BKROLBAC.RVW 20051106

"Role-Based Access Control", David F. Ferraiolo/D. Richard Kuhn/Ramaswamy Chandramouli, 2003, 1-58053-370-1
%A David F. Ferraiolo
%A D. Richard Kuhn
%A Ramaswamy Chandramouli
%C 685 Canton St., Norwood, MA 02062
%D 2003
%G 1-58053-370-1
%I Artech House/Horizon
%O 617-769-9750 800-225-9977 fax: 6177696334 artech@artech-house.com
%O http://www.amazon.com/exec/obidos/ASIN/1580533701/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1580533701/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1580533701/robsladesin03-20
%O Audience a Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 316 p.
%T "Role-Based Access Control"

The original papers on role-based access control (RBAC) saw it as an extension of mandatory access control (MAC): a given role in an organization would have a given requirement for clearance, and therefore a particular person in a role would have access to material labelled at a specific sensitivity. In the preface, the authors state that they are following current interest in RBAC as a means of identity management, with little distinction made between the use of discretionary or mandatory access control policies. The intended audiences are security professionals, software developers, and instructors and students in security courses.

Chapter one outlines the basics of access control, moves to a history of access control and RBAC, and ends with a justification for the use of RBAC in the enterprise. More details of access control concepts are provided in chapter two, along with some repetition of the models in chapter one. The basics of role-based access control are outlined in chapter three. Chapter four examines role hierarchies and the inheritance of privilege. Separation of duties (somewhat oversimplified by equating it with the "two man rule") addresses the issue of conflation of roles, although chapter five is rather weak in terms of practical implementation.
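The review's mentions of role hierarchies (chapter four) and separation of duties (chapter five) can be made concrete with a small model. The Python below is an added illustration, not code from the book or from the NIST standard; the role names, permissions and the finance scenario are constructed. It shows permission inheritance through a role hierarchy and a static separation-of-duty constraint in the (role set, n) form, checked against a user's authorized roles including those acquired by inheritance, so that a senior role cannot be used to quietly pick up a conflicting junior role.

```python
from collections import defaultdict


class RBAC:
    """Minimal hierarchical RBAC model with static separation of duty (SSD).

    Constructed illustration only; not the book's or NIST's reference code.
    """

    def __init__(self):
        self.role_perms = defaultdict(set)   # role -> directly granted permissions
        self.juniors = defaultdict(set)      # senior role -> roles it inherits from
        self.user_roles = defaultdict(set)   # user -> directly assigned roles
        self.ssd = []                        # list of (frozenset(roles), n)

    def add_role(self, role, perms=()):
        self.role_perms[role] |= set(perms)

    def add_inheritance(self, senior, junior):
        # senior inherits every permission of junior; refuse to create a cycle
        if senior == junior or senior in self.authorized_roles_of_role(junior):
            raise ValueError(f"inheritance {senior} -> {junior} would create a cycle")
        self.juniors[senior].add(junior)

    def authorized_roles_of_role(self, role):
        # the role itself plus every junior reachable through the hierarchy
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors[r])
        return seen

    def authorized_roles(self, user):
        out = set()
        for r in self.user_roles[user]:
            out |= self.authorized_roles_of_role(r)
        return out

    def permissions(self, user):
        # effective permissions = union over all authorized (assigned + inherited) roles
        return set().union(*(self.role_perms[r] for r in self.authorized_roles(user)))

    def check_access(self, user, perm):
        return perm in self.permissions(user)

    def add_ssd(self, roles, n=2):
        # no user may be authorized for n or more roles from this set
        self.ssd.append((frozenset(roles), n))

    def _ssd_violation(self, authorized):
        for role_set, n in self.ssd:
            if len(authorized & role_set) >= n:
                return role_set, n
        return None

    def assign(self, user, role):
        # evaluate the constraint on what the user WOULD be authorized for,
        # which includes roles inherited through the new role's hierarchy
        candidate = self.authorized_roles(user) | self.authorized_roles_of_role(role)
        violation = self._ssd_violation(candidate)
        if violation:
            role_set, n = violation
            raise PermissionError(
                f"assigning {role} to {user} breaks SSD {sorted(role_set)} (limit {n})")
        self.user_roles[user].add(role)


def demo():
    """Constructed finance scenario: approving and issuing a payment must not
    be held by one person, even via an inherited role."""
    rbac = RBAC()
    rbac.add_role("clerk", ["read_invoice"])
    rbac.add_role("approver", ["approve_payment"])
    rbac.add_role("payment_issuer", ["issue_payment"])
    rbac.add_role("finance_manager", ["view_ledger"])
    rbac.add_inheritance("finance_manager", "approver")   # manager inherits approver
    rbac.add_ssd(["approver", "payment_issuer"], n=2)

    rbac.assign("alice", "clerk")
    rbac.assign("alice", "approver")
    rbac.assign("bob", "payment_issuer")
    rbac.assign("carol", "finance_manager")

    def blocked(user, role):
        try:
            rbac.assign(user, role)
            return False
        except PermissionError:
            return True

    return {
        "alice_perms": sorted(rbac.permissions("alice")),
        "alice_can_issue": rbac.check_access("alice", "issue_payment"),
        "carol_perms": sorted(rbac.permissions("carol")),
        # direct conflict: alice already approves, may not also issue
        "direct_conflict_blocked": blocked("alice", "payment_issuer"),
        # inherited conflict: finance_manager would give bob the approver role
        "inherited_conflict_blocked": blocked("bob", "finance_manager"),
    }


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from the inherited-conflict case is that a separation-of-duty check which looks only at directly assigned roles is incomplete once a hierarchy exists; the constraint has to be evaluated over the closure of the hierarchy, which is one reason the chapter's "two man rule" framing understates the problem.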
Chapter six looks at the use of RBAC with both mandatory (MAC) and discretionary (DAC) access control. The NIST (US National Institute of Standards and Technology) RBAC standard is explained in chapter seven. Chapter eight examines the intriguing idea of using role-based administration to manage the assignments and permissions of RBAC itself. (This material is highly formal, and would require dedicated study by those attempting to implement it.) Enterprise access frameworks (EAFs) are proposed in chapter nine, reaching back to mandatory access control for a kind of automated assignment of permissions direct from corporate policy. (Much of this text is taken up with XML code.) The relation of RBAC to various popular technologies is suggested in chapter ten. A short case study of the transition of a company to RBAC is provided in chapter eleven. Chapter twelve deals with RBAC facilities in a number of commercial products.

The writing is frequently uneven and repetitious, but the concepts are generally clear enough. The book also uses lots of acronyms, and isn't always careful about providing an explanation for them.

In regard to the stated audiences, most security professionals will find much of interest and value in the first half of the book, and it would act as a useful text in a number of security courses. Software developers might not find as much to their advantage. The second half of the book is questionable. For those involved in the formal and theoretical study of role-based access control, this work will have much merit, but that is a select audience, and the demands on the reader will be significant.

copyright Robert M. Slade, 2005