Information Technology – Role Based Access Control – Policy-Enhanced
Publication Date: 26 July 2012
Role Based Access Control (RBAC) has been criticized for the difficulty of setting up an initial role structure and for inflexibility in rapidly changing domains. A pure RBAC solution may provide inadequate support for dynamic attributes, such as time of day, which might need to be considered when determining user permissions. This RBAC Policy-Enhanced standard (to be referenced as RPE) provides a framework and functional specifications to handle the relationship between roles and dynamic constraints. Some of the administrative and user permission review advantages of RBAC are retained while allowing the access control system to work in a rapidly changing environment.
The RPE defines the scope and context for role-role, user-role, and attribute-sensitive dynamic constraints which can be implemented in a run-time environment. This standard defines the functional areas of External Policy Interfaces, the RBAC Engine, and enhanced dynamic constraint mechanisms of the RBAC Policy-Enhanced Reference Model. Additional interfaces have been included to provide visibility into the system for integrity checking (RBAC Implementation and Interoperability Interface) and Audit Monitoring of the RPE access control model. These RPE features extend the dynamic constraints of RBAC (INCITS 359-2012), which primarily emphasize Separation of Duty (SoD) functions.
The RPE allows external policies (rules and data) to implement constraints on the core role components within the base RBAC Reference Model (INCITS 359-2012) and define dynamic constraints which may be applied to users, roles, operations, objects, and permissions. These enhancements are defined through several mechanisms including an RBAC Engine algorithm, supporting system functions for the RBAC Engine, an external security policy interface and the definitions of dynamic constraint primitives and operations. These combined features enable the RPE to define and implement the least privilege conditions (fine-grained authorization) necessary to tailor the base RBAC Reference Model to various attributes and dynamic constraints.
Extending the static constraints of RBAC (INCITS 359-2012), the RPE also defines static constraints, which consist of role-role, permission-permissio
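The combination the abstract describes (static role structure and SoD from the base RBAC model, plus run-time evaluation of an external policy against dynamic attributes such as time of day) as an added illustration in Python; this is not code from the standard, and the class, method and policy names, and the choice to bind dynamic constraints per role, are assumptions made for the example.

```python
# Added example, not from INCITS 494: a minimal RBAC Engine in the RPE style.
# Static structure (user-role assignment, role-permission assignment, static
# SoD) follows the base RBAC model; dynamic constraints are external policy
# callables evaluated at access-check time against a caller-supplied context.
from dataclasses import dataclass, field
from typing import Callable

Context = dict  # run-time attributes supplied by the caller, e.g. {"hour": 14}
Policy = Callable[[str, str, str, Context], bool]  # (user, op, obj, ctx) -> ok?


@dataclass
class RbacEngine:
    user_roles: dict[str, set[str]] = field(default_factory=dict)
    role_perms: dict[str, set[tuple[str, str]]] = field(default_factory=dict)
    static_sod: list[tuple[str, str]] = field(default_factory=list)  # exclusive pairs
    policies: dict[str, list[Policy]] = field(default_factory=dict)  # role -> rules

    def assign_user(self, user: str, role: str) -> bool:
        """User-role assignment honouring static SoD; returns False on a violation."""
        held = self.user_roles.setdefault(user, set())
        for a, b in self.static_sod:
            if (role == a and b in held) or (role == b and a in held):
                return False  # mutually exclusive roles may not be held together
        held.add(role)
        return True

    def check_access(self, user: str, op: str, obj: str, ctx: Context) -> bool:
        """Grant only via a held role carrying the permission whose dynamic
        constraints all pass for this context (least privilege at run time)."""
        for role in self.user_roles.get(user, ()):
            if (op, obj) not in self.role_perms.get(role, ()):
                continue
            if all(rule(user, op, obj, ctx) for rule in self.policies.get(role, [])):
                return True
        return False


def business_hours(user: str, op: str, obj: str, ctx: Context) -> bool:
    """External policy: a time-of-day constraint, 09:00 to 17:00 (hypothetical)."""
    return 9 <= ctx["hour"] < 17


def build_demo_engine() -> RbacEngine:
    """Constructed sample: payer and approver are a static SoD pair; payer is
    additionally restricted to business hours by a dynamic constraint."""
    eng = RbacEngine(static_sod=[("payer", "approver")])
    eng.role_perms = {"payer": {("pay", "invoice")},
                      "approver": {("approve", "invoice")},
                      "auditor": {("read", "invoice")}}
    eng.policies = {"payer": [business_hours]}
    eng.assign_user("alice", "payer")
    eng.assign_user("bob", "auditor")
    return eng
```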
Informative Annex A provides references for this document. Informative Annex B presents the table of RBAC Implementation and Interoperability Standard (RIIS) Management Functions, which are commands for reviewing the status of the RBAC Engine described in this work.