"Role-Based Access Control", David F. Ferraiolo/D. Richard
Kuhn/Ramaswamy Chandramouli, 2003, 1-58053-370-1
%A David F. Ferraiolo
%A D. Richard Kuhn
%A Ramaswamy Chandramouli
%C 685 Canton St., Norwood, MA 02062
%I Artech House/Horizon
%O 617-769-9750 800-225-9977 fax: 6177696334 artech@...
%O Audience a Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 316 p.
%T "Role-Based Access Control"
The original papers on role-based access control (RBAC) saw it as an
extension of mandatory access control (MAC): a given role in an
organization would have a given requirement for clearance, and
therefore a particular person in a role would have access to material
labelled at a specific sensitivity. In the preface, the authors state
that they are following current interest in RBAC as a means of
identity management, with little distinction made between the use of
discretionary or mandatory access control policies. The intended
audiences are security professionals, software developers, and
instructors and students in security courses.
Chapter one outlines the basics of access control, moves to a history
of access control and RBAC, and ends with a justification for the use
of RBAC in the enterprise. More details of access control concepts
are provided in chapter two, along with some repetitions of the models
in chapter one. The basics of role-based access control are outlined
in chapter three. Chapter four examines role hierarchies and the
inheritance of privilege. Separation of duties (somewhat
oversimplified in the equation to the "two man rule") addresses the
issue of conflation of roles, although chapter five is rather weak in
terms of practical implementation. Chapter six looks at the use of
RBAC with both mandatory (MAC) and discretionary (DAC) access control.
The NIST (US National Institute of Standards and Technology) RBAC
standard is explained in chapter seven.
Chapter eight examines the intriguing idea of using role-based
adminstration to manage the assignments and permissions of RBAC
itself. (This material is highly formal, and would require dedicated
study by those attempting to implement it.) Enterprise access
frameworks (EAFs) are proposed in chapter nine, reaching back to
mandatory access control for a kind of automated assignment of
permissions direct from corporate policy. (Much of this text is taken
up with XML code.) The relation of RBAC to various popular
technologies is suggested in chapter ten. A short case study of the
transition of a company to RBAC is provided in chapter eleven.
Chapter twelve deals with RBAC facilities in a number of commercial
The writing is frequently uneven and repetitious, but the concepts are
generally clear enough. The book also uses lots of acronyms, and
isn't always careful about providing an explanation for them.
In regard to the stated audiences, most security professionals will
find much of interest and value in the first half of the book, and it
would act as a useful text in a number of security courses. Software
developers might not find as much to their advantage. The second half
of the book is questionable. For those involved in the formal and
theoretical study of role-based access control, this work will have
much merit, but that is a select audience, and the demands on the
reader will be significant.
copyright Robert M. Slade, 2005 BKROLBAC.RVW 20051106
====================== (quote inserted randomly by Pegasus Mailer)
rslade@... slade@... rslade@...
Woe be to him that reads but one book. - George Herbert, 1651