Role-based access control: a multi-dimensional view

Recently there has been considerable interest in role-based access control (RBAC) as an alternative, and supplement, to the traditional discretionary and mandatory access controls (DAC and MAC) embodied in the Orange Book. The roots of RBAC can be traced back to the earliest access control systems. Roles have been used in a number of systems for segregating various aspects of security and system administration. Recent interest in RBAC has been motivated by the use of roles at the application level to control access to application data. This is an important innovation which offers the opportunity to realize benefits in securing an organization´s information assets, similar to the benefits of employing databases instead of files as the data repository. A number of proposals for RBAC have been published in the literature, but there is no consensus on precisely what is meant by RBAC. This paper lays the groundwork for developing this consensus. In our view RBAC is a concept which has several dimensions, all of which may not be present in a given system or product. We envisage each dimension as being linearly ordered with respect to the sophistication of features provided. This leads us to the idea of a multi-dimension model for RBAC. Achieving agreement on what these dimensions are, and how the features in each dimension should be ordered, will take debate and time. Our contribution here is to lay out a vision on how to approach a common understanding of RBAC, and take a first cut at identifying the dimensions of RBAC. A major benefit of such a multidimensional RBAC would be to allow comparison of different products and assess their appropriateness for various system requirements