Role-Based Access Control: A Book Review

Title: Role-Based Access Control
Authors: David F. Ferraiolo, D. Richard Kuhn and Ramaswamy Chandramouli
Publisher: Artech House
ISBN: 1580533701

The authors of Role-Based Access Control are security experts from the National Institute of Standards and Technology (NIST). Throughout the book, they explain role-based access control (RBAC), its different implementations and the related issues. The suitability of RBAC to a wide variety of applications, and the fact that it can reduce the complexity and cost of security administration in large networked environments, explain the many studies published lately on this subject.

Chapters 1 and 2 briefly present the fundamentals of access control. They are easy to read, and the concepts are illustrated through different examples. Although sometimes a little verbose, the chapters offer brief, well-organized and useful explanations of the different subjects that are necessary for understanding the remainder of the book.

Chapters 3, 4 and 5 explain the RBAC security model. The core features of RBAC, the inheritance relationship between roles and separation of duties are explained in detail. Rather than lengthy mathematical explanations, the authors illustrate the fundamental concepts with well-explained examples.

Chapter 6 details the relationship between RBAC and the MAC and DAC approaches to access control. Chapter 7 provides a high-level overview of NIST's proposed RBAC standard and summarizes the major components of APIs for RBAC systems that implement the standard. Not many details are provided, however, which decreases the usefulness of this chapter.

Chapter 8 delves into the tedious task of role-based administration by treating role administration simply as another application of RBAC.

Chapter 9 explains the different concepts behind an enterprise access control framework (EAF) and illustrates an approach for developing one. The chapter details how XML vocabularies, APIs and toolsets can be implemented when using RBAC as an enterprise access model, and how that model is then enforced throughout different applications within the enterprise. It gives a step-by-step example of how to implement the framework. Although professionals and students probably will find this chapter useful for developing a good understanding of possible solutions, I found it also to be useful for senior security professionals involved in decision-making at the enterprise level.

Chapter 10 discusses the research concepts and associated prototypes that have been developed to integrate RBAC model concepts into existing enterprise IT infrastructures. Even though the chapter concerns research activities, its focus is on practical issues, such as RBAC for UNIX environments and RBAC in Java.

Chapter 11 documents the experience of a real company in its transition from conventional access control methods to RBAC. This chapter gives real examples with the associated costs, as well as a detailed study of the benefits of migrating to RBAC.

Chapter 12 discusses the RBAC features found in two important classes of commercial software: relational DBMS products and enterprise security administration (ESA) products, also called system management software. The RBAC features of several commercial products are discussed.

Overall, this is a great book. The approach is neat and systematic, allowing a step-by-step comprehension and an increasing level of understanding of RBAC to develop throughout the reading of the book. The concepts are illustrated by many well-explained real-world examples. Perhaps this is why the book is easy to read and does not seem as dry and stiff as some other books written on the topic of information security.

Role-Based Access Control would be great reading for students who want to know more about security in general and RBAC in particular. The first chapters also are a good read for any student of information security.

In addition, the book should be useful for senior security professionals and enterprise decision makers who want a good understanding of the different models, their implementations and the related issues. Although some chapters are too high level, the book presents a good overview of all the issues involved in using and implementing RBAC in an enterprise.
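Chapters 3 to 5, as summarized above, cover the three mechanisms that distinguish RBAC from a flat permission table: role hierarchies with permission inheritance, static separation of duty (conflicting roles can never be assigned together) and dynamic separation of duty (conflicting roles may be assigned but not activated in the same session). The following is an added example, not code from the book, from NIST or from the reviewer, that implements those three mechanisms in a small Python engine. The hypothetical `RBAC` class is constructed for this illustration rather than being any library's API, and the invoice-processing roles, permissions and users are made up for the scenario.

```python
"""Minimal RBAC engine: role hierarchy, static and dynamic separation of duty.

Added illustration for this review; not code from the book, NIST or the
reviewer. All role, permission and user names below are constructed.
"""
from collections import defaultdict


class RBACViolation(Exception):
    """Raised when an assignment or activation would break a constraint."""


class RBAC:
    def __init__(self):
        self.permissions = defaultdict(set)  # role -> permissions granted directly
        self.juniors = defaultdict(set)      # senior role -> junior roles it inherits from
        self.assigned = defaultdict(set)     # user -> roles assigned by an administrator
        self.active = defaultdict(set)       # user -> roles activated in the current session
        self.ssd = []                        # (role set, n): a user may hold fewer than n
        self.dsd = []                        # (role set, n): a session may activate fewer than n

    def grant(self, role, *perms):
        self.permissions[role].update(perms)

    def add_inheritance(self, senior, junior):
        """senior acquires every permission of junior, transitively."""
        self.juniors[senior].add(junior)

    def authorized_roles(self, roles):
        """Transitive closure over the hierarchy: the roles plus all their juniors."""
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors[r])
        return seen

    def effective_permissions(self, roles):
        return set().union(*(self.permissions[r] for r in self.authorized_roles(roles)))

    def assign(self, user, role):
        """SSD is checked against authorized (inherited) roles, so a conflicting
        junior cannot be smuggled in through a senior role."""
        would_hold = self.authorized_roles(self.assigned[user] | {role})
        for role_set, n in self.ssd:
            if len(would_hold & role_set) >= n:
                raise RBACViolation(f"SSD: {user} may not hold {role} with {sorted(role_set)}")
        self.assigned[user].add(role)

    def activate(self, user, role):
        """DSD lets conflicting roles be assigned but never used in one session."""
        if role not in self.authorized_roles(self.assigned[user]):
            raise RBACViolation(f"{role} is not authorized for {user}")
        would_activate = self.active[user] | {role}
        for role_set, n in self.dsd:
            if len(would_activate & role_set) >= n:
                raise RBACViolation(f"DSD: {user} may not activate {role} in this session")
        self.active[user].add(role)

    def check_access(self, user, perm):
        """Decisions use the session's active roles, not everything assigned."""
        return perm in self.effective_permissions(self.active[user])


def build_demo():
    """Constructed invoice-processing scenario."""
    rbac = RBAC()
    rbac.grant("employee", "read_ledger")
    rbac.grant("clerk", "create_invoice")
    rbac.grant("approver", "approve_invoice")
    rbac.grant("auditor", "read_audit_log")
    rbac.add_inheritance("clerk", "employee")
    rbac.add_inheritance("approver", "employee")
    rbac.ssd.append(({"clerk", "approver"}, 2))  # nobody creates and approves invoices
    rbac.dsd.append(({"clerk", "auditor"}, 2))   # clerk and auditor never active together
    return rbac


def run_scenario():
    rbac, results = build_demo(), {}
    rbac.assign("alice", "clerk")
    try:
        rbac.assign("alice", "approver")
        results["alice_gets_approver"] = True
    except RBACViolation:
        results["alice_gets_approver"] = False
    rbac.assign("bob", "approver")
    rbac.activate("bob", "approver")
    results["bob_reads_ledger"] = rbac.check_access("bob", "read_ledger")  # inherited from employee
    results["bob_creates_invoice"] = rbac.check_access("bob", "create_invoice")
    rbac.assign("carol", "clerk")
    rbac.assign("carol", "auditor")  # permitted statically; restricted per session by DSD
    rbac.activate("carol", "auditor")
    try:
        rbac.activate("carol", "clerk")
        results["carol_both_active"] = True
    except RBACViolation:
        results["carol_both_active"] = False
    results["carol_creates_invoice"] = rbac.check_access("carol", "create_invoice")
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Two design points worth noting: the static check runs over the transitive closure of the hierarchy, because a senior role that inherits a conflicting junior would otherwise bypass the constraint, and access decisions consult only the roles activated in the session, which is what makes dynamic separation of duty enforceable at all.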

Comments
Seminal book by some of the founders of this space
Highly recommended for anyone that wants to understand role-based access control and role management. The so-called NIST RBAC remains the simplest and most general form of RBAC - big evidence to its ingenuity. Many "more sophisticated" models were offered, but none as effective.
We now need more work on how to effectively create robust role models for complex environments.