OASIS eXtensible Access Control Markup Language (XACML) TC

Proposed standard for RBAC

  • 1.  Proposed standard for RBAC

    Posted 04-15-2003 14:30
    http://csrc.nist.gov/rbac/ proposes a "voluntary consensus
    standard for role based access control", available at
    http://csrc.nist.gov/rbac/rbac-std-ncits.pdf
    
    Have you considered building on the OASIS eXtensible Access
    Control Markup Language (XACML)?  This was approved as an OASIS
    Standard in February of 2003, there are two Open Source
    implementations available, and it is receiving generally good
    acceptance by the industry.  For more information, see
    http://www.oasis-open.org/committees/xacml
    
    XACML supports the Core RBAC role and permission models quite
    well: multiple roles per user, multiple users per role, multiple
    permissions per role, multiple roles per permission, and
    simultaneous exercise of permissions of multiple roles.  XACML
    does not specify the mechanisms for how role attributes are
    assigned to users, but supports all the above models.  NIST might
    find it advantageous to develop Core RBAC as a profile of XACML,
    rather than trying to create yet another language.
    
    XACML can also support Hierarchical RBAC ("junior" roles acquire
    the user membership of their "senior" roles, and "senior" roles
    acquire the permissions of their "juniors") using XACML's
    mechanism for including one set of policies inside another by
    reference.  NIST again might find it advantageous to profile
    XACML to support Hierarchical RBAC.
    
    I will ask the XACML Co-Chairs, Carlisle Adams (Entrust) and Hal
    Lockhart (BEA), to see if we can set up a joint conference call
    to discuss ways of working together.  Meanwhile, I expect several
    XACML members will be reviewing the proposed NIST standard
    closely to determine whether there are specific requirements that
    XACML is not currently able to handle.
    
    Yours truly,
    Anne Anderson
    -- 
    Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311     Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
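
The role models described in the message above, as an added example that is not part of the original post and is not XACML syntax: a simplified Python model in which each role's policy set includes its junior roles' policy sets by reference. All role, user and permission names are constructed, and the dictionary layout is an assumption made for illustration.

```python
# Simplified model of role policy sets that include junior roles by reference.
# Not XACML syntax; all role, user and permission names are constructed samples.
POLICY_SETS = {
    "employee": {"permissions": {("timesheet", "submit")}, "includes": []},
    "manager":  {"permissions": {("timesheet", "approve")}, "includes": ["employee"]},
    "director": {"permissions": {("budget", "sign")}, "includes": ["manager"]},
    "auditor":  {"permissions": {("ledger", "read")}, "includes": []},
}
USER_ROLES = {"alice": {"manager", "auditor"}, "bob": {"employee"}, "carol": {"director"}}


def effective_roles(role, sets=POLICY_SETS, _path=()):
    """Return the role plus every junior role reachable through references."""
    if role in _path:  # a reference loop would otherwise recurse forever
        raise ValueError("circular reference: " + " -> ".join(_path + (role,)))
    if role not in sets:  # fail closed on a dangling reference
        raise ValueError(f"unresolved reference: {role}")
    roles = {role}
    for junior in sets[role]["includes"]:
        roles |= effective_roles(junior, sets, _path + (role,))
    return roles


def permissions_of(role, sets=POLICY_SETS):
    """Senior roles acquire the permissions of their juniors."""
    return set().union(*(sets[r]["permissions"] for r in effective_roles(role, sets)))


def members_of(role, user_roles=USER_ROLES, sets=POLICY_SETS):
    """Junior roles acquire the user membership of their seniors."""
    return {user for user, assigned in user_roles.items()
            if any(role in effective_roles(r, sets) for r in assigned)}


def is_permitted(user, resource, action, user_roles=USER_ROLES, sets=POLICY_SETS):
    """Permit if any one of the user's roles grants the permission, else deny."""
    return any((resource, action) in permissions_of(r, sets)
               for r in user_roles.get(user, ()))


if __name__ == "__main__":
    print(is_permitted("alice", "timesheet", "submit"))
    print(sorted(members_of("employee")))
```

A reference loop or a dangling reference raises an error instead of silently granting or dropping permissions, so a malformed hierarchy cannot widen access.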