THIRD PATENT FOR NIST'S ROLE-BASED ACCESS CONTROL WORK.
NIST's work on RBAC began almost 10 years ago. At that time, almost no products used RBAC, and the concept of using roles for access control was not well defined. NIST published a model for RBAC in 1992, then refined the model and published a semiformal description in 1995. Since then, formal descriptions of the model and reference implementations have been developed and published.
In RBAC, access decisions are based on the roles that individual users perform within an organization. Users take on assigned roles (such as doctor, nurse, teller, or manager). The process of defining roles should be based on a thorough analysis of how an organization operates and should include input from a wide spectrum of users in an organization. Access rights to operations on objects are grouped by role name, and the use of resources is restricted to individuals authorized to assume the associated role. For example, within a hospital system, the role of doctor can include operations to perform diagnosis, prescribe medication, and order laboratory tests; and the role of researcher can be limited to gathering anonymous clinical information for studies.
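The hospital example above can be written as a small access check. This is an added illustration, not NIST's reference implementation; the user names, the permission tuples and the per-session role activation step are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed sample policy based on the hospital example in the text.
# Access rights are (operation, object) pairs grouped under a role name.
ROLE_PERMISSIONS = {
    "doctor": {("diagnose", "patient"), ("prescribe", "medication"),
               ("order", "lab_test")},
    "researcher": {("read", "anonymous_clinical_data")},
}
# Hypothetical users and the roles each one is authorized to assume.
USER_ROLES = {"alice": {"doctor", "researcher"}, "bob": {"researcher"}}


@dataclass
class Session:
    """A user's session; only roles activated in it contribute permissions."""
    user: str
    active_roles: set = field(default_factory=set)

    def activate(self, role):
        # A role can be assumed only by a user authorized for it.
        if role not in USER_ROLES.get(self.user, set()):
            raise PermissionError(f"{self.user} may not assume role {role!r}")
        self.active_roles.add(role)

    def check_access(self, operation, obj):
        # The decision consults roles only, never a per-user permission list.
        return any((operation, obj) in ROLE_PERMISSIONS.get(role, set())
                   for role in self.active_roles)


def audit(user):
    """Return every (operation, object) pair reachable through a user's roles."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


if __name__ == "__main__":
    s = Session("bob")
    s.activate("researcher")
    print(s.check_access("read", "anonymous_clinical_data"))  # allowed
    print(s.check_access("prescribe", "medication"))          # denied
    print(sorted(audit("alice")))
```

Changing what a doctor may do means editing one entry in `ROLE_PERMISSIONS`, not every doctor's account, which is where the management savings come from.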
The use of RBAC can reduce the cost and the errors associated with managing user access to objects. The principal motivation behind RBAC is the desire to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization's structure. Traditionally, managing security has required mapping an organization's security policy to a relatively low-level set of access controls. With RBAC, it is not necessary to translate an organizational view into another view in order to accommodate an access control mechanism. In RBAC, the natural organizational view is the access control mechanism. The web site is http://hissa.nist.gov/rbac/.
|Title Annotation:||National Institute of Standards and Technology|
|Publication:||Journal of Research of the National Institute of Standards and Technology|
|Article Type:||Brief Article|
|Date:||May 1, 2001|