cro's place

RBAC: A Primer

Posted in General by cro. Thursday November 3, 2005.

When I first started researching Role-Based Access Control (RBAC) in detail at the tail end of last year, I spent an enormous amount of time on the web reading through transcripts and papers from academics and commercial organisations. Those that I found interesting, or that added to what I knew about RBAC, were printed out for reference. I thought it was about time I went through the pile of documents I kept and listed them. So here it is: my primer to Role-Based Access Control theory and practice.

1994

Access Rights Administration in Role-Based Security Systems

1996

Roles Versus Groups (PDF)

1997

Observations On The Real-World Implementation Of Role-Based Access Control (PDF, via NIST)

1998

Towards a more complete model of role
Role-based access control in Java

1999

Integrating Policy-Driven Role Based Access Control with the Common Data Security Architecture
The role graph model and conflict of interest
Migrating to role-based access control
The Uses of Role Hierarchies in Access Control (PDF)
Role-Based Access Control on the Web (PDF)

2000

Injecting RBAC to Secure a Web-based Workflow System
Application of XML tools for enterprise-wide RBAC implementation tasks
Configuring Role-Based Access Control to Enforce Mandatory and Discretionary Access Control Policies
The role-based access control system of a European bank

2001

An Argument for the Role-Based Access Control Model (PDF)
A model of OASIS role-based access control and its support for active security
RBAC Policies In XML For X.509 Based Privilege Management (PDF, Salford University)

2002

RBAC Policies In Xml For X.509 Based Privilege Management (PDF, Salford University)
Implementing Role Based Access Controls Using X.509 Attributes (PDF, Salford University)
The PERMIS X.509 Role Based Privilege Management Infrastructure (PDF, Salford University)

2003

Role Based Access Control (NIST)

2004

SSCSD SD 541, June 2004 (PDF, US Navy, via NIST)
Using UML To Visualize Role-Based Access Control Constraints (PDF)

2005

Roles: Burton Group Reference Architecture Technical Position (login required)

On top of these documents, this page on the ACM website contains an archive of links to all the papers given at previous ACM Workshops on Role-Based Access Control (some of which are explicitly linked above). The conferences are now sponsored by the ACM Special Interest Group on Security, Audit and Control (SIGSAC).

Enjoy!


One Response to “RBAC: A Primer”

  1. Sim Alam Says:

    Hi Tom,

    Great site. I had a few problems finding some of the links you referenced but FYI I found a copy of the “Using UML To Visualize Role-Based Access Control Constraints” at http://www.secs.oakland.edu/~kim2/papers/SACMAT2004.pdf

    Have you done or seen any work on models/processes for mapping provisioning requirements?

    Cheers,
    Sim Alam



Copyright 1998-2005 Tom Gordon