RABAC: Role-Centric Attribute-Based Access Control

  • Xin Jin
  • Ravi Sandhu
  • Ram Krishnan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7531)


Role-based access control (RBAC) is a commercially dominant model, standardized by the National Institute of Standards and Technology (NIST). Although RBAC provides compelling benefits for security management it has several known deficiencies such as role explosion, wherein multiple closely related roles are required (e.g., attending-doctor role is separately defined for each patient). Numerous extensions to RBAC have been proposed to overcome these shortcomings. Recently NIST announced an initiative to unify and standardize these extensions by integrating roles with attributes, and identified three approaches: use attributes to dynamically assign users to roles, treat roles as just another attribute, and constrain the permissions of a role via attributes. The first two approaches have been previously studied. This paper presents a formal model for the third approach for the first time in the literature. We propose the novel role-centric attribute-based access control (RABAC) model which extends the NIST RBAC model with permission filtering policies. Unlike prior proposals addressing the role-explosion problem, RABAC does not fundamentally modify the role concept and integrates seamlessly with the NIST RBAC model. We also define an XACML profile for RABAC based on the existing XACML profile for RBAC.


NIST-RBAC attribute XACML access control 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    OASIS, Extensible access control markup language (XACML), v2.0 (2005).Google Scholar
  2. 2.
    Sun’s XACML implementation,
  3. 3.
    Abdallah, A.E., Khayat, E.J.: A Formal Model for Parameterized Role-Based Access Control. In: Formal Aspects in Security and Trust (2004)Google Scholar
  4. 4.
    Al-Kahtani, M.A., Sandhu, R.: A model for attribute-based user-role assignment. In: ACSAC (2002)Google Scholar
  5. 5.
    Anderson, A.: XACML profile for role based access control (RBAC). Technical Report Draft 1, OASIS (February 2004)Google Scholar
  6. 6.
    Bao, Y., Song, J., Wang, D., Shen, D., Yu, G.: A Role and Context Based Access Control Model with UML. In: ICYCS (2008)Google Scholar
  7. 7.
    Chadwick, D.W., Otenko, A., Ball, E.: Implementing Role Based Access Controls Using X.509 Attribute Certificates. IEEE Internet Computing (2003)Google Scholar
  8. 8.
    Chakraborty, S., Ray, I.: TrustBAC: integrating trust relationships into the RBAC model for access control in open systems. In: SACMAT (2006)Google Scholar
  9. 9.
    Cirio, L., Cruz, I.F., Tamassia, R.: A Role and Attribute Based Access Control System Using Semantic Web Technologies. In: Meersman, R., Tari, Z. (eds.) OTM-WS 2007, Part II. LNCS, vol. 4806, pp. 1256–1266. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  10. 10.
    Covington, M.J., Long, W., Srinivasan, S., Dev, A.K., Ahamad, M., Abowd, G.D.: Securing context-aware applications using environment roles. In: SACMAT (2001)Google Scholar
  11. 11.
    Covington, M.J., Sastry, M.R.: A Contextual Attribute-Based Access Control Model. In: Meersman, R., Tari, Z., Herrero, P. (eds.) OTM 2006 Workshops. LNCS, vol. 4278, pp. 1996–2006. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  12. 12.
    Ferraiolo, D.F., Sandhu, R., Gavrila, S., Richard Kuhn, D., Chandramouli, R.: Proposed NIST standard for role-based access control. ACM Trans. on Infor. and Sys. Sec. (2001)Google Scholar
  13. 13.
    Fischer, J., Marino, D., Majumdar, R., Millstein, T.: Fine-Grained Access Control with Object-Sensitive Roles. In: Drossopoulou, S. (ed.) ECOOP 2009. LNCS, vol. 5653, pp. 173–194. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  14. 14.
    Fong, P.W.L.: Relationship-based access control: protection model and policy language. In: CODASPY (2011) Google Scholar
  15. 15.
    Fuchs, L., Pernul, G., Sandhu, R.S.: Roles in information security-A survey and classification of the research area. Computers & Security (2011)Google Scholar
  16. 16.
    Gallagher, M.P., O’Connor, A.C., Kropp, B.: The economic impact of role-based access control. In: Planning report 02-1, NIST, (March 2002)Google Scholar
  17. 17.
    Ge, M., Osborn, S.L.: A design for parameterized roles. In: DBSec (2004)Google Scholar
  18. 18.
    Giuri, L., Iglio, P.: Role templates for content-based access control. In: Proc. of the Second ACM Workshop on RBAC. ACM (1997)Google Scholar
  19. 19.
    Huang, J., Nicol, D., Bobba, R., Huh, J.H.: A Framework Integrating Attribute-based Policies into RBAC. In: SACMAT (2012)Google Scholar
  20. 20.
    Jin, X., Krishnan, R., Sandhu, R.: A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC. In: DBSec (2012)Google Scholar
  21. 21.
    Kalam, A.A.E., Benferhat, S., Miege, A., Baida, R.E., Cuppens, F., Saurel, C., Balbiani, P., Deswarte, Y., Trouessin, G.: Organization based access control. In: POLICY (2003)Google Scholar
  22. 22.
    Karp, A.H., Haury, H., Davis, M.H.: From ABAC to ZBAC: the evolution of access control models, In: Tech. Report, HP Labs (2009)Google Scholar
  23. 23.
    Richard Kuhn, D., Coyne, E.J., Weil, T.R.: Adding Attributes to Role-Based Access Control. IEEE Computer 43(6), 79–81 (2010)CrossRefGoogle Scholar
  24. 24.
    Kumar, A., Karnik, N., Chafle, G.: Context sensitivity in role-based access control. SIGOPS Oper. Syst. Rev. 36(3), 53–66 (2002)CrossRefGoogle Scholar
  25. 25.
    Sandhu, R., Bhamidipati, V., Munawer, Q.: The ARBAC97 model for role-based administration of roles. ACM Trans. on Info. and Sys. Sec. (1999)Google Scholar
  26. 26.
    Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. IEEE Computer 29(2), 38–47 (1996)CrossRefGoogle Scholar
  27. 27.
    Xu, M., Wijesekera, D., Zhang, X., Cooray, D.: Towards Session-Aware RBAC Administration and Enforcement with XACML. In: POLICY (2009)Google Scholar
  28. 28.
    Yong, J., Bertino, E., Toleman, M., Roberts, D.: Extended RBAC with role attributes. In: 10th Pacific Asia Conf. on Info. Sys. (2006)Google Scholar
  29. 29.
    Zhang, Z., Zhang, X., Sandhu, R.: ROBAC: Scalable role and organization based access control models. In: IEEE TrustCol (2006)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Xin Jin
    • 1
  • Ravi Sandhu
    • 1
  • Ram Krishnan
    • 2
  1. 1.Institute for Cyber Security & Department of Computer ScienceUniversity of Texas at San AntonioUSA
  2. 2.Institute for Cyber Security & Dept. of Elect. and Computer Engg.University of Texas at San AntonioUSA

Personalised recommendations