Search Publications by: David Ferraiolo (Fed)

Displaying 26 - 42 of 42

Decentralized Trust Domain Management in Multiple Grid Environments

November 25, 2007
Chung Tong Hu, Karen A. Scarfone, David F. Ferraiolo
Trust domain management for the global access of a grid is managed under centralized schema for most of the current grid architectures, which are designed based on the concept that there is only one grid for every grid member, therefore requiring central

Access Control Policy Combinations for the Grid Using the Policy Machine

May 14, 2007
Vincent C. Hu, David F. Ferraiolo, Karen A. Scarfone
Many researchers have tackled the architecture and requirements aspects of grid security, concentrating on the authentication or authorization mediation instead of authorization techniques, especially the topic of policy combination. Policy combination is

Role-Based Access Control, Second Edition

December 31, 2006
David F. Ferraiolo, David R. Kuhn, Ramaswamy Chandramouli
[ISBN-13: 978-1-59693-113-8] This newly revised edition of "Role-Based Access Control" offers the latest details on a security model aimed at reducing the cost and complexity of security administration for large networked applications. The second edition

Assessment of Access Control Systems

September 29, 2006
Chung Tong Hu, David F. Ferraiolo, David R. Kuhn
Access control is perhaps the most basic aspect of computer security. Nearly all applications that deal with financial, privacy, safety, or defense include some form of access control. In many systems access control takes the form of a simple password

The Role Control Center: Features and Case Studies

June 4, 2003
David F. Ferraiolo, Gail-Joon Ahn, Ramaswamy Chandramouli, Serban I. Gavrila
Role-based Access Control (RBAC) models have been implemented not only in self-contained resource management products such as DBMSs and Operating Systems but also in a class of products called Enterprise Security Management Systems (ESMS). ESMS products

The Policy Machine for Security Policy Management

July 17, 2001
Chung Tong Hu, Deborah A. Frincke, David F. Ferraiolo
Many different access control policies and models have been developed to suit a variety of goals: these include Role-Based Access Control, One-directional Information Flow, Chinese Wall, Clark-Wilson, N-person Control, and DAC, in addition to more

The NIST Model for Role-Based Access Control: Towards a Unified Standard

July 26, 2000
R. Sandhu, David F. Ferraiolo, D. Richard Kuhn
This paper describes a unified model for role-based access control (RBAC). RBAC is a proven technology for large-scale authorization. However, lack of a standard model results in uncertainty and confusion about its utility and meaning. The NIST model seeks

Securing Web Servers

September 21, 1999
Peter M. Mell, David F. Ferraiolo
This ITL Bulletin enumerates and describes techniques by which one can secure web servers. It categorizes the techniques into security levels to aid in their cost-effective application.

Specifying and Managing Role-Based Access Control Within a Corporate Intranet

November 7, 1997
David F. Ferraiolo, John Barkley
In order for intranets to reach their full potential, access control and authorization management mechanisms must be in place that can regulate user access to information in a manner that is consistent with the current set of laws, regulations, and

Role Based Access Control for the World Wide Web

October 10, 1997
John Barkley, Anthony V. Cincotta, David F. Ferraiolo, Serban I. Gavrila, David R. Kuhn
One of the most challenging problems in managing large networked systems is the complexity of security administration. This is particularly true for organizations that AWeb (WWW) servers. Today, security administration is costly and prone to error because

Role-Based Access Control (RBAC): Features and Motivations

December 15, 1995
David F. Ferraiolo, Janet A. Cugini, David R. Kuhn
The central notion of Role-Based Access Control (RBAC) is that users do not have discretionary access to enterprise objects. Instead, access permissions are administratively associated with roles, and users are administratively made members of appropriate

Minimum Security Requirements for Multi-User Operating Systems

March 1, 1993
David F. Ferraiolo, N Lynch, Patricia R. Toth
[NOTE: THIS DOCUMENT HAS BEEN SUPERSEDED BY THE FEDERAL CRITERIA.] The Minimum Security Requirements for Multi-User Operating Systems (MSR) document provides basic commercial computer system security requirements applicable to both government and

Assessing Federal and Commercial Information Security Needs (IT)

November 1, 1992
David F. Ferraiolo, D M. Gilbert, N Lynch
In a cooperative effort with government and industry, the National Institute of Standards and Technology (NIST) conducted a study to assess the current and future information technology (IT) security needs of the commercial, civil, and military sectors

Role-Based Access Controls

October 13, 1992
David F. Ferraiolo, David R. Kuhn
While Mandatory Access Controls (MAC) are appropriate for multilevel secure military applications, Discretionary Access Controls (DAC) are often perceived as meeting the security processing needs of industry and civilian government. This paper argues that