title: 1.3 - What ANSI RBAC is
navPrev: 1.2-what-is-not-rbac.html
navPrevText: 1.2 - What ANSI RBAC is not
navUp: 1-intro-rbac.html
navUpText: 1 - An Introduction to Role-Based Access Control ANSI INCITS 359-2004
navNext: 1.4-why-rbac-is-important.html
navNextText: 1.4 - Why is ANSI RBAC Important?

1.3 - What ANSI RBAC is

There is more to RBAC than using a Role object during policy enforcement.

  • RBAC0 - Users, Roles, Permissions (Objects-Operations), Sessions - form the core of ANSI RBAC. Role activation within a session, and permissions expressed as Object->Operation pairings, are key facets of the basic ANSI RBAC model.
  • RBAC1 - Hierarchical Roles - encourages proper role engineering. Parent roles are Business Roles while child roles map to IT Roles. Role hierarchies should be many-to-many, i.e. support multiple inheritance.
  • RBAC2 - Static Separation of Duties - used to limit the privilege of users to within normal boundaries. SSD constraints are applied at role assignment time.
  • RBAC3 - Dynamic Separation of Duties - enforces constraints on which functions may be used together at any point in time. DSD constraints may be used to enforce strict controls during multi-step approval processes. DSD constraints are applied at role activation time.
  • Well-defined APIs that can be shared across projects and application development teams.
  • Well-defined data model, easily created and replicated across the enterprise.
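The four levels above, as an added toy model (constructed for this page, not Fortress code): object/operation permissions and sessions (RBAC0), parent roles inheriting their children's permissions with a child allowed under several parents (RBAC1), SSD checked at assignment time (RBAC2) and DSD checked at activation time (RBAC3). Role and user names used with it are hypothetical.

```python
from typing import Dict, List, Set, Tuple

class AnsiRbac:
    """Toy RBAC0-RBAC3 model (constructed example, not Fortress code). A permission is an (object, operation) pair."""
    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[Tuple[str, str]]] = {}  # RBAC0: role -> (object, operation) pairs
        self.children: Dict[str, Set[str]] = {}                # RBAC1: parent (business) -> child (IT) roles
        self.user_roles: Dict[str, Set[str]] = {}              # RBAC0: user -> assigned roles
        self.sessions: Dict[str, Tuple[str, Set[str]]] = {}    # RBAC0: session id -> (user, active roles)
        self.ssd: List[Tuple[Set[str], int]] = []              # RBAC2: (role set, cardinality)
        self.dsd: List[Tuple[Set[str], int]] = []              # RBAC3: (role set, cardinality)

    def add_role(self, role, perms=(), children=()):
        self.role_perms[role] = set(perms)
        self.children[role] = set(children)  # a child may sit under several parents (multi-inheritance)

    def authorized_roles(self, role) -> Set[str]:  # the role plus all descendants: parents inherit children's perms
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.children.get(r, ()))
        return seen

    @staticmethod
    def _violates(constraints, roles) -> bool:
        return any(len(roles & rs) >= n for rs, n in constraints)

    def assign_user(self, user, role):  # RBAC2: SSD is enforced at assignment time
        held = self.user_roles.get(user, set()) | {role}
        expanded = set().union(*(self.authorized_roles(r) for r in held))
        if self._violates(self.ssd, expanded):
            raise PermissionError(f"SSD: {user} may not hold {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def create_session(self, user, sid):
        self.sessions[sid] = (user, set())

    def add_active_role(self, sid, role):  # RBAC3: DSD is enforced at activation time
        user, active = self.sessions[sid]
        if role not in self.user_roles.get(user, set()):
            raise PermissionError(f"{role} is not assigned to {user}")
        if self._violates(self.dsd, active | {role}):
            raise PermissionError(f"DSD: {role} may not be active with {sorted(active)}")
        active.add(role)

    def check_access(self, sid, obj, op) -> bool:  # policy decision over the session's active roles
        _, active = self.sessions[sid]
        return any((obj, op) in self.role_perms.get(r, ()) for a in active for r in self.authorized_roles(a))
```

Note that a user may legitimately be assigned both roles of a DSD pair; the constraint only stops them being active in the same session, which is what separates the initiating and approving steps of a multi-step process.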