ANSI INCITS-359-2012 pdf download Role Based Access Control
1 S COPE
This standard consists of two main parts – the RBAC Reference Model and the RBAC System and Administrative Functional Specification.
The RBAC Reference Model defines sets of basic RBAC elements (i.e., users, roles, permissions, operations and objects) and relations as types and functions that are included in this standard. The RBAC reference model serves two purposes. First, the reference model defines the scope of RBAC features that are included in the standard. This identifies the minimum set of features included in all RBAC systems, aspects of role hierarchies, aspects of static constraint relations, and aspects of dynamic constraint relations. Second, the reference model provides a precise and consistent language, in terms of element sets and functions for use in defining the functional specification.
The RBAC System and Administrative Functional Specification specifies the features that are required of an RBAC system. These features fall into three categories, administrative operations, administrative reviews, and system level functionality. The administrative operations define functions in terms of an administrative interface and an associated set of semantics that provide the capability to create, delete and maintain RBAC elements and relations (e.g., to create and delete user role assignments). The administrative review features define functions in terms of an administrative interface and an associated set of semantics that provide the capability to perform query operations on RBAC elements and relations. System level functionality defines features for the creation of user sessions to include role activation/deactivation, the enforcement of constraints on role activation, and for calculation of an access decision. Annex A provides a functional specification overview. Informative Annex B provides a rationale for the major RBAC components defined in this document.
A companion to this standard describes the enhancement of RBAC constraints. The present standard recognizes only constraints that are local to an RBAC environment. These constraints deal only with separation of duty and cardinality. These constraints are evaluated within the local RBAC environment, as opposed to being provided from outside the local RBAC environment. The RBAC Policy-Enhanced (RPE) standard [RPE] also specifies constraints evaluated within the local environment. In addition, external constraints or the results of evaluating external constraints are imported into the environment. These constraints may change in real-time.