Role-based access control and the access control matrix

The Access Matrix is a useful model for understanding the behaviour and properties of access control systems. While the matrix is rarely implemented, access control in real systems is usually based on access control mechanisms, such as access control lists or capabilities, that have clear relationships with the matrix model. In recent times a great deal of interest has been shown in Role Based Access Control (RBAC) models. However, the relationship between RBAC models and the Access Matrix is not clear. In this paper we present a model of RBAC based on the Access Matrix which makes the relationships between the two explicit. In the process of constructing this model, some fundamental similarities between certain capability models and RBAC are revealed. In particular, we outline a proof that RBAC and the ACM are equivalent with respect to the policies they can represent. From this we conclude that, in a similar way to access lists and capabilities, RBAC is a derivation of the Access Matrix model.