Google Git
Sign in
apache / archiva-redback-site / da0117b9ebf2fa10a857ff2c5a117d2b01874c86 / . / src / site / apt / rbac / introduction.apt
blob: 278616e43af868f787b5ab166597eda7ede812af [file] [log] [blame]
-----
An Introduction to Role Based Access
-----
-----
28 June 2006
-----
~~ Licensed to the Apache Software Foundation (ASF) under one
~~ or more contributor license agreements. See the NOTICE file
~~ distributed with this work for additional information
~~ regarding copyright ownership. The ASF licenses this file
~~ to you under the Apache License, Version 2.0 (the
~~ "License"); you may not use this file except in compliance
~~ with the License. You may obtain a copy of the License at
~~
~~ http://www.apache.org/licenses/LICENSE-2.0
~~
~~ Unless required by applicable law or agreed to in writing,
~~ software distributed under the License is distributed on an
~~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
~~ KIND, either express or implied. See the License for the
~~ specific language governing permissions and limitations
~~ under the License.
~~ NOTE: For help with the syntax of this file, see:
~~ http://maven.apache.org/guides/mini/guide-apt-format.html
An Introduction to Role Based Access
This introduction provides background information on Role-Based
Access Control (RBAC), a technical means for controlling access
to computer resources. While still largely in the demonstration
and prototype stages of development, RBAC appears to be a
promising method for controlling what information computer users
can utilize, the programs that they can run, and the
modifications that they can make. Only a few off-the-shelf
systems that implement RBAC are commercially available; however,
organizations may want to start investigating RBAC for future
application in their multi-user systems. RBAC is appropriate for
consideration in systems that process unclassified but sensitive
information, as well as those that process classified
information.
What is Role-Based Access Control
Access is the ability to do something with a computer resource
(e.g., use, change, or view). Access control is the means by
which the ability is explicitly enabled or restricted in some way
(usually through physical and system-based controls). Computer-
based access controls can prescribe not only who or what process
may have access to a specific system resource, but also the type
of access that is permitted. These controls may be implemented
in the computer system or in external devices.
With role-based access control, access decisions are based on the
roles that individual users have as part of an organization.
Users take on assigned roles (such as doctor, nurse, teller,
manager). The process of defining roles should be based on a
thorough analysis of how an organization operates and should
include input from a wide spectrum of users in an organization.
Access rights are grouped by role name, and the use of resources
is restricted to individuals authorized to assume the associated
role. For example, within a hospital system the role of doctor
can include operations to perform diagnosis, prescribe
medication, and order laboratory tests; and the role of
researcher can be limited to gathering anonymous clinical
information for studies.
The use of roles to control access can be an effective means for
developing and enforcing enterprise-specific security policies,
and for streamlining the security management process.
Users and Roles
Under the RBAC framework, users are granted membership into roles
based on their competencies and responsibilities in the
organization. The operations that a user is permitted to perform
are based on the user's role. User membership into roles can be
revoked easily and new memberships established as job assignments
dictate. Role associations can be established when new
operations are instituted, and old operations can be deleted as
organizational functions change and evolve. This simplifies the
administration and management of privileges; roles can be updated
without updating the privileges for every user on an individual
basis.
When a user is associated with a role:
the user can be given no more privilege than is necessary to
perform the job. This concept of least privilege requires
identifying the user's job functions, determining the
minimum set of privileges required to perform that function,
and restricting the user to a domain with those privileges
and nothing more. In less precisely controlled systems,
this is often difficult or costly to achieve. Someone
assigned to a job category may be allowed more privileges
than needed because is difficult to tailor access based on
various attributes or constraints. Since many of the
responsibilities overlap between job categories, maximum
privilege for each job category could cause unlawful access.
Roles and Role Hierarchies
Under RBAC, roles can have overlapping responsibilities and
privileges; that is, users belonging to different roles may need
to perform common operations. Some general operations may be
performed by all employees. In this situation, it would be
inefficient and administratively cumbersome to specify repeatedly
these general operations for each role that gets created. Role
hierarchies can be established to provide for the natural
structure of an enterprise. A role hierarchy defines roles that
have unique attributes and that may contain other roles; that is,
one role may implicitly include the operations that are
associated with another role.
