New to RBAC? see: Primary RBAC References and Background | RBAC FAQ | RBAC Case Studies.
Implementing RBAC? start with: Role Engineering and RBAC Standards | RBAC Case Studies.
Researcher or student? see Primary RBAC References and Background and other research papers in the RBAC Library.

Security administration can be costly and prone to error because administrators usually specify access control lists for each user on the system individually. With RBAC, security is managed at a level that corresponds closely to the organization's structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. Security administration with RBAC consists of determining the operations that must be executed by persons in particular jobs, and assigning employees to the proper roles. Complexities introduced by mutually exclusive roles or role hierarchies are handled by the RBAC software, making security administration easier.

A variety of IT vendors, including IBM, Sybase, Secure Computing, and Siemens, began developing products based on this model in 1994. In 2000, the Ferraiolo-Kuhn model was integrated with the framework of Sandhu et al. to create a unified model for RBAC, published as the NIST RBAC model (Sandhu, Ferraiolo, and Kuhn, 2000) and adopted as an ANSI/INCITS standard in 2004. Today, most information technology vendors have incorporated RBAC into their product lines, and the technology is finding applications in areas ranging from health care to defense, in addition to the mainstream commerce systems for which it was designed.

Role-Based Access Control, 2nd edition (2007)

As of 2010, the majority of users in enterprises of 500 or more were using RBAC, according to analysis from RTI International. NIST's RBAC research was estimated to have saved industry $1.1 billion over multiple years, according to Economic Analysis of Role-Based Access Control: Final Report, a December 2010 report from RTI International. The report analyzes the economic value of RBAC for the enterprise and for the national economy, and provides quantitative economic benefits of RBAC per employee for adopting firms. Of particular interest to firms considering RBAC, the report calculates savings from reduced employee downtime, more efficient provisioning, and more efficient access control policy administration, beyond the added security provided by RBAC.

ABAC (Attribute Based Access Control)
ABAC is a rule-based approach to access control that can be easy to set up but complex to manage. We are investigating both practical and theoretical aspects of ABAC and similar approaches, and we held an Attribute Based Access Control Workshop in 2013. The following papers discuss ABAC and tradeoffs in design:
D.F.
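The user-to-role and role-to-privilege assignments, the role hierarchy and the mutually exclusive roles described above, as a small added example in Python (not NIST's code or any vendor's product); the accounts-payable roles, users and permissions are constructed for illustration:

```python
from collections import defaultdict

class RBAC:
    """Core RBAC with a role hierarchy and static separation of duty (SSD)."""
    def __init__(self):
        self.role_perms = defaultdict(set)  # role -> permissions granted directly
        self.juniors = defaultdict(set)     # senior role -> junior roles it inherits from
        self.user_roles = defaultdict(set)  # user -> roles assigned directly
        self.ssd = []                       # sets of mutually exclusive roles
    def grant(self, role, *perms):
        self.role_perms[role].update(perms)
    def inherits(self, senior, junior):
        self.juniors[senior].add(junior)
    def add_ssd(self, *roles):
        self.ssd.append(frozenset(roles))

    def authorized_roles(self, user, extra=()):
        # Walk the hierarchy downward: a senior role holds its juniors' permissions.
        seen, stack = set(), list(self.user_roles[user] | set(extra))
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors[r])
        return seen

    def assign(self, user, role):
        # Refuse if the user would hold two roles of one SSD set (inherited ones count).
        proposed = self.authorized_roles(user, [role])
        if any(len(proposed & exclusive) > 1 for exclusive in self.ssd):
            return False
        self.user_roles[user].add(role)
        return True

    def check_access(self, user, perm):
        return any(perm in self.role_perms[r] for r in self.authorized_roles(user))

def demo():
    """Constructed accounts-payable example; roles, users and permissions are made up."""
    rbac = RBAC()
    rbac.grant("employee", "read_policy")
    rbac.grant("clerk", "create_invoice")
    rbac.grant("approver", "approve_invoice")
    rbac.inherits("clerk", "employee")
    rbac.inherits("approver", "employee")
    rbac.add_ssd("clerk", "approver")  # invoice creation and approval stay separated
    rbac.assign("alice", "clerk")
    rbac.assign("bob", "approver")
    blocked = not rbac.assign("alice", "approver")  # SSD rejects this
    return rbac, blocked
```

Because the SSD check runs over the hierarchy closure, a conflict is also caught when one of the exclusive roles is only reached by inheritance rather than assigned directly.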