Role-based access control (RBAC) is a technology that is attracting a great deal of attention, particularly for commercial applications, because of its potential for reducing the complexity and cost of security administration in large networked applications. Under RBAC, security administration is greatly simplified by using roles, hierarchies, and constraints to organize privileges. RBAC reduces costs within an organization, because it takes into account that employees change much more frequently than the duties within positions. Under RBAC, if, for example, an employee moves within an organization, only his or her role assignment is changed. Accordingly, it is unnecessary to revoke his or her existing privileges and assign a completely new set of privileges. RBAC can be configured to support a wide variety of access control policies, including traditional discretionary access control (DAC) and mandatory access control (MAC), as well as organization-specific policies. Recently, RBAC has also been found to be a natural access control facility for workflow management systems. The concept and design of RBAC make it perfectly suited to a wide variety of application and system software environments, for both stand-alone and distributed deployments. It provides a safe and effective way to manage access to an organization’s information, while reducing administration costs and minimizing errors.
Over the past decade, interest in RBAC has increased dramatically, with most major information technology (IT) vendors offering a product that incorporates some form of role-based access. The profusion of new RBAC products offers many advantages for security administrators and software developers, but sorting out the capabilities of different products can be challenging. Until now, RBAC research has been documented in hundreds of research papers, but not consolidated in book form. This book explains RBAC, its administrative and cost advantages, its implementation issues, and the migration from conventional access control methods to RBAC.
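The roles, hierarchies, and constraints described above can be seen in a small model. This is an added example, not code from the book: the `RBAC` class, the role names, the permission strings and the user are all constructed for illustration. It shows an inherited permission, a static separation-of-duty constraint, and a job change handled by swapping a single role assignment.

```python
# Added illustration: a minimal RBAC model (all names here are constructed).
class RBAC:
    def __init__(self):
        self.perms, self.juniors = {}, {}  # role -> direct permissions / inherited junior roles
        self.ssd = []        # static separation of duty: sets of mutually exclusive roles
        self.assigned = {}   # user -> set of roles

    def add_role(self, role, perms=(), inherits=()):
        self.perms[role], self.juniors[role] = set(perms), set(inherits)

    def _closure(self, roles):
        # Roles effectively held: assigned roles plus everything inherited from them.
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors[r])
        return seen

    def assign(self, user, role):
        held = self._closure(self.assigned.get(user, set()) | {role})
        for excl in self.ssd:
            if len(excl & held) > 1:
                raise PermissionError(f"SSD violation: {sorted(excl & held)}")
        self.assigned.setdefault(user, set()).add(role)

    def move(self, user, old_role, new_role):
        # Job change: swap one role assignment; no individual privilege is touched.
        self.assigned[user].remove(old_role)
        try:
            self.assign(user, new_role)
        except PermissionError:
            self.assigned[user].add(old_role)  # rejected: keep the previous role
            raise

    def check(self, user, perm):
        roles = self._closure(self.assigned.get(user, set()))
        return any(perm in self.perms[r] for r in roles)

def build_example():
    rbac = RBAC()
    rbac.add_role("clerk", {"invoice:read"})
    rbac.add_role("accountant", {"invoice:create"}, inherits={"clerk"})
    rbac.add_role("approver", {"invoice:approve"}, inherits={"clerk"})
    rbac.ssd.append(frozenset({"accountant", "approver"}))  # cannot create and approve
    rbac.assign("alice", "accountant")
    return rbac
```

Calling `move("alice", "accountant", "approver")` on the returned object replaces the create permission with the approve permission in one step, while a direct `assign("alice", "approver")` is rejected by the constraint.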