Role-based access control (RBAC) is a commercially dominant model, standardized by the National Institute of Standards and Technology (NIST). Although RBAC provides compelling benefits for security management it has several known deficiencies such as role explosion, wherein multiple closely related roles are required (e.g., attending-doctor role is separately defined for each patient). Numerous extensions to RBAC have been proposed to overcome these shortcomings. Recently NIST announced an initiative to unify and standardize these extensions by integrating roles with attributes, and identified three approaches: use attributes to dynamically assign users to roles, treat roles as just another attribute, and constrain the permissions of a role via attributes. The first two approaches have been previously studied. This paper presents a formal model for the third approach for the first time in the literature. We propose the novel role-centric attribute-based access control (RABAC) model which extends the NIST RBAC model with permission filtering policies. Unlike prior proposals addressing the role-explosion problem, RABAC does not fundamentally modify the role concept and integrates seamlessly with the NIST RBAC model. We also define an XACML profile for RABAC based on the existing XACML profile for RBAC.
Jin, X., Sandhu, R., & Krishnan, R. (2012). RABAC: Role-Centric Attribute-Based Access Control (pp. 84–96). https://doi.org/10.1007/978-3-642-33704-8_8
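
A minimal sketch of the third approach named in the abstract (constraining a role's permissions via attributes), added here as an illustration; it is not the paper's formal model or its XACML profile. All role names, attributes, records and the rule that a role without a filter behaves as plain RBAC are assumptions made for the example.

```python
# Added sketch: a single 'attending-doctor' role plus an attribute filter,
# instead of one role per patient. All names and data below are constructed.

ROLE_PERMS = {  # role -> set of (operation, object_type), as in plain RBAC
    "attending-doctor": {("read", "record"), ("write", "record")},
    "nurse": {("read", "record")},
}
USER_ROLES = {"alice": {"attending-doctor"}, "bob": {"nurse"}}
USER_ATTRS = {
    "alice": {"patients": {"p1", "p2"}, "ward": "A"},
    "bob": {"patients": set(), "ward": "A"},
}
OBJ_ATTRS = {
    "rec-p1": {"type": "record", "patient": "p1", "ward": "A"},
    "rec-p3": {"type": "record", "patient": "p3", "ward": "B"},
}

# Filter policies: role -> predicate(user_attrs, obj_attrs). A permission the
# role grants survives only for objects on which the predicate holds.
FILTERS = {
    "attending-doctor": lambda u, o: o["patient"] in u["patients"],
    "nurse": lambda u, o: o["ward"] == u["ward"],
}


def check_access(user, op, obj):
    """Allow only if some role grants (op, type) and that role's filter passes."""
    u, o = USER_ATTRS.get(user), OBJ_ATTRS.get(obj)
    if u is None or o is None:
        return False  # fail closed on unknown subjects or objects
    for role in USER_ROLES.get(user, ()):
        if (op, o["type"]) not in ROLE_PERMS.get(role, ()):
            continue  # the role itself does not grant this permission
        flt = FILTERS.get(role)
        # Assumption: a role with no filter keeps plain RBAC behaviour.
        if flt is None or flt(u, o):
            return True
    return False


def effective_permissions(user):
    """Return the (operation, object) pairs left to the user after filtering."""
    ops = {op for perms in ROLE_PERMS.values() for op, _ in perms}
    return {(op, obj) for op in ops for obj in OBJ_ATTRS
            if check_access(user, op, obj)}
```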