In the healthcare situation, a role Specialist could contain the
roles of Doctor and Intern. This means that members of the role
Specialist are implicitly associated with the operations
associated with the roles Doctor and Intern without the
administrator having to explicitly list the Doctor and Intern
operations. Moreover, the roles Cardiologist and Rheumatologist
could each contain the Specialist role.
Role hierarchies are a natural way of organizing roles to reflect
authority, responsibility, and competency:
the role in which the user is gaining membership is not
mutually exclusive with another role for which the user
already possesses membership. These operations and roles
can be subject to organizational policies or constraints.
When operations overlap, hierarchies of roles can be
established. Instead of instituting costly auditing to
monitor access, organizations can put constraints on access
through RBAC. For example, it may seem sufficient to allow
physicians to have access to all patient data records if
their access is monitored carefully. With RBAC, constraints
can be placed on physician access so that only those records
that are associated with a particular physician can be
accessed.
Roles and Operations
Organizations can establish the rules for the association of
operations with roles. For example, a healthcare provider may
decide that the role of clinician must be constrained to post
only the results of certain tests but not to distribute them
where routing and human errors could violate a patient's right to
privacy. Operations can also be specified in a manner that can
be used in the demonstration and enforcement of laws or
regulations. For example, a pharmacist can be provided with
operations to dispense, but not to prescribe, medication.
An operation represents a unit of control that can be referenced
by an individual role, subject to regulatory constraints within
the RBAC framework. An operation can be used to capture complex
security-relevant details or constraints that cannot be
determined by a simple mode of access.
For example, there are differences between the access needs of a
teller and an accounting supervisor in a bank. An enterprise
defines a teller role as being able to perform a savings deposit
operation. This requires read and write access to specific
fields within a savings file. An enterprise may also define an
accounting supervisor role that is allowed to perform correction
operations. These operations require read and write access to
the same fields of a savings file as the teller. However, the
accounting supervisor may not be allowed to initiate deposits or
withdrawals but only perform corrections after the fact.
Likewise, the teller is not allowed to perform any corrections
once the transaction has been completed. The difference between
these two roles is the operations that are executed by the
different roles and the values that are written to the
transaction log file.
The RBAC framework provides administrators with the capability to
regulate who can perform what actions, when, from where, in what
order, and in some cases under what relational circumstances:
only those operations that need to be performed by members
of a role are granted to the role. Granting of user
membership to roles can be limited. Some roles can only be
occupied by a certain number of employees at any given
period of time. The role of manager, for example, can be
granted to only one employee at a time. Although an
employee other than the manager may act in that role, only
one person may assume the responsibilities of a manager at
any given time. A user can become a new member of a role as
long as the number of members allowed for the role is not
exceeded.
Advantages of RBAC
A properly-administered RBAC system enables users to carry out a
broad range of authorized operations, and provides great
flexibility and breadth of application. System administrators
can control access at a level of abstraction that is natural to
the way that enterprises typically conduct business. This is
achieved by statically and dynamically regulating users' actions
through the establishment and definition of roles, role
hierarchies, relationships, and constraints. Thus, once an RBAC
framework is established for an organization, the username
administrative actions are the granting and revoking of users
into and out of roles. This is in contrast to the more
conventional and less intuitive process of attempting to
administer lower-level access control mechanisms directly (e.g.,
access control lists [ACLs], capabilities, or type enforcement
entities) on an object-by-object basis.
Further, it is possible to associate the concept of an RBAC
operation with the concept of "method" in Object Technology.
This association leads to approaches where Object Technology can
be used in applications and operating systems to implement an
RBAC operation.
For distributed systems, RBAC administrator responsibilities can
be divided among central and local protection domains; that is,
central protection policies can be defined at an enterprise level
while leaving protection issues that are of local concern at the
organizational unit level. For example, within a distributed
healthcare system, operations that are associated with healthcare
providers may be centrally specified and pertain to all hospitals
and clinics, but the granting and revoking of memberships into
specific roles may be specified by administrators at local sites.
Status of Current RBAC Activities
Several organizations are experimenting with the inclusion of
provisions for RBAC in open consensus specifications. RBAC is an
integral part of the security models for Secure European System
for Applications in a Multi-vendor Environment (SESAME)
distributed system and the database language SQL3. In addition,
the Object Management Group's (OMG) Common Object Request Broker
Architecture (CORBA) Security specification uses RBAC as an
example of an access control mechanism which can be used with the
distributed Object Technology defined by the OMG. (See reference
below.)
