The paper researches and evaluates the importance of role-based access control (RBAC) policies. The basic principles of RBAC are discussed. The paper proves standardization of RBAC elements and the use of the SecureUML language to be the critical components of RBAC efficiency and cost-effectiveness. RBAC has the potential to become an effective measure of IT security in organizations.
Table of Contents
Role-based access control: What is it?
RBAC policies, standardization, and SecureUML language
Importance of Role-Based Access Control
Throughout the evolution of information technologies, discretionary access control (DAC) and mandatory access control (MAC) were the two basic techniques used by IT professionals to develop and describe access policies (Cenys, Normantas & Radvilavicius, 2009). However, the beginning of the new millennium was marked by the rapid development of new, more sophisticated access frameworks. Role-based access control (RBAC) became a new form of access policy, more convenient, flexible, and usable than traditional DAC and MAC. Today, standardization of the core elements and the SecureUML language can be used to enhance the efficiency of RBAC policies and protect the data processed, stored, and transmitted via information systems.
Role-Based Access Control: What Is It?
Access is defined as an individual's ability to access and use an IT resource (NIST, 1995). Access control is an effective way to monitor and restrict this ability (NIST, 1995). With role-based access control, the type of access is based on the roles and responsibilities of each individual within the organization; the process of defining these roles requires a thorough analysis of how the organization operates (NIST, 1995). Access rights are categorized and grouped by role name, and the use of the corresponding IT resources is restricted to individuals who assume that role (NIST, 1995). RBAC is believed to be an effective measure of enterprise-specific security and a reliable means to streamline the security management process (NIST, 1995).
RBAC Policies, Standardization and SecureUML Language
RBAC is another form of access policy used by organizations to restrict the access to and use of specific IT resources. RBAC draws on familiar mechanisms such as UNIX groups and privilege groupings in database management systems (Ferraiolo et al., 2001). More important, however, are the elements that can make this system of access control efficient and cost-effective. Here, standardization of the basic RBAC elements and the use of the SecureUML language can enhance the quality of RBAC access policies in organizations. Standardization of RBAC features is an excellent solution for IT professionals who seek to package RBAC features through the selection of the most important functional components (Ferraiolo et al., 2001). Not all RBAC features are workable in every organizational environment, and vendors may choose the most important and functional features and package them in ways that meet the IT needs of organizations. Standardization lays the foundation for creating uniform acquisition specifications and making better-justified purchasing decisions (Ferraiolo et al., 2001). Ultimately, standardization is the necessary precondition for developing better interoperability and portability of RBAC solutions across organizations and vendors (Ferraiolo et al., 2001).
Standardization alone does not suffice to make RBAC policies workable in the long run. Cenys, Normantas and Radvilavicius (2009) suggest that the SecureUML language be used to design RBAC policies for specific systems. SecureUML is based on RBAC and can become the source of significant RBAC improvements in organizations that use this type of access policy (Cenys, Normantas & Radvilavicius, 2009). The use of this language, as well as RBAC policies in general, can enable users to fulfill a wide range of technical operations. RBAC gives system administrators the opportunity to grant individuals access to specific IT resources based on the role they fulfill and the place they occupy in the organizational hierarchy. The use of RBAC policies has the potential to improve the efficiency of IT operations and decisions in organizations and to become an essential component of numerous organizational, business, and government security policies.
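The core RBAC elements that Ferraiolo et al. (2001) standardize (users, roles, permissions as operation/object pairs, user-role and permission-role assignment, a role hierarchy, and sessions that activate only some of a user's roles) are shown below in a small Python model. This is an added example, not code from the paper or from the NIST standard; the roles, users and permissions in `build_sample` are constructed for illustration.

```python
from collections import defaultdict


class RBAC:
    def __init__(self):
        self.ua = defaultdict(set)       # user -> directly assigned roles (UA)
        self.pa = defaultdict(set)       # role -> {(operation, object)} (PA)
        self.juniors = defaultdict(set)  # role -> roles it inherits from

    def assign_user(self, user, role):
        self.ua[user].add(role)

    def grant(self, role, operation, obj):
        self.pa[role].add((operation, obj))

    def add_inheritance(self, senior, junior):
        self.juniors[senior].add(junior)  # senior holds every permission of junior

    def authorized_roles(self, roles):
        # transitive closure of the role hierarchy starting from the given roles
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors[r])
        return seen

    def open_session(self, user, roles):
        # a session activates a subset of the user's authorized roles (least privilege)
        active = set(roles)
        if not active <= self.authorized_roles(self.ua[user]):
            raise PermissionError(f"{user} may not activate {sorted(active)}")
        return active

    def check_access(self, active, operation, obj):
        # granted if any active role, or a junior it inherits from, holds the permission
        return any((operation, obj) in self.pa[r]
                   for r in self.authorized_roles(active))


def build_sample():
    # constructed sample policy (not from the paper): manager inherits clerk
    r = RBAC()
    r.grant("clerk", "read", "ledger")
    r.grant("manager", "approve", "payment")
    r.add_inheritance("manager", "clerk")
    r.assign_user("alice", "manager")
    r.assign_user("bob", "clerk")
    return r
```

A user assigned only the senior role can still open a session with just the junior role, which is how sessions let an administrator enforce least privilege for routine work.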
Role-based access control is a form of IT policy used to restrict access to specific IT resources based on the roles each individual fulfills within the organization. I believe that RBAC is a step ahead in the development of more effective access policies. Standardization of RBAC elements could provide IT professionals and vendors with greater flexibility in RBAC policy decisions and help them to choose only the most important RBAC components for each specific resource. I think that RBAC has the potential to become a universal access policy, because it fits well in existing organizational security policies and standards. However, organizations must have a better awareness of what RBAC is, how it works, what benefits it offers, and how it will improve the efficiency of the limited organizational IT resources.
Cenys, A., Normantas, A. & Radvilavicius, L. (2009). Designing role-based access control policies with UML. Journal of Engineering Science and Technology Review, 2(1), 48-50.
Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, R.D. & Chandramouli, R. (2001). Proposed NIST standard for role-based access control. ACM Transactions on Information and System Security, 4(3), 224-274.
NIST. (1995). An introduction to role-based access control. NIST/ITL Bulletin, December. Retrieved from http://csrc.nist.gov/groups/SNS/rbac/documents/design_implementation/Intro_role_based_access.htm