A role-based system is one in which identities and resources are managed by aggregating them into groups, or roles, based on job functions, physical location, legal controls, and other criteria. Role-based systems can be used to simplify access control as well as for administrative convenience. Role-based systems were developed from three general concepts: first, the use of groups in UNIX and similar operating systems; second, privilege grouping in database management systems; and third, separation of duties concepts.
As previously noted, the first concept from which role-based systems were developed is the group identifier in UNIX and similar operating systems. In those systems, certain files and hardware capabilities are associated with a group. Adding a user to a group grants that user access to the files and hardware capabilities identified with that group. Revoking the user's membership in that group likewise revokes the user's access to the group-shared files and functions.
The second concept from which role-based systems were developed, privilege grouping, works similarly. Instead of access to files, however, the database aggregates data-access permissions such as “CREATE TABLE,” “SELECT [data],” and “INSERT [data].” By consolidating some of these permissions together into profiles, the procedure for granting and revoking access to read and change the data in the database is simplified.
The third concept from which role-based systems developed is the concept of separation of duties introduced in theoretical papers about security. Separation of duties is considered valuable in deterring fraud, since fraud can occur if an opportunity exists for one actor to fulfill multiple job-related functions. Separation of duties requires that for particular sets of transactions, no single individual is allowed to execute all transactions within the set. For example, financial controls in business settings often require that the person who signs a check be different from the payee on the check and that neither of those parties be associated with the audit of the checking account.
Separation of duties can be either static or dynamic. Compliance with static separation requirements can be determined simply by the proper allocation of transactions to roles followed by assignment of individuals to those roles. Compliance with the separation of duties concept is evaluated in advance, at the time of role creation and assignment. Dynamic separation of duties is more complicated. Procedures for dynamic separation of duties are required when compliance with requirements can only be determined during system operation. This allows for more flexibility in operations at the cost of higher complexity. Consider again the example of the financial controls of a business. A static policy could require that no individual who can write a check would ever be able to receive a check, and vice versa. This policy would be too rigid for real-world use. An alternative dynamic policy would allow a person to both write and receive checks, so long as that person was never allowed to sign any checks to herself or audit checks that she had received.
Role-Based Access Control (RBAC) brings together these three concepts to form a new security model. RBAC associates permissions and privileges (hereinafter collectively “permissions”) with roles; each role is granted only the minimum permissions necessary for the performance of the functions associated with that role. Identities are assigned to roles, giving the people or objects associated with those identities the permissions necessary to accomplish job functions. This presents a flexible approach while still maintaining separation of duties concepts important to real-world security.
RBAC has been formalized mathematically by NIST and accepted as a standard by ANSI. American National Standard 359-2004 is the information technology industry consensus standard for RBAC, and is incorporated herein by reference in its entirety. A role can be regarded as a set of operations that an identity or set of identities can perform within the context of an organization. For each role, a set of operations allocated to the role is maintained. An operation is a transformation procedure plus a set of associated data items. In addition, each role has an associated set of individual members. As a result, RBAC provides a means of naming and describing many-to-many relationships between individuals and rights. An individual may at any moment be able to act in several roles. When an individual has multiple role assignments, that individual has the potential aggregated permissions of all roles to which that person belongs, subject always to separation of duties constraints. Therefore, the permission contours for each actor in a system can be unique without imposing excessive administrative overhead. Further, separation of duties can be enforced and audited on both a static and dynamic basis.
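The static and dynamic separation of duties checks described for the check-writing example, together with the role, permission and assignment relations of the RBAC model just described, as an added Python example that is not part of the original text and is not the ANSI 359 reference model itself. The role names, operation names, the object identifier "check-1" and the users alice, bob and carol are constructed for illustration. The dynamic constraint is simplified to a per-object history of which actor performed which operation, rather than the session-based role activation the standard specifies; the static constraint follows the standard's cardinality form (of a given role set, no user may hold n or more).

```python
"""Minimal RBAC engine with static and dynamic separation of duties (SoD).
Added example; role, operation and user names are constructed assumptions."""
from collections import defaultdict


class SoDViolation(Exception):
    """An assignment or operation that would breach a separation of duties rule."""


class RBAC:
    """Roles hold permissions; users hold roles. Static SoD is checked when a
    user is assigned a role, dynamic SoD when an operation is performed."""

    def __init__(self):
        self.role_perms = defaultdict(set)   # role -> set of permissions (operation names)
        self.user_roles = defaultdict(set)   # user -> set of roles
        self.static_sod = []                 # (frozenset of roles, n): no user may hold n or more of them
        self.dynamic_sod = set()             # unordered op pairs one actor may not both perform on one object
        self.history = defaultdict(set)      # object id -> set of (user, operation) already performed on it

    # --- administration (evaluated in advance) -----------------------------
    def grant(self, role, *perms):
        self.role_perms[role].update(perms)

    def add_static_sod(self, roles, n=2):
        """Static rule in the cardinality form of ANSI 359: a user may hold fewer than n of these roles."""
        self.static_sod.append((frozenset(roles), n))

    def add_dynamic_sod(self, op_a, op_b):
        """Dynamic rule: the same actor may not perform both op_a and op_b on the same object."""
        self.dynamic_sod.add(frozenset((op_a, op_b)))

    def assign(self, user, role):
        """Reject the assignment if the resulting role set would breach a static rule."""
        proposed = self.user_roles[user] | {role}
        for role_set, n in self.static_sod:
            if len(proposed & role_set) >= n:
                raise SoDViolation(f"{user} may not hold {sorted(proposed & role_set)} together")
        self.user_roles[user].add(role)

    # --- runtime (evaluated during operation) ------------------------------
    def permissions(self, user):
        """Aggregated permissions of every role the user holds."""
        return set().union(*(self.role_perms[r] for r in self.user_roles[user]))

    def perform(self, user, op, obj):
        """Check the permission, then the object's history against the dynamic rules."""
        if op not in self.permissions(user):
            raise PermissionError(f"{user} lacks permission {op}")
        for actor, prior in self.history[obj]:
            if actor == user and frozenset((prior, op)) in self.dynamic_sod:
                raise SoDViolation(f"{user} already performed {prior} on {obj}; {op} conflicts")
        self.history[obj].add((user, op))
        return True


def check_scenario():
    """Constructed scenario mirroring the financial controls example in the text."""
    rbac = RBAC()
    rbac.grant("check_writer", "write_check", "sign_check")
    rbac.grant("payee", "receive_check")
    rbac.grant("auditor", "audit_check")

    # Static policy: the auditor role is incompatible with either transacting role.
    rbac.add_static_sod({"auditor", "check_writer"})
    rbac.add_static_sod({"auditor", "payee"})
    # Dynamic policy: a person may both write and receive checks, but may never
    # sign or audit a check she received.
    rbac.add_dynamic_sod("receive_check", "sign_check")
    rbac.add_dynamic_sod("receive_check", "audit_check")

    rbac.assign("alice", "check_writer")
    rbac.assign("alice", "payee")          # allowed under the dynamic policy
    rbac.assign("bob", "check_writer")
    rbac.assign("carol", "auditor")

    results = {}
    try:
        rbac.assign("carol", "payee")      # static violation, caught at assignment time
        results["carol_payee"] = "assigned"
    except SoDViolation:
        results["carol_payee"] = "rejected"

    rbac.perform("alice", "write_check", "check-1")
    rbac.perform("alice", "receive_check", "check-1")   # alice is the payee of check-1
    try:
        rbac.perform("alice", "sign_check", "check-1")  # dynamic violation: signing a check to herself
        results["alice_signs_own"] = "allowed"
    except SoDViolation:
        results["alice_signs_own"] = "rejected"
    results["bob_signs"] = rbac.perform("bob", "sign_check", "check-1")
    results["carol_audits"] = rbac.perform("carol", "audit_check", "check-1")
    results["alice_perms"] = sorted(rbac.permissions("alice"))
    return results


if __name__ == "__main__":
    print(check_scenario())
```

The two checks live in different places on purpose: `assign` can decide statically because it only needs the role relations, whereas `perform` must consult the history of the object, which is exactly the case the text describes as decidable only during operation. Revoking alice's `payee` role would remove `receive_check` from `permissions("alice")` immediately, since permissions are derived from the current role set rather than copied to the user.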
In addition to access control systems, role-based systems may be used as a convenient grouping or categorization tool within organizations. People, equipment, buildings, documents, and other concrete or abstract objects can be put into groups for more effective management.