Fernandez et al., 2012

Report on the Survey of Role-Based Access Control (RBAC) in practice (Technical Report No. TR-CTIT-12-06)

Type

Report

Year

2012

Authors

Fernandez, N.C., Franqueira, V.N.L., Wieringa, R.

Identifiers

  • Technical Report No.: TR-CTIT-12-06

Abstract

Since the Role-Based Access Control (RBAC) model was first introduced, it evolved into probably the most discussed and researched access control model in academia [1]. In an earlier literature study, we collected: (a) a set of core features of the RBAC model, according to the ANSI/INCITS 359:2004 RBAC standard [2], (b) implicit assumptions, (c) a set of strengths, and (d) a set of phenomena which may limit these strengths in practice, therefore, representing possible weaknesses. This previous study revealed that RBAC can be used to control access to information in:

• support applications, with operating system specific roles,
• stand-alone business applications, with application-specific roles,
• enterprise-wide applications, with roles shared among several applications, and
• cross-enterprise applications, with roles shared among several organizations.

However, little is known about the extent these features, assumptions, strengths and phenomena are recognized by practitioners and important in practice. To acquire insights about these four elements and complement our initial set of strengths and phenomena, a survey was designed by the Information Systems Group from the University of Twente and Novay (http://www.novay.nl/) and launched online between June and July 2011.

(https://open-measure.atlassian.net/wiki/spaces/BIB/pages/112689232, p. 4)

Citation

Fernandez, N.C., Franqueira, V.N.L., Wieringa, R., 2012. Report on the Survey of Role-Based Access Control (RBAC) in practice (Technical Report No. TR-CTIT-12-06), CTIT Technical Report Series. Centre for Telematics and Information Technology, University of Twente, Enschede.




This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.