http://csrc.nist.gov/rbac/ proposes a "voluntary consensus
standard for role based access control", available at
http://csrc.nist.gov/rbac/rbac-std-ncits.pdf
Have you considered building on the OASIS eXtensible Access
Control Markup Language (XACML)? This was approved as an OASIS
Standard in February of 2003; there are two Open Source
implementations available, and it is receiving generally good
acceptance by the industry. For more information, see
http://www.oasis-open.org/committees/xacml
XACML supports the Core RBAC role and permission models quite
well: multiple roles per user, multiple users per role, multiple
permissions per role, multiple roles per permission, and
simultaneous exercise of permissions of multiple roles. XACML
does not specify the mechanisms for how role attributes are
assigned to users, but supports all the above models. NIST might
find it advantageous to develop Core RBAC as a profile of XACML,
rather than trying to create yet another language.
XACML can also support Hierarchical RBAC ("junior" roles acquire
the user membership of their "senior" roles, and "senior" roles
acquire the permissions of their "juniors") using XACML's
mechanism for including one set of policies inside another by
reference. NIST again might find it advantageous to profile
XACML to support Hierarchical RBAC.
I will ask the XACML Co-Chairs, Carlisle Adams (Entrust) and Hal
Lockhart (BEA), to see if we can set up a joint conference call
to discuss ways of working together. Meanwhile, I expect several
XACML members will be reviewing the proposed NIST standard
closely to determine whether there are specific requirements that
XACML is not currently able to handle.
Yours truly,
Anne Anderson
--
Anne H. Anderson
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311
Burlington, MA 01803-0902 USA
Email: Anne.Anderson@Sun.COM
Tel: 781/442-0928
Fax: 781/442-1692
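The two points the message makes, Core RBAC (roles carrying permissions, subjects carrying roles) and Hierarchical RBAC via inclusion of one policy set inside another by reference, as a constructed XACML 1.0 example. This is added here as an illustration; it is not part of Anne Anderson's message and not an OASIS deliverable. The PolicySetId values, the resource and action names, and the subject role AttributeId `urn:example:rbac:subject:role` are assumptions (XACML does not say how or under which attribute a role is assigned to a user). Three PolicySet documents are shown one after another; a deployment would store each as a separate entry in the policy repository, with a root PolicySet that references the Role PolicySet of every role.

```xml
<!-- 1. Permission PolicySet for the junior role "employee" (constructed example).
     Its Target matches any subject: permission sets never test roles, so that a
     senior role can pull them in by reference without re-checking the subject. -->
<PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy"
    PolicySetId="urn:example:rbac:pps:employee"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
  <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources><Actions><AnyAction/></Actions></Target>
  <Policy PolicyId="urn:example:rbac:policy:employee"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources><Actions><AnyAction/></Actions></Target>
    <!-- permission: action "read" on resource "expense-report" (names are assumptions) -->
    <Rule RuleId="urn:example:rbac:rule:employee-read" Effect="Permit">
      <Target>
        <Subjects><AnySubject/></Subjects>
        <Resources><Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">expense-report</AttributeValue>
            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource></Resources>
        <Actions><Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action></Actions>
      </Target>
    </Rule>
  </Policy>
</PolicySet>

<!-- 2. Permission PolicySet for the senior role "manager". It adds the "approve"
     permission and inherits everything an employee may do by referencing the
     employee Permission PolicySet (this is the hierarchy). -->
<PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy"
    PolicySetId="urn:example:rbac:pps:manager"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
  <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources><Actions><AnyAction/></Actions></Target>
  <Policy PolicyId="urn:example:rbac:policy:manager"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources><Actions><AnyAction/></Actions></Target>
    <!-- permission: action "approve" on resource "expense-report" -->
    <Rule RuleId="urn:example:rbac:rule:manager-approve" Effect="Permit">
      <Target>
        <Subjects><AnySubject/></Subjects>
        <Resources><Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">expense-report</AttributeValue>
            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource></Resources>
        <Actions><Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">approve</AttributeValue>
            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action></Actions>
      </Target>
    </Rule>
  </Policy>
  <!-- senior role acquires the junior role's permissions by reference -->
  <PolicySetIdReference>urn:example:rbac:pps:employee</PolicySetIdReference>
</PolicySet>

<!-- 3. Role PolicySet for "manager": the only place the subject's role is tested.
     A request from a subject whose role attribute carries "manager" reaches the
     manager permissions, and through them the employee permissions. -->
<PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy"
    PolicySetId="urn:example:rbac:rps:manager"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
  <Target>
    <Subjects><Subject>
      <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</AttributeValue>
        <!-- the role AttributeId is an assumption; how the attribute is assigned to a user is outside XACML -->
        <SubjectAttributeDesignator AttributeId="urn:example:rbac:subject:role"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </SubjectMatch>
    </Subject></Subjects>
    <Resources><AnyResource/></Resources>
    <Actions><AnyAction/></Actions>
  </Target>
  <PolicySetIdReference>urn:example:rbac:pps:manager</PolicySetIdReference>
</PolicySet>
```

Two properties from the message fall out of this shape. Multiple roles per user: a subject whose role attribute carries several values (XACML attributes are bags) matches several Role PolicySets, and a permit-overrides root combines them, which is the "simultaneous exercise of permissions of multiple roles". Multiple roles per permission: any number of Permission PolicySets may reference the same Policy by PolicyIdReference. The check worth making in a real deployment is that no Permission PolicySet ever tests a subject attribute, otherwise the inherited permissions silently stop applying to the senior role's subjects, and that the Role PolicySet is the only entry point the PDP's root references, since a Permission PolicySet reachable directly would grant its permissions to everyone.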