A Critique of the ANSI Standard on Role-Based Access Control


In 2004, the American National Standards Institute approved the Role-Based Access Control standard to fulfill "a need among government and industry purchasers of information technology products for a consistent and uniform definition of role based access control (RBAC) features". Such uniform definitions give IT product vendors and customers a common and unambiguous terminology for RBAC features, which can lead to wider adoption of RBAC and increased productivity. However, the current ANSI RBAC Standard has several limitations, design flaws, and technical errors that, if unaddressed, could lead to confusion among IT product vendors and customers and to RBAC implementations with different semantics, thus defeating the standard's purpose.


ANSI standards, access control, database systems, error correction, identity management systems, information technology, standardization, standards development, standards organizations, standards publication

Date of this Version



IEEE Security & Privacy, Nov.-Dec. 2007, Volume: 5, Issue: 6
page(s): 41-49