Role-Based Access Controls

Ferraiolo, David; Kuhn, Richard

July 19, 2023: URLs for CSRC publication details pages have changed. Legacy URLs should automatically redirect to the new URLs. However, links to the actual publications have NOT changed (e.g., DOIs and PDFs on nvlpubs.nist.gov). Please send inquiries to csrc-inquiry@nist.gov.

Conference Paper

Role-Based Access Controls

Documentation Topics

Published: October 13, 1992

Author(s)

David Ferraiolo (NIST), Richard Kuhn (NIST)

Conference

Name: 15th National Computer Security Conference (NCSC)
Dates: 10/13/1992 - 10/16/1992
Location: Baltimore, Maryland, United States
Citation: Proceedings of the 15th National Computer Security Conference, pp. 554-563

Abstract

While Mandatory Access Controls (MAC) are appropriate for multilevel secure military applications, Discretionary Access Controls (DAC) are often perceived as meeting the security processing needs of industry and civilian government. This paper argues that reliance on DAC as the principal method of access control is unfounded and inappropriate for many commercial and civilian government organizations. The paper describes a type of non-discretionary access control: role-based access control (RBAC) that is more central to the secure processing needs of non-military systems than DAC.

Keywords

computer security; discretionary access control; integrity; mandatory access control; role; RBAC; Role-Based Access Control; access control; TCSEC

Control Families

Access Control

Documentation

Publication:
Paper (pdf)

Supplemental Material:
None available

Document History:
10/13/92: Conference Paper (Final)

Topics

Security and Privacy

access control