Computing Reviews
Configuring role-based access control to enforce mandatory and discretionary access control policies
Osborn S., Sandhu R., Munawer Q. ACM Transactions on Information and System Security 3(2): 85-106, 2000. Type: Article
Date Reviewed: Feb 1 2001

The authors show that a particular set of role-based access control (RBAC) models, known as RBAC96, can be used to define a variety of lattice-based access controls (LBACs), an abstraction and generalization of what is also known as the hierarchical access control model. They show that all of the familiar properties that form the basis for Bell and LaPadula’s model can be realized using RBAC primitives. They also define additional models based on the real-world requirement to be able to selectively downgrade objects within a mandatory access control (MAC) environment. Their models describe RBAC-implemented total user discretion downgrades, constrained downgrading privileges, and independent and constrained write ranges for downgrade. In addition, they show that more recent models such as Clark-Wilson and Chinese Wall can also be constructed from the RBAC96 primitives. Further, they show that a variety of discretionary access control (DAC) models, with differing amounts of discretionary authority to delegate granting access to and ownership of an object to other users, can also be modeled by RBAC96. They consider two cases of revocation of access and ownership: grant-independent and grant-dependent.

The authors make a convincing case that the ideal RBAC primitives are sufficient to construct a wide spectrum of different security models. It appears that for some of the models, the administration of real-world programming and data elements corresponding to the abstract primitives is more complicated than the original Bell and LaPadula model would be. The paper nevertheless shows the essential nature of the RBAC primitives described and their ability to describe a number of rich security models. It is recommended reading for all workers dealing with access controls.

Reviewer:  James P. Anderson Review #: CR124115
Access Controls (D.4.6 ... )
Security and Protection (K.6.5 )