Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Role-Based Access Control (RBAC): Features and Motivations



David F. Ferraiolo, Janet A. Cugini, David R. Kuhn


The central notion of Role-Based Access Control (RBAC) is that users do not have discretionary access to enterprise objects. Instead, access permissions are administratively associated with roles, and users are administratively made members of appropriate roles. This idea greatly simplifies management of authorization while providing an opportunity for great flexibility in specifying and enforcing enterprise- specific protection policies. Users can be made members of roles as determined by their responsibilities and qualifications and can be easily reassigned from one role to another without modifying the underlying access structure. Roles can be granted new permissions as new applications and actions are incorporated, and permissions can be revoked from roles as needed. Some users and vendors have recognized the potential benefits of RBAC without a precise definition of what RBAC constitutes. Some RBAC features have been implemented in commercial products without a frame of reference as to the functional makeup and virtues of RBAC. This lack of definition makes it difficult for consumers to compare products and for vendors to get credit for the effectiveness of their products in addressing known security problems. To correct these deficiencies, a number of government sponsored research efforts are underway to define RBAC precisely in terms of its features and the benefits it affords. This research includes: surveys to better understand the security needs of commercial and government users, the development of a formal RBAC model, architecture, prototype, and demonstrations to validate its use and feasibility. As a result of these efforts, RBAC systems are now beginning to emerge. The purpose of this paper is to provide additional insight as to the motivations and functionality that might go behind the official RBAC name.
Proceedings Title
Proceedings of the 11th Annual Computer Security Applications Conference
Conference Dates
December 11-15, 1995
Conference Location
New Orleans, LA
Conference Title
11th Annual Computer Security Applications Conference


access control, RBAC, Role-Based Access Control


Ferraiolo, D. , Cugini, J. and Kuhn, D. (1995), Role-Based Access Control (RBAC): Features and Motivations, Proceedings of the 11th Annual Computer Security Applications Conference, New Orleans, LA, [online], (Accessed April 21, 2024)
Created December 15, 1995, Updated February 19, 2017