NOTICE: Due to a lapse in annual appropriations, most of this website is not being updated. Learn more.
Form submissions will still be accepted but will not receive responses at this time. Sections of this site for programs using non-appropriated funds (such as NVLAP) or those that are excepted from the shutdown (such as CHIPS and NVD) will continue to be updated.
An official website of the United States government
Here’s how you know
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Role Based Access Control (RBAC) refers to a class of security mechanisms that mediate access to resources through organizational identities called roles. A number of models have been published that formally describe the basic properties of RBAC. This report focuses on an RBAC model originally proposed by Ferraiolo and others at NIST, and formulates a revised model that fixes noted discrepancies, incorporates features from related models, and addresses new properties regarding role hierarchies. Possible future extensions to the revised model and the motivation for them are also discussed. Finally, a subset of the properties defined in the revised model is proposed as the criteria for determining whether an implementation should be classified as an RBAC system.
Jansen, W.
(1998),
A Revised Model for Role-Based Access Control, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.IR.6192
(Accessed October 13, 2025)