAC activities are oriented toward application level systems that are built using the services defined in the general purpose RBAC standards.

• HL7 Security and Accountability SIG
• VA RBAC and Role Engineering site
• Healthcare Role-Based Access Control Task Force Charter
• HIPA Advisory article on RBAC and HIPAA rules
• HIPAA security requirements

RBAC is being used to secure the networks and applications that control power plants, manufaturing facilities, and other process control systems. These activities were initiated in 2004 and are still developing.

• Cybersecurity Procurement Language for Control Systems - includes RBAC
• ISA-TR99.00.01 Security Technologies for Industrial Automation and Control Systems

The US Navy COMPACFLT has a project that builds on ANSI/INCITS 359: Enterprise Dynamic Access Control (EDAC).

• Enterprise Dynamic Access Control (EDAC) Overview (pdf)
• EDAC Presentation (pdf)
• EDAC Compliance with the NIST RBAC Standard ANSI/INCITS 359 (pdf)
• Enterprise Dynamic Access Control (EDAC) Case Study (pdf)

INCITS working group M1 is developing a set of biometric standards that reference and use RBAC, including ANSI/INCITS 359.

• INCITS M1 Working Group

XML-based Web applications for E-CommerceFrom OASIS, the e-business consortium. XACML Technical Committee. The XACML specification describes building blocks that "may be used to implement the various elements of the RBAC model presented in [ANSI/INCITS 359]." Thus, the XACML profile may be considered complementary to ANSI/INCITS 359.

• XACML Profile for Role Based Access Control (RBAC) Version 1.0