
I am familiar with the concept of role-based access control but have heard the terms RBAC0 etc. being thrown around. What do these really mean? I found this quote on a NIST website:

In 1996, Sandhu, Coyne, Feinstein, and Youman introduced a framework for RBAC models that incorporated the RBAC features described above in a modular arrangement. RBAC0 was defined as the base model, defined through users, roles, and permissions. RBAC1 includes RBAC0 but incorporates hierarchies as a partial order relationship between roles. RBAC2 also incorporates RBAC0, but adds constraints. RBAC1 and RBAC2 are independent of each other, in that a system may implement one without the other. RBAC3 is a fully-featured RBAC model, incorporating RBAC0, RBAC1, and RBAC2. RBAC3 is essentially equivalent to the 1992 Ferraiolo and Kuhn model with the exception that RBAC3 allows a partial order hierarchy while the Ferraiolo-Kuhn model defines the hierarchy as a rooted tree. In object-oriented terms, the 1996 SCFY model can be thought of as incorporating multiple inheritance while Ferraiolo-Kuhn uses single inheritance.

But these definitions are a bit confusing and sound close to technobabble.

What really is the significance of these levels? Do they hold value in the industry, or is it just CISSP babble? Is it common for systems to only achieve certain RBAC levels?

jtpereyda

1 Answer

These are 'levels' for the NIST RBAC Model, as described in: The NIST Model for Role-Based Access Control: Towards a Unified Standard (pdf).

They respectively refer to:

  • Flat RBAC
  • Hierarchical RBAC
  • Constrained RBAC
  • Symmetric RBAC

Flat RBAC means just the base RBAC model. The NIST Model requires that the roles assigned to a user can be determined, as well as users assigned to a specific role (called user-role review).

Hierarchical RBAC means that the roles are organised into a hierarchical structure (DAG or Tree), where 'higher' roles inherit all permissions from connected 'lower' roles. Hierarchical RBAC is further subdivided into General and Restricted Hierarchical RBAC.

Constrained RBAC adds the enforcement of separation of duties (SoD) to roles. SoD in the NIST RBAC Model can be either static or dynamic.

Symmetric RBAC adds a requirement for permission-role review, similar to the user-role review as described for Flat RBAC.


These 'levels' are of interest to the industry as points of reference. They make comparing implementations easier, and they provide a good baseline if you want to prove that your implementation provides the safety/security that is promised by the theoretical model.

In practice however, many access-control implementations call themselves Role-Based, but do not adhere to the (NIST) RBAC model (at all). The ones that do implement the (NIST) RBAC model often implement Flat and Symmetric, but skip the Hierarchical and/or the SoD Constraints, because they are (a lot) harder to implement.

Umpa
Jacco
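The four levels from the answer, written out as an added example (this is not code from the answer, the NIST paper or any product): flat assignment with user-role review, a role-hierarchy DAG with transitive inheritance, a static SoD constraint, and permission-role review. Role, user and permission names are constructed for the demo; note that the SoD check runs over inherited roles, since a senior role can pull in a conflicting junior role.

```python
class RBAC:
    def __init__(self):
        self.role_perms = {}  # role -> permissions granted directly to it
        self.juniors = {}     # role -> junior roles it inherits from (DAG edges)
        self.user_roles = {}  # user -> directly assigned roles
        self.ssod = []        # static SoD rules: (role set, max a user may hold)

    def add_role(self, role, perms=(), inherits=()):
        self.role_perms[role] = set(perms)
        self.juniors[role] = set(inherits)
    def add_ssod(self, roles, limit=1):
        self.ssod.append((frozenset(roles), limit))
    # Hierarchical RBAC: a role plus every role below it, transitively (DAG walk)
    def effective_roles(self, role):
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors.get(r, ()))
        return seen

    def authorized_roles(self, roles):
        return set().union(*(self.effective_roles(r) for r in roles))
    def role_permissions(self, role):
        return set().union(*(self.role_perms.get(r, ()) for r in self.effective_roles(role)))
    # Constrained RBAC: static SoD must be checked on inherited roles, not just direct ones
    def ssod_violation(self, user, role):
        held = self.authorized_roles(self.user_roles.get(user, set()) | {role})
        return next((g for g, limit in self.ssod if len(held & g) > limit), None)
    def assign(self, user, role):
        if (group := self.ssod_violation(user, role)) is not None:
            raise ValueError(f"SSoD: {user} would hold too many of {sorted(group)}")
        self.user_roles.setdefault(user, set()).add(role)
    def permissions(self, user):
        return set().union(*(self.role_perms.get(r, ()) for r in self.user_role_review(user)))
    def user_role_review(self, user):  # Flat RBAC: which roles does a user hold?
        return self.authorized_roles(self.user_roles.get(user, ()))
    def permission_role_review(self, perm):  # Symmetric RBAC: which roles grant a permission?
        return {r for r in self.role_perms if perm in self.role_permissions(r)}

def build_demo():
    m = RBAC()  # constructed sample: a small finance department (hypothetical names)
    m.add_role("employee", {"read:handbook"})
    m.add_role("accounts_payable", {"create:invoice"}, inherits={"employee"})
    m.add_role("auditor", {"read:ledger"}, inherits={"employee"})
    m.add_role("finance_lead", {"approve:invoice"}, inherits={"accounts_payable"})
    m.add_ssod({"accounts_payable", "auditor"})  # nobody both creates and audits invoices
    m.assign("alice", "finance_lead")
    return m
```

With this model, assigning "auditor" to alice is refused even though she only holds "finance_lead" directly, because that role inherits "accounts_payable".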