Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.


The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

A Revised Model for Role-Based Access Control



Wayne Jansen


Role Based Access Control (RBAC) refers to a class of security mechanisms that mediate access to resources through organizational identities called roles. A number of models have been published that formally describe the basic properties of RBAC. This report focuses on an RBAC model originally proposed by Ferraiolo and others at NIST, and formulates a revised model that fixes noted discrepancies, incorporates features from related models, and addresses new properties regarding role hierarchies. Possible future extensions to the revised model and the motivation for them are also discussed. Finally, a subset of the properties defined in the revised model is proposed as the criteria for determining whether an implementation should be classified as an RBAC system.
NIST Interagency/Internal Report (NISTIR) - 6192
Report Number


formal models, RBAC, Role Based Access Control, security mechanisms
Created July 9, 1998, Updated November 10, 2018