NIST: Role-Based Access Control PP
| Sponsor: | National Institute of Standards and Technology |
| Assurance Level: | EAL0+ |
| Status: | Evaluated |
The security of a computer system depends on how well it is managed. System
management involves many tedious tasks, which are often prone to error. The
repetition of such tasks multiplies the probability of mistakes, any one of which can
compromise security. In particular, the creation and deletion of users and their
associated authorization data are onerous tasks. Any tool or system administration
feature that would simplify or streamline these tasks would contribute greatly to
strengthening assurance in a system's security. Such a tool or feature would reduce
costs of operation as well.
At the same time, it is often the case that a user is granted more access to resources
than is needed because of limited control over the type of access that can be associated
with users and resources. Users may need to list directories and modify existing files,
for example, without creating new files, or they may need to append records to a file
without modifying existing records. Any increase in the flexibility of controlling access
to resources within a computer system also strengthens the application of the least
privilege principle, that users should only be granted the privileges needed for their
jobs.
Role-based access control is intended to improve both aspects of system management:
convenience and flexibility. More convenient management reduces the likelihood of
mistakes of commission and omission in granting privileges to users, and greater
access control flexibility reduces the need to grant too much access to too many users.
Role-based access control allows the system administrator to define roles based on job
functions within an organization. The administrator assigns privileges to those roles;
these privileges may be finely grained operations on organizational resources. Users are
granted membership in the roles based on their job responsibilities. As a user's job
responsibilities change, which may be frequent, the user's membership in roles can be
granted and revoked easily. As the organization itself inevitably changes, which is
generally less frequent, roles can be modified easily through role hierarchies. Role
hierarchies allow new roles to inherit most of their definition from existing roles. As
a job changes, privileges are changed for the individual roles, which are relatively few,
not for individual users, who may number in the hundreds or thousands.
Role-based access control can implement sophisticated security policies that are
difficult to implement otherwise. For example, separation of duties can be
implemented with role-based access control: routine administrative functions can be
limited to one role, and more powerful administrative functions can be reserved for an
entirely different role. This is of course impossible in systems with a pre-defined and
immutable superuser, where anyone who occasionally needs more privileges than are
granted to ordinary users must be given the highest level of privilege. Separation of
duties can be either automatically enforced or procedurally supported, depending on the
implementation. More advanced implementations also provide dynamic separation of
duties, in which a user may hold membership in two mutually exclusive roles but may
not have both active at the same time.
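The two preceding paragraphs describe the mechanisms of RBAC in prose: privileges attached to roles, users assigned to roles, role hierarchies that inherit privileges, and separation of duty enforced either statically (at assignment) or dynamically (at activation). The following is an added illustration, not code from the RBAC PP or from any evaluated product. It is a toy reference monitor in Python; the role names, objects and operations (clerk, auditor, ledger, append, ...) are constructed to mirror the examples in the text and are not taken from the profile.

```python
"""Toy RBAC reference monitor: roles, role hierarchy, user assignment, and
static (SSD) and dynamic (DSD) separation of duty.  Added illustration, not
code from the RBAC PP; all role, user and object names are made up."""
from __future__ import annotations

Permission = tuple[str, str]  # (operation, object), e.g. ("append", "ledger")


class SeparationOfDutyError(Exception):
    """An assignment or activation would put one person in two exclusive roles."""


class RBAC:
    def __init__(self) -> None:
        self.perms: dict[str, set[Permission]] = {}  # role -> directly granted permissions
        self.juniors: dict[str, set[str]] = {}       # role -> roles it inherits from
        self.members: dict[str, set[str]] = {}       # user -> roles assigned to that user
        self.ssd: list[set[str]] = []                # exclusive for assignment
        self.dsd: list[set[str]] = []                # exclusive for simultaneous activation

    def add_role(self, role: str, perms=(), inherits=()) -> None:
        unknown = set(inherits) - self.perms.keys()
        if unknown:
            raise KeyError(f"unknown junior role(s): {sorted(unknown)}")
        self.perms[role] = set(perms)
        self.juniors[role] = set(inherits)

    def authorized_roles(self, role: str) -> set[str]:
        """The role plus every role it inherits from, transitively (the hierarchy)."""
        seen, todo = set(), [role]
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                todo.extend(self.juniors[r])
        return seen

    def effective_perms(self, role: str) -> set[Permission]:
        return {p for r in self.authorized_roles(role) for p in self.perms[r]}

    def add_ssd(self, *roles: str) -> None:
        self.ssd.append(set(roles))

    def add_dsd(self, *roles: str) -> None:
        self.dsd.append(set(roles))

    def assign(self, user: str, role: str) -> None:
        """Grant membership; SSD is checked against the user's whole inherited role set."""
        if role not in self.perms:
            raise KeyError(f"unknown role {role!r}")
        held = {r for m in self.members.get(user, set()) | {role} for r in self.authorized_roles(m)}
        for exclusive in self.ssd:
            if len(held & exclusive) > 1:
                raise SeparationOfDutyError(f"{user}: {sorted(held & exclusive)} are statically exclusive")
        self.members.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self.members.get(user, set()).discard(role)

    def open_session(self, user: str, roles) -> set[str]:
        """Activate a subset of the user's roles; returns the active set including inherited roles.
        DSD lets a user hold both exclusive roles but never activate both in one session."""
        roles = set(roles)
        missing = roles - self.members.get(user, set())
        if missing:
            raise PermissionError(f"{user} is not a member of {sorted(missing)}")
        active = {r for m in roles for r in self.authorized_roles(m)}
        for exclusive in self.dsd:
            if len(active & exclusive) > 1:
                raise SeparationOfDutyError(f"{user}: {sorted(active & exclusive)} cannot be active together")
        return active

    def check(self, active: set[str], operation: str, obj: str) -> bool:
        """Access decision: is (operation, obj) granted to any active role?"""
        return any((operation, obj) in self.perms[r] for r in active)


def build_example() -> RBAC:
    """Constructed policy with hypothetical roles and objects mirroring the text above."""
    rbac = RBAC()
    rbac.add_role("employee", {("read", "handbook")})
    rbac.add_role("clerk", {("append", "ledger")}, inherits=["employee"])          # append, not modify
    rbac.add_role("auditor", {("read", "ledger")}, inherits=["employee"])
    rbac.add_role("operator", {("backup", "ledger")}, inherits=["employee"])       # routine admin
    rbac.add_role("security_admin", {("modify", "roles")}, inherits=["employee"])  # powerful admin
    rbac.add_ssd("operator", "security_admin")  # static SoD: never the same person
    rbac.add_dsd("clerk", "auditor")            # dynamic SoD: same person, never the same session
    rbac.assign("alice", "clerk")
    rbac.assign("alice", "auditor")
    rbac.assign("bob", "operator")
    return rbac


def raises(exc, fn, *args) -> bool:
    try:
        fn(*args)
        return False
    except exc:
        return True


def demo() -> dict:
    rbac, out = build_example(), {}
    out["ssd_blocked"] = raises(SeparationOfDutyError, rbac.assign, "bob", "security_admin")
    out["dsd_blocked"] = raises(SeparationOfDutyError, rbac.open_session, "alice", ["clerk", "auditor"])
    active = rbac.open_session("alice", ["clerk"])
    out["append_ledger"] = rbac.check(active, "append", "ledger")
    out["modify_ledger"] = rbac.check(active, "modify", "ledger")
    out["read_handbook"] = rbac.check(active, "read", "handbook")   # inherited from employee
    rbac.revoke("alice", "clerk")                                   # job change: one edit, not per-object ACLs
    out["revoked_blocked"] = raises(PermissionError, rbac.open_session, "alice", ["clerk"])
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points carry over to real systems. The SSD check is evaluated over the user's full inherited role set, not just the roles named directly, since a role hierarchy would otherwise let an exclusive pair be smuggled in through a senior role. The access decision takes the session's active role set rather than the user, which is what makes dynamic separation of duty enforceable: the same person can legitimately be both clerk and auditor, but the monitor never sees both at once.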
The Role-Based Access Control Protection Profile (PP) is meant to define a minimal
set of requirements. More advanced functionality can be specified in the security target
(ST). Meeting the requirements in this protection profile would significantly enhance
the security of many operating systems, database management systems, systems
management tools, and other applications.
The RBAC PP uses the Common Criteria (CC) requirement components to model
role-based access control as described in the CS3 profile from the Federal Criteria
(FC). Unlike the FC CS3 profile, the CC RBAC PP specifies a minimal set of security
functions and assurances for general purpose multi-user operating systems, database
management systems, systems management tools, and other applications in sensitive
environments. The CC RBAC PP is intended for environments in which access to
programs, transactions, and information can be restricted according to the assigned
organizational role(s) of users for the purpose of convenient and flexible
administration.
RBAC compliant products are expected to be used in sensitive commercial and
governmental environments.