Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Planning Report 02-1: The Economic Impact of Role-Based Access Control



Michael P. Gallaher, Alan C. O'Connor, Brian Kropp, Gregory C. Tassey


The National Institute of Standards and Technology (NIST) began working on RBAC in the early 1990s after a study of federal agency security needs identified the need to develop a better method for managing large networked systems and complex access issues (Ferraiolo, Gilbert, and Lynch, 1992). Over the past decade, NIST's RBAC project has made significant contributions to the development and adoption of RBAC through publishing in the professional literature, sponsoring conferences and outreach projects, and supplying infrastructure tools to industry. The objectives of this study was to conduct a microeconomics impact assessment of the (1) benefits of RBAC relative to alternative access control systems, and (2) economic return from the NIST/Information Technology Laboratory (ITL) RBAC project's contributions to the development and adoption of RBAC. Based on interviews with software developers and companies using RBAC-enabled products, we projected that the net present value of RBAC through 2006 will be approximately $671 million. NIST's contributions were estimated to account for 44 percent of the benefits of RBAC, leading to a social rate of return to the NIST/RBAC project of approximately 62 percent.
OTHER - 02-1
Report Number


economic impact assessment, RBAC, Role-Based Access Control


Gallaher, M. , O'Connor, A. , Kropp, B. and Tassey, G. (2002), Planning Report 02-1: The Economic Impact of Role-Based Access Control, OTHER, National Institute of Standards and Technology, Gaithersburg, MD, [online], (Accessed March 2, 2024)
Created February 28, 2002, Updated October 12, 2021