Loading ...
Sorry, an error occurred while loading the content.

REVIEW: "Role-Based Access Control", David F. Ferraiolo/D. Richard Kuhn/Ramaswamy Chandramouli

Expand Messages
  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    BKROLBAC.RVW 20051106 Role-Based Access Control , David F. Ferraiolo/D. Richard Kuhn/Ramaswamy Chandramouli, 2003, 1-58053-370-1 %A David F. Ferraiolo %A
    Message 1 of 1 , Jan 30, 2006
    • 0 Attachment
      BKROLBAC.RVW 20051106

      "Role-Based Access Control", David F. Ferraiolo/D. Richard
      Kuhn/Ramaswamy Chandramouli, 2003, 1-58053-370-1
      %A David F. Ferraiolo
      %A D. Richard Kuhn
      %A Ramaswamy Chandramouli
      %C 685 Canton St., Norwood, MA 02062
      %D 2003
      %G 1-58053-370-1
      %I Artech House/Horizon
      %O 617-769-9750 800-225-9977 fax: 6177696334 artech@...
      %O http://www.amazon.com/exec/obidos/ASIN/1580533701/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/1580533701/robsladesin03-20
      %O Audience a Tech 2 Writing 1 (see revfaq.htm for explanation)
      %P 316 p.
      %T "Role-Based Access Control"

      The original papers on role-based access control (RBAC) saw it as an
      extension of mandatory access control (MAC): a given role in an
      organization would have a given requirement for clearance, and
      therefore a particular person in a role would have access to material
      labelled at a specific sensitivity. In the preface, the authors state
      that they are following current interest in RBAC as a means of
      identity management, with little distinction made between the use of
      discretionary or mandatory access control policies. The intended
      audiences are security professionals, software developers, and
      instructors and students in security courses.

      Chapter one outlines the basics of access control, moves to a history
      of access control and RBAC, and ends with a justification for the use
      of RBAC in the enterprise. More details of access control concepts
      are provided in chapter two, along with some repetitions of the models
      in chapter one. The basics of role-based access control are outlined
      in chapter three. Chapter four examines role hierarchies and the
      inheritance of privilege. Separation of duties (somewhat
      oversimplified in the equation to the "two man rule") addresses the
      issue of conflation of roles, although chapter five is rather weak in
      terms of practical implementation. Chapter six looks at the use of
      RBAC with both mandatory (MAC) and discretionary (DAC) access control.
      The NIST (US National Institute of Standards and Technology) RBAC
      standard is explained in chapter seven.

      Chapter eight examines the intriguing idea of using role-based
      adminstration to manage the assignments and permissions of RBAC
      itself. (This material is highly formal, and would require dedicated
      study by those attempting to implement it.) Enterprise access
      frameworks (EAFs) are proposed in chapter nine, reaching back to
      mandatory access control for a kind of automated assignment of
      permissions direct from corporate policy. (Much of this text is taken
      up with XML code.) The relation of RBAC to various popular
      technologies is suggested in chapter ten. A short case study of the
      transition of a company to RBAC is provided in chapter eleven.
      Chapter twelve deals with RBAC facilities in a number of commercial

      The writing is frequently uneven and repetitious, but the concepts are
      generally clear enough. The book also uses lots of acronyms, and
      isn't always careful about providing an explanation for them.

      In regard to the stated audiences, most security professionals will
      find much of interest and value in the first half of the book, and it
      would act as a useful text in a number of security courses. Software
      developers might not find as much to their advantage. The second half
      of the book is questionable. For those involved in the formal and
      theoretical study of role-based access control, this work will have
      much merit, but that is a select audience, and the demands on the
      reader will be significant.

      copyright Robert M. Slade, 2005 BKROLBAC.RVW 20051106

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      Woe be to him that reads but one book. - George Herbert, 1651
      http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
    Your message has been successfully submitted and would be delivered to recipients shortly.