The ASCAA Principles for Next-Generation Role-Based Access Control
Abstract
Role-based access control (RBAC) received serious academic attention in the early 1990’s, although traces of the underlying concepts had been in ad hoc commercial practice since the 1970’s. Through the 1990’s and 2000’s RBAC achieved remarkable success, and today is widely practised as the preferred form of access control. Adoption of the 2004 NIST/ANSI Standard RBAC Model [1] marks a maturity of concept and practice. The essential roots of this standard go back to the RBAC96 model [2]. While numerous enhancements and extensions of RBAC96 and related models have been proposed, the core ideas introduced in RBAC96 have proved to be notably stable and robust. RBAC96 was based on four principles, viz. abstract privileges, separation of administrative functions, least privilege and separation of duties. Advances in RBAC require reconsideration of its founding principles. In this paper we offer five founding principles for next-generation access control including next-generation RBAC, summarized as ASCAA for Abstraction, Separation, Containment, Automation and Accountability. Abstraction (i.e., abstract privileges) and separation (i.e., separation of administrative functions) are essentially retained from RBAC96. A generalized principle called containment is introduced, to subsume least privilege, separation of duties and other constraints, as well as modern techniques such as usage and rate limits [3], [4]. Next, two new principles called automation and accountability are introduced. Automation covers automated acquisition of privileges as well as automated revocation. Traditional RBAC typically requires that user-role and permission-role assignment and revocation result from explicit actions of appropriately authorized administrators. Some aspects of automated user-role assignment [5], [6], [7] and user-role revocation [8] have been previously proposed.
We elevate the notion of automation to a full-blown principle and specifically propose self-assignment of roles as a new element. Automating assignment and revocation enables agile lightweight systems by eliminating repeated human intervention. Crucially, of course, we want to do this without compromising security. Accountability has recently received considerable attention driven by emerging requirements of secure information sharing and continued recognition of the insider threat. We offer the paradigm of adjustment as a means to achieve accountability. Adjustment acknowledges that not all authorized actions are the same. Sensitive operations require an enhanced level of auditing, notification or authentication. For example, it is commonplace for websites to require additional authentication and notification for sensitive operations such as change of address. While we believe these five ASCAA principles (Abstraction, Separation, Containment, Automation and Accountability) are relevant to access control systems in general, the discussion in this paper is limited to their application to RBAC.
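A toy policy engine showing how containment, automation and adjustment could interact in a single access check, added here as an illustration and not taken from the paper or its formal model. The `Role` fields, the `email_verified` self-assignment rule, the tick-based TTL and the `customer` policy are all hypothetical.

```python
from dataclasses import dataclass, field  # added illustration; all names are hypothetical

@dataclass
class Role:
    permissions: set                 # abstraction: users hold roles, roles carry permissions
    self_assign_if: object = None    # automation: rule over user attributes
    ttl: int = None                  # automation: ticks until automatic revocation
    max_uses: int = None             # containment: per-user usage limit
    sensitive: set = field(default_factory=set)  # accountability: ops needing adjustment

class Engine:
    def __init__(self, roles):
        self.roles, self.assigned, self.uses, self.audit = roles, {}, {}, []

    def self_assign(self, user, attrs, role, now):
        rule = self.roles[role].self_assign_if
        ok = rule is not None and bool(rule(attrs))
        if ok:
            self.assigned[(user, role)] = now
        self.audit.append((now, user, "self-assigned" if ok else "self-assign-denied", role))
        return ok

    def check(self, user, perm, now, step_up=False):
        reason = "deny: no role"
        for name, role in self.roles.items():
            since = self.assigned.get((user, name))
            if since is None or perm not in role.permissions:
                continue
            if role.ttl is not None and now - since >= role.ttl:
                self.assigned.pop((user, name))      # automated revocation, no admin action
                self.audit.append((now, user, "auto-revoked", name))
            elif role.max_uses is not None and self.uses.get((user, name), 0) >= role.max_uses:
                reason = "deny: usage limit"
            elif perm in role.sensitive and not step_up:
                reason = "step-up required"          # adjustment: authorized, but not enough yet
            else:
                self.uses[(user, name)] = self.uses.get((user, name), 0) + 1
                if perm in role.sensitive:
                    self.audit.append((now, user, "notify", perm))
                return "allow"
        return reason

def demo():  # constructed sample policy and requests
    eng = Engine({"customer": Role({"view", "change_address"}, lambda a: a.get("email_verified"),
                                   ttl=10, max_uses=3, sensitive={"change_address"})})
    steps = [("view", 1, False), ("change_address", 2, False), ("change_address", 3, True),
             ("view", 4, False), ("view", 5, False), ("view", 12, False)]
    joined = [eng.self_assign("eve", {}, "customer", 0),
              eng.self_assign("bob", {"email_verified": True}, "customer", 0)]
    return joined, [eng.check("bob", p, t, s) for p, t, s in steps], eng.audit
```

Every self-assignment attempt, sensitive operation and automatic revocation lands in `audit`, so removing the administrator from the assignment loop does not remove the record of who obtained which role and when.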
Similar resources
A semantic-aware role-based access control model for pervasive computing environments
Access control in open and dynamic Pervasive Computing Environments (PCEs) is a very complex mechanism and encompasses various new requirements. In fact, in such environments, context information should be used in access control decision process; however, it is not applicable to gather all context information completely and accurately all the time. Thus, a suitable access control model for PCEs...
Hybrid Quality of Service Architecture for Wireless/Mobile Environment
Provision of Quality of Service (QoS) guarantees for multimedia applications over IP networks is rapidly becoming a critical research and design issue, especially within the radio access segment of the next generation wireless/mobile environment. While the simple and scalable Differentiated Services (DiffServ) QoS control model is suitable for the core part of the network, more explicit, admiss...
Improving SIP Performance Under Overload Conditions Using a Window-Based Capability
The extent and diversity of systems provided by IP networks have made various technologies to approach integrating various types of access networks and converting to next generation network. The Session Initiation Protocol (SIP) with respect to facilities such as being in text form, end-to-end connection, independence from the type of transmitted data, and supporting various forms of transmissi...
Securing Event-Based Systems
This chapter examines techniques for securing various types of event-based systems. The first section discusses typical application requirements. The following section examines specific event dissemination approaches. Applying application-level security to event-based systems is introduced at first, along with an overview of Role-Based Access Control. Application-level security is a perimeter de...
A context-sensitive dynamic role-based access control model for pervasive computing environments
Resources and services are accessible in pervasive computing environments from anywhere and at any time. Also, due to ever-changing nature of such environments, the identity of users is unknown. However, users must be able to access the required resources based on their contexts. These and other similar complexities necessitate dynamic and context-aware access control models for such environmen...
Publication date: 2008