Role-Based Access Control: A Book Review

A good overview of implementing RBAC in the enterprise for students as well as corporate-level decision makers.

Title: Role-Based Access Control
Authors: David F. Ferraiolo, D. Richard Kuhn and Ramaswamy Chandramouli
Publisher: Artech House
ISBN: 1580533701

The authors of Role-Based Access Control are security experts from the National Institute of Standards and Technology (NIST). Throughout the book, they explain role-based access control (RBAC), its different implementations and the related issues. The suitability of RBAC to a wide variety of applications, and the fact that it can reduce the complexity and cost of security administration in large networked environments, explain the many studies published recently on this subject.

Chapters 1 and 2 briefly present the fundamentals of access control. They are easy to read, and the concepts are illustrated through different examples. Although sometimes a little verbose, the chapters offer brief, succinct and useful explanations of the different subjects that are necessary for understanding the remainder of the book.

Chapters 3, 4 and 5 explain the RBAC security model. The core features of RBAC, the inheritance relationship between roles and separation of duties are explained in detail. Rather than using lengthy mathematical explanations to illustrate the fundamental concepts, the authors offer well-explained examples.
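To make the three concepts named above concrete, here is an added example (not code from the book or from NIST) of a minimal RBAC engine in Python: users are assigned roles, roles carry permissions, a senior role inherits the permissions of its junior roles, and a static separation-of-duty constraint refuses any assignment that would let one user hold too many roles from a conflicting set. The role names, permissions and users are constructed for the illustration.

```python
from collections import defaultdict


class SeparationOfDutyError(Exception):
    """Raised when a role assignment would violate a static SoD constraint."""


class RBAC:
    """Core RBAC with a role hierarchy and static separation of duty (SSD)."""

    def __init__(self):
        self.role_perms = defaultdict(set)    # role -> permissions granted directly
        self.role_juniors = defaultdict(set)  # senior role -> junior roles it inherits
        self.user_roles = defaultdict(set)    # user -> roles assigned directly
        self.ssd_constraints = []             # list of (frozenset(roles), n)

    def add_permission(self, role, permission):
        self.role_perms[role].add(permission)

    def add_inheritance(self, senior, junior):
        """senior inherits every permission of junior (and of junior's juniors)."""
        # Refuse cycles: if junior already reaches senior, adding the edge would loop.
        if senior == junior or senior in self._closure({junior}):
            raise ValueError("role hierarchy must stay acyclic")
        self.role_juniors[senior].add(junior)

    def add_ssd(self, roles, n):
        """Static SoD: no user may be authorized for n or more roles from this set."""
        if n < 2 or n > len(roles):
            raise ValueError("n must satisfy 2 <= n <= len(roles)")
        self.ssd_constraints.append((frozenset(roles), n))

    def _closure(self, roles):
        """All roles reachable downward in the hierarchy from the given roles."""
        seen, stack = set(), list(roles)
        while stack:
            role = stack.pop()
            if role in seen:
                continue
            seen.add(role)
            stack.extend(self.role_juniors[role])
        return seen

    def authorized_roles(self, user):
        """Directly assigned roles plus everything inherited through the hierarchy."""
        return self._closure(self.user_roles[user])

    def assign(self, user, role):
        """Assign a role, but only if the resulting authorized set satisfies every SSD rule.

        The check runs over the inherited closure, so a senior role that pulls in a
        conflicting junior role is caught just like a direct assignment would be.
        """
        candidate = self._closure(self.user_roles[user] | {role})
        for roles, n in self.ssd_constraints:
            if len(candidate & roles) >= n:
                raise SeparationOfDutyError(
                    f"{user} would hold {sorted(candidate & roles)} from SSD set {sorted(roles)}")
        self.user_roles[user].add(role)

    def check(self, user, permission):
        """Access decision: does any authorized role of the user carry the permission?"""
        return any(permission in self.role_perms[r] for r in self.authorized_roles(user))


def build_demo():
    """Constructed purchase-order scenario (hypothetical roles and users)."""
    rbac = RBAC()
    rbac.add_permission("clerk", "submit_purchase_order")
    rbac.add_permission("approver", "approve_purchase_order")
    rbac.add_permission("manager", "view_reports")
    rbac.add_inheritance("manager", "approver")      # manager >= approver
    rbac.add_ssd({"clerk", "approver"}, 2)            # nobody both submits and approves
    rbac.assign("alice", "clerk")
    rbac.assign("bob", "manager")
    return rbac


def sod_violation_blocked(rbac):
    """True if giving alice the manager role (which inherits approver) is refused."""
    try:
        rbac.assign("alice", "manager")
    except SeparationOfDutyError:
        return True
    return False


if __name__ == "__main__":
    rbac = build_demo()
    print("bob approves:", rbac.check("bob", "approve_purchase_order"))   # True via inheritance
    print("alice approves:", rbac.check("alice", "approve_purchase_order"))  # False
    print("SoD blocked alice as manager:", sod_violation_blocked(rbac))  # True
```

The point worth noticing is in `assign`: the separation-of-duty check is evaluated over the inherited closure, not just the directly assigned roles. Without that, a hierarchy would quietly undo the constraint, since a user could be given a senior role that inherits the conflicting junior one.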

Chapter 6 details the relationship between RBAC and the MAC and DAC approaches to access control. Chapter 7 provides a high-level overview of NIST's proposed RBAC standard and summarizes the major components of the APIs for RBAC systems that implement it. Not many details are provided, however, which decreases the usefulness of this chapter.

Chapter 8 delves into the tedious task of role-based administration by treating role administration itself as simply another application of RBAC.

Chapter 9 explains the different concepts behind an enterprise access control framework (EAF), and an approach for developing an EAF is illustrated. The chapter details how XML vocabularies, APIs and toolsets can be used to implement RBAC as an enterprise access model and then enforce that model across the different applications within the enterprise. The chapter gives a step-by-step example of how to implement the framework. Although professionals and students will probably find this chapter useful for developing a good understanding of possible solutions, I also found it useful for senior security professionals involved in decision-making at the enterprise level.

Chapter 10 discusses the research concepts and associated prototypes that have been developed to integrate RBAC model concepts into existing enterprise IT infrastructures. Even though the chapter concerns research activities, the focus of the chapter is on practical issues, such as RBAC for UNIX environments and RBAC in Java.

Chapter 11 documents the experience of a real company in its transition from conventional access control methods to RBAC. This chapter gives real examples with costs associated, as well as a detailed study of the benefits of migrating to RBAC.

Chapter 12 discusses the RBAC features found in two important classes of commercial software: relational DBMS products and enterprise security administration (ESA) products, also called system management software. The RBAC features of several commercial products are discussed.

Overall, this is a great book. The approach is neat and systematic, allowing a step-by-step comprehension and an increasing level of understanding of RBAC to develop throughout the reading of the book. The concepts are illustrated by many well-explained, real-world examples. Perhaps this is why the book is easy to read and does not seem as dry and stiff as some other books written on the topic of information security.

Role-Based Access Control would be great reading for students who want to know more about security in general and RBAC in particular. The first chapters also are a good read for any student of information security.

In addition, the book should be useful for senior security professionals and enterprise decision makers who want to have a good understanding of different models, their implementations and the related issues. Although some chapters are too high level, the book presents a good overview of all the issues involved in using and implementing RBAC in an enterprise.


Seminal book by some of the founders of this space


Highly recommended for anyone that wants to understand role-based access control and role management. The so-called NIST RBAC remains the simplest and most general form of RBAC - big evidence to its ingenuity. Many "more sophisticated" models were offered, but none as effective.

We now need more work on how to effectively create robust role models for complex environments.