Role Based Access Control

from Wikipedia, the free encyclopedia

Role Based Access Control ( RBAC ; German: Role-based access control ) in multi-user systems or computer networks a method and a design pattern to control access and control to files or services. The RBAC model was described by DF Ferraiolo and DR Kuhn in 1992 and approved in 2004 as ANSI standard 359-2004.

The alternative method of giving a real user direct rights and access to various systems turned out to be confusing and therefore prone to errors due to the increasing number of users. The concept based on user roles is now intended to abstract the rights based on work processes.

RBAC model

With role-based access control, roles are assigned to the users of the computer or network . Users can have several user roles . For example, 1 to n group memberships are linked to a role. Depending on the role assignment of the user (and the associated group membership), the system then grants or blocks access to resources . The reading, writing and execution of files are often controlled by means of RBAC; however, the method is not limited to this.

A group is therefore not necessarily to be equated with a role. The reason for this is that the subdivision of the users depends on the role in which they are accessing the computer, i.e. in which tasks they perform. The English word "Role" is used in IT-related German for webmasters , postmasters , newsmasters , network administrators , system administrators and the like and is intended to make it clear that it is not necessarily different people, but that, for example, one and the same person updates web pages once in the role of webmaster , then in the role of postmaster reading complaints about his open mail relay and next in the role of system administrator installing software. Depending on the role, different access authorizations may be necessary for exercising this function, which also require the assignment of a user to more than one group.

Because of the three-level structure in users, roles and groups, it is possible to control access rights of a user via a role assignment and associated group assignments.

Identity management systems (IDM) are usually implemented to manage these assignments . These allow users to be assigned to 1 to n groups in 1 to n computer systems only by being linked to at least one role. One of the prerequisites for this is the creation of a uniform user role concept. These systems also make it possible to ensure conformity with IT security requirements. For this purpose, the group membership (s) of a user in 1 to n computer systems can be compared with the role definitions in the rules of the IDM system at configurable time intervals. The IDM system can then correct this deviation (non-compliance) if necessary and thus ensure access consistency.


Using RBAC to manage user rights is widely recognized as best practice. This type of access control has been implemented in various systems. Systems such as Microsoft Active Directory , Microsoft SQL Server , SELinux , grsecurity , FreeBSD , Solaris , Oracle RDBMS , PostgreSQL 8.1 , SAP R / 3 , FusionForge and many others use a variant of the RBAC model.

See also

Web links


  1. DF Ferraiolo, DR Kuhn: Role Based Access Control. (PDF; 62 kB) 15th National Computer Security Conference, 1992, accessed on March 13, 2008 .
  2. Roles are not groupsMike Wiesner | Mike Wiesner. June 27, 2017. Retrieved February 7, 2018 .