THIRD PATENT FOR NIST'S ROLE-BASED ACCESS CONTROL WORK.

On March 3, 2001, patent #6,202,066 was issued to NIST (National Institute of Standards & Technology, Washington, DC, www.nist.gov) for "Implementation of Role/Group Permission Association Using Object Access Type." This is the third patent issued to NIST for work in Role-Based Access Control (RBAC). The first two are #6,023,765 and #6,088,679.

NIST work in RBAC began almost 10 years ago. At that time, there were almost no products that used RBAC, and the concept of using roles for access control was not well defined. NIST published a model for RBAC in 1992 and refined the model and published a semiformal description in 1995. Since then, formal descriptions of the model and reference implementations have been developed and published.

In RBAC, access decisions are based on the roles that individual users perform within an organization. Users take on assigned roles (such as doctor, nurse, teller, or manager).
The process of defining roles should be based on a thorough analysis of how an organization operates and should include input from a wide spectrum of users in an organization. Access rights to operations on objects are grouped by role name, and the use of resources is restricted to individuals authorized to assume the associated role. For example, within a hospital system, the role of doctor can include operations to perform diagnosis, prescribe medication, and order laboratory tests; and the role of researcher can be limited to gathering anonymous clinical information for studies. The use of RBAC can reduce the cost and the errors associated with managing user access to objects.

The principal motivation behind RBAC is the desire to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization's structure. Traditionally, managing security has required mapping an organization's security policy to a relatively low-level set of access controls. With RBAC, it is not necessary to translate an organizational view into another view in order to accommodate an access control mechanism. In RBAC, the natural organizational view is the access control mechanism. The web site is http://hissa.nist.gov/rbac/.
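The following is an added illustration, not code from NIST or from the patented implementation: a minimal core-RBAC policy engine in which permissions (an operation on an object type) are grouped under role names, users are assigned roles, and every access decision is answered only through the user's roles, never through a per-user grant. The hospital roles, users, and permission names are constructed from the example in the text; the user names "alice" and "bob" and the object-type strings are assumptions for the demonstration.

```python
"""Core RBAC: permissions are attached to roles, users are attached to roles,
and an access check asks whether some role the user holds carries the
permission. Unknown users, roles, and permissions are denied by default.
Added example; the hospital policy below is constructed, not from NIST."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Iterable, Set, Tuple


@dataclass(frozen=True)
class Permission:
    """An approved operation on a type of object, e.g. ("prescribe", "medication")."""
    operation: str
    object_type: str


@dataclass
class RBACPolicy:
    # role name -> permissions granted to that role
    role_permissions: Dict[str, Set[Permission]] = field(default_factory=dict)
    # user id -> roles the user is authorized to assume
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)

    def define_role(self, role: str, perms: Iterable[Tuple[str, str]]) -> None:
        """Group access rights under a role name (defines or replaces the role)."""
        self.role_permissions[role] = {Permission(op, obj) for op, obj in perms}

    def assign_role(self, user: str, role: str) -> None:
        """Authorize a user to assume a role; the role must already exist."""
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}; define roles before assigning them")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user: str, role: str) -> None:
        """Remove a role from a user. Permissions reached only through that
        role disappear with it, so no per-user cleanup is needed."""
        self.user_roles.get(user, set()).discard(role)

    def permitted_roles(self, user: str, operation: str, object_type: str) -> Set[str]:
        """Roles held by the user that grant the requested permission.
        Decisions are made from roles only; there is no user-specific grant."""
        wanted = Permission(operation, object_type)
        return {
            role
            for role in self.user_roles.get(user, set())
            if wanted in self.role_permissions.get(role, set())
        }

    def check_access(self, user: str, operation: str, object_type: str) -> bool:
        """Default-deny access decision: allowed only if some role grants it."""
        return bool(self.permitted_roles(user, operation, object_type))


def build_hospital_policy() -> RBACPolicy:
    """Constructed sample policy mirroring the doctor/researcher example."""
    policy = RBACPolicy()
    policy.define_role("doctor", [
        ("perform", "diagnosis"),
        ("prescribe", "medication"),
        ("order", "laboratory_test"),
    ])
    policy.define_role("researcher", [
        ("gather", "anonymous_clinical_information"),
    ])
    policy.assign_role("alice", "doctor")      # assumed user
    policy.assign_role("bob", "researcher")    # assumed user
    return policy


if __name__ == "__main__":
    p = build_hospital_policy()
    for user, op, obj in [("alice", "prescribe", "medication"),
                          ("bob", "prescribe", "medication"),
                          ("bob", "gather", "anonymous_clinical_information"),
                          ("carol", "perform", "diagnosis")]:
        print(f"{user:6} {op:9} {obj:32} -> {'ALLOW' if p.check_access(user, op, obj) else 'DENY'}")
```

The administrative benefit the text describes shows up in `revoke_role`: when a person changes jobs, only the user-to-role assignment changes, and every permission that was reachable through the old role is withdrawn in one step rather than by auditing individual object grants.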