Role Based Access Control is a method of access controls where principals get access to resources through membership of permitted roles.
Questions tagged [rbac]
54 questions
74
votes
1 answer
What is the difference between RBAC and DAC/ACL?
What are the benefits of each, and when should I choose one over the other? Are there situations where these should be merged?
Do you have examples of common usages?
And what about MAC, where does that fit in?
AviD
- 72,138
- 22
- 136
- 218
40
votes
2 answers
Role Based Authorization vs. Claim Based Authorization
What is the difference between "role based authorization" and "claim based authorization"? Under which circumstances would it be appropriate to implement each of these authorization models?
user960567
- 2,461
- 4
- 16
- 16
25
votes
4 answers
Role Based Access Control + Data Ownership based permissions
Is there a common system or pattern that combines the permissions given by a role in a RBAC-system with permissions in relation to data ownership?
For example:
Bob is a doctor and has the role with the privilege 'view patient details'
but only…
Jacco
- 7,402
- 4
- 32
- 53
18
votes
2 answers
MAC vs DAC vs RBAC
Someone can suggest me a real situation in which is better to use MAC (Mandatory Access Control) instead of DAC (Discretionary Access Control) or RBAC (Role Based Access Control)? And in which DAC is better than the others? And in which RBAC is the…
mcfan
- 643
- 2
- 6
- 7
13
votes
1 answer
Separating "function" from "scope" in RBAC
I'm trying to formulate an RBAC permission model which allows separation between permissions and the scopes on which those permissions are applied. I have been unable to find a standard model which describes this.
Here's an example:
A Permission…
metacubed
- 231
- 1
- 5
13
votes
2 answers
Best practices for implementation of role-based access control in healthcare applications
Amongst the open source EMRs, which ones may be good to learn from? Any references I can go to as a starting point?
Ming K
- 243
- 2
- 8
11
votes
4 answers
RBAC model: user in two roles access dilemma
I am implementing the Role-Based Access Control (RBAC) model security system and I have a dilemma: one User1 is in Role1 and is in Role2. Role1 allows access to the Resource1 and Role2 denies access to the same one. It is a well known problem. Could…
garik
- 1,222
- 15
- 24
9
votes
1 answer
What datastructure would/have you used to store ACLs within a hybrid ACL/RBAC system?
In our system, every resource has an access control list (ACLs), which list entries (ACEs) that have a specific kind of access to that resource. The ACE can be for end-entities (eg: users like "Mr Q") or group entities (eg: "North Atlantic"); the…
Cat Nap
- 101
- 3
8
votes
1 answer
What is the difference between claims, attributes, and roles?
Many questions have already been asked about Claims-based authentication and the differences with other approaches:
Role-based vs Claims-based
Explain claims-based authentication
Now, my favorite answer is one given on stackoverflow: Using…
Michael
- 5,393
- 2
- 32
- 57
6
votes
4 answers
encryption vs access control comparison
I have a very basic and simple question about two security concepts.
Both encryption and access control are used for privacy and to prevent unauthorized users from accessing some object (eg. files, processes, etc.).
What is the difference in…
b24
- 161
- 1
- 3
6
votes
1 answer
Is it correct to consider Task Based Access Control as a type of RBAC?
I'm studying for CISSP certification and one of the video lectures I viewed (CBT Nuggets) really confused me. Here are some excerpts from the lecture:
"Role Based Access Control doesn't
always use the role for the basis for
how it's going to…
Mike B
- 3,336
- 4
- 29
- 39
6
votes
3 answers
Security Architecture - Settings to drive UI and Privileges (Rights) - Role-Based, per User-Account
How do large companies implement their security requirements which are centralized and used to drive things people can do (allowed to call a certain web-service, submit an order, etc.) as well as to drive UI (disable buttons, menu options,…
Leon
- 163
- 4
6
votes
1 answer
RBAC0 RBAC1 RBAC2 RBAC3 -- What do they mean?
I am familiar with the concept of role-based access control but have heard the terms RBAC0 etc. being thrown around. What do these really mean? I found this quote on a NIST website:
In 1996, Sandhu, Coyne, Feinstein, and Youman introduced a…
jtpereyda
- 1,430
- 2
- 16
- 26
6
votes
3 answers
Role-Based Access Control Disadvantages
According to NIST, RBAC models are the most widely used schemes among enterprises of 500 or more. What happens if the size of the enterprises are much larger in number of individuals involved. In other words, what are the main disadvantages of RBAC…
user505
- 61
- 1
- 1
- 2
5
votes
3 answers
(custom software) Security rules on each record when using user-groups per application
I'm working with custom software here, so don't worry about Microsoft whatever, Open anything, or something else. Let’s stick to theory of how this should go together.
Let’s say I have a user system/database.
The database has a table of users, and…
Incognito
- 5,204
- 5
- 27
- 31