CSL has been developing and defining RBAC and its applicability
cooperatively with industry, government, and academic partners.
In conjunction with Dr. Ravi Sandhu of George Mason University
and Seta Corporation, CSL is defining RBAC and its feasibility.
We are working with Dr. Virgil Gligor and his associates at the
University of Maryland and with the National Security Agency
(NSA) to develop a formal reference model for RBAC to provide a
safe, effective, and consistent mechanism for access control.
This effort is also implementing RBAC on NSA's Synergy Platform,
a secure platform based on the Mach Operating System. CSL is
also developing a demonstration of RBAC use in healthcare. The
access policy used in this demonstration is based on a draft
consensus policy for patient record access developed in the
United Kingdom. In conjunction with the Internal Revenue Service
(IRS), CSL is defining roles and operations suitable for the IRS
environment. In conjunction with the Veterans Administration
(VA), CSL is studying the applicability of RBAC to VA systems.
Based on current research and experience, RBAC appears to fit
well into the widely varying security policies of industry and
government organizations.
For additional information on Role-Based Access Control see:
http://waltz.ncsl.nist.gov/rbac/
or contact David Ferraiolo, dferraiolo@nist.gov, (301) 975-3046.
References
Department of Defense, "Trusted Computer Security Evaluation
Criteria," DoD 5200.28-STD, 1985.
David F. Ferraiolo and D. Richard Kuhn, "Role-Based Access
Controls," Proceedings of the 15th NIST-NSA National Computer
Security Conference, Baltimore, Maryland, October 13-16, 1992.
David F. Ferraiolo, Dennis M. Gilbert, and Nickilyn Lynch, "An
Examination of Federal and Commercial Access Control Policy
Needs," Proceedings of the 16th NIST-NSA National Computer
Security Conference, Baltimore, Maryland, September 20-23, 1993.
ISO/IEC 9075, (Working Draft) Database Language SQL - Part 2:
Foundation, Document ISO/IEC JTC1/SC21 N9463, March 1995.
A. Griew and R. Currell, "A Strategy for Security of the
Electronic Patient Record," Institute for Health Informatics,
Aberystwyth, Draft Version 2.1, March 8, 1995.
David F. Ferraiolo, Janet A. Cugini, and D. Richard Kuhn,
"Role-Based Access Control (RBAC): Features and Motivations,"
11th Annual Computer Security Applications Proceedings, 1995.
John Barkley, "Application Engineering in Health Care,"
Proceedings of the 2nd Annual CHIN Summit, 1995.
CORBA Security Draft, Object Management Group (OMG) Document
Number 95-9-1, September 1995.
John Barkley, "Implementing Role-Based Access Control using
Object Technology," First ACM Workshop on Role-Based Access
Control, Gaithersburg, Maryland, November 30-December 1, 1995.
T. Parker and D. Pinkas, "SESAME Technology Version 3: Overview,"
http://www.esat.kuleuven.ac.be/cosic/sesame/doc-txt/overview.txt
Background material in a text box in the paper document:
Access control technology has evolved from research and
development efforts supported by the Department of Defense (DoD).
This research has resulted in two fundamental types of access
control: Discretionary Access Control (DAC) and Mandatory Access
Control (MAC). While initial research and applications addressed
preventing the unauthorized access to classified information,
recent applications have applied these policies to commercial
processing environments.
DAC permits the granting and revoking of access control
privileges to be left to the discretion of the individual users.
A DAC mechanism allows users to grant or revoke access to any of
the objects under their control. As such, users are said to be
the owners of the objects under their control. However, for many
organizations, the end users do not own the information for which
they are allowed access. For these organizations, the
corporation or agency is the actual owner of system objects as
well as the programs that process them. Access priorities are
controlled by the organization and are often based on employee
functions rather than data ownership.
MAC, as defined in the DoD's Trusted Computer Security Evaluation
Criteria (TCSEC), is "A means of restricting access to objects
based on the sensitivity (as represented by a label) of the
information contained in the objects and the formal authorization
(i.e. clearance) of subjects to access information of such
sensitivity."
These policies for access control are not particularly well
suited to the requirements of government and industry
organizations that process unclassified but sensitive
information. In these environments, security objectives often
support higher-level organizational policies which are derived
from existing laws, ethics, regulations, or generally accepted
practices. Such environments usually require the ability to
control actions of individuals beyond just an individual's
ability to access information according to how that information
is labeled based on its sensitivity.