A Critique of the ANSI Standard on Role Based Access Control

Ninghui Li, Department of Computer Science, Purdue University, Ji-Won Byun, Department of Computer Science, Purdue University, and Elisa Bertino, Department of Computer Science, Purdue University

7/18/2008
(Original Publish Date: 5/1/2005)

The American National Standard Institute (ANSI) Standard on Role-Based Access Control (RBAC) was approved in 2004 to fulfil “a need among government and industry purchasers of information technology products for a consistent and uniform definition of role based access control (RBAC) features” [1]. The development of the ANSI RBAC standard represents an important milestone and will enhance portability and interoperability of applications and access control policies. The current version of the standard, however, has limitations, design flaws, and technical errors. In this article, we identify critical design problems in the current ANSI RBAC standard and suggest how they can be addressed. We also analyze several critical features of RBAC, such as sessions, hierarchies, and constraints, and discuss how they should be supported in RBAC models. We believe that our analysis will contribute to improvements in the RBAC standard and, more broadly, in the understanding of RBAC.