Role-Based Access Control

David Ferraiolo and Richard Kuhn
National Institute of Standards and Technology
Gaithersburg, Maryland 20899

Reprinted from Proceedings of 15th National Computer Security Conference, 1992

Abstract

While Mandatory Access Controls (MAC) are appropriate for multilevel secure military applications, Discretionary Access Controls (DAC) are often perceived as meeting the security processing needs of industry and civilian government. This paper argues that reliance on DAC as the principal method of access control is unfounded and inappropriate for many commercial and civilian government organizations. The paper describes a type of non-discretionary access control - role-based access control (RBAC) - that is more central to the secure processing needs of non-military systems than DAC.

1 Introduction

The U.S. government has been involved in developing security technology for computer and communications systems for some time. Although advances have been great, it is generally perceived that the current state of security technology has, to some extent, failed to address the needs of all. [1], [2] This is especially true of organizations outside the Department of Defense (DoD). [3]

The current set of security criteria, criteria interpretations, and guidelines has grown out of research and development efforts on the part of the DoD over a period of twenty plus years. Today the best known U.S. computer security standard is the Trusted Computer System Evaluation Criteria (TCSEC [4]). It contains security features and assurances, exclusively derived, engineered and rationalized based on DoD security policy, created to meet one major security objective - preventing the unauthorized observation of classified information. The result is a collection of security products that do not fully address security issues as they pertain to unclassified sensitive processing environments. Although existing security mechanisms have been partially successful in promoting security solutions outside of the DoD [2], in many instances these controls are less than perfect, and are used in lieu of a more appropriate set of controls.

The TCSEC specifies two types of access controls: Discretionary Access Controls (DAC) and Mandatory Access Controls (MAC). Since the TCSEC's appearance in December of 1983, DAC requirements have been perceived as being technically correct for commercial and civilian government security needs, as well as for single-level military systems. MAC is used for multi-level secure military systems, but its use in other applications is rare. The premise of this paper is that there exists a control, referred to as role-based access control (RBAC), that can be more appropriate and central to the secure processing needs within industry and civilian government than that of DAC, although the need for DAC will continue to exist.

Recently, considerable attention has been paid to researching and addressing the security needs of commercial and civilian government organizations. It is apparent that significant and broad sweeping security requirements exist outside the Department of Defense. [2], [5], [6] Civilian government and corporations also rely heavily on information processing systems to meet their individual operational, financial, and information technology requirements. The integrity, availability, and confidentiality of key software systems, databases, and data networks are major concerns throughout all sectors. The corruption, unauthorized disclosure, or theft of corporate resources could disrupt an organization's operations and have immediate, serious financial, legal, human safety, personal privacy and public confidence impact.

2 Aspects of Security Policies

Like DoD agencies, civilian government and commercial firms are very much concerned with protecting the confidentiality of information. This includes the protection of personnel data, marketing plans, product announcements, formulas, manufacturing and development techniques. But many of these organizations have even greater concern for integrity. [1]

Within industry and civilian government, integrity deals with broader issues of security than confidentiality. Integrity is particularly relevant to such applications as funds transfer, clinical medicine, environmental research, air traffic control, and avionics. The importance of integrity concerns in defense systems has also been studied in recent years. [7], [8] A wide gamut of security policies and needs exist within civilian government and private organizations. An organizational meaning of security cannot be presupposed. Each organization has unique security requirements, many of which are difficult to meet using traditional MAC and DAC controls.

As defined in the TCSEC and commonly implemented, DAC is an access control mechanism that permits system users to allow or disallow other users access to objects under their control:

    A means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) onto any other subject (unless restrained by mandatory access control). [4]
DAC, as the name implies, permits the granting and revoking of access privileges to be left to the discretion of the individual users. A DAC mechanism allows users to grant or revoke access to any of the objects under their control without the intercession of a system administrator.

In many organizations, the end users do not "own" the information for which they are allowed access. For these organizations, the corporation or agency is the actual "owner" of system objects as well as the programs that process it. Control is often based on employee functions rather than data ownership.

Access control decisions are often determined by the roles individual users take on as part of an organization. This includes the specification of duties, responsibilities, and qualifications. For example, the roles an individual associated with a hospital can assume include doctor, nurse, clinician, and pharmacist. Roles in a bank include teller, loan officer, and accountant. Roles can also apply to military systems; for example, target analyst, situation analyst, and traffic analyst are common roles in tactical systems. A role based access control (RBAC) policy bases access control decisions on the functions a user is allowed to perform within an organization. The users cannot pass access permissions on to other users at their discretion. This is a fundamental difference between RBAC and DAC.

Security objectives often support a higher level organizational policy, such as maintaining and enforcing the ethics associated with a judge's chambers, or the laws and respect for privacy associated with the diagnosis of ailments, treatment of disease, and the administering of medicine within a hospital. To support such policies, a capability to centrally control and maintain access rights is required. The security administrator is responsible for enforcing policy and represents the organization.

The determination of membership and the allocation of transactions to a role is not so much in accordance with discretionary decisions on the part of a system administrator, but rather in compliance with organization-specific protection guidelines. These policies are derived from existing laws, ethics, regulations, or generally accepted practices. These policies are non-discretionary in the sense that they are unavoidably imposed on all users. For example, a doctor can be provided with the transaction to prescribe medicine, but does not possess the authority to pass that transaction on to a nurse.

RBAC is in fact a form of mandatory access control, but it is not based on multilevel security requirements. As defined in the TCSEC, MAC is

    A means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e. clearance) of subjects to access information of such sensitivity. [4]

Role based access control, in many applications (e.g. [9], [10], [11]) is concerned more with access to functions and information than strictly with access to information.
The act of granting membership and specifying transactions for a role is loosely analogous to the process of clearing users (granting membership) and the labeling (associate operational sensitivities) of objects within the DoD. The military policy is with respect to one type of capability: who can read what information. For these systems the unauthorized flow of information from a high level to a low level is the principal concern. As such, constraints on both reads and writes are in support of that rule. Within a role-based system, the principal concern is protecting the integrity of information: "who can perform what acts on what information."

A role can be thought of as a set of transactions that a user or set of users can perform within the context of an organization. Transactions are allocated to roles by a system administrator. Such transactions include the ability for a doctor to enter a diagnosis, prescribe medication, and add an entry to (not simply modify) a record of treatments performed on a patient. The role of a pharmacist includes the transactions to dispense but not prescribe prescription drugs. Membership in a role is also granted and revoked by a system administrator.

Roles are group oriented. For each role, a set of transactions allocated the role is maintained. A transaction can be thought of as a transformation procedure [1] (a program or portion of a program) plus a set of associated data items. In addition, each role has an associated set of individual members. As a result, RBACs provide a means of naming and describing many-to-many relationships between individuals and rights. Figure 1 depicts the relationships between individual users, roles/groups, transformation procedures, and system objects.

The term transaction is used in this paper as a convenience to refer to a binding of transformation procedure and data storage access. This is not unlike conventional usage of the term in commercial systems. For example, a savings deposit transaction is a procedure that updates a savings database and transaction file. A transaction may also be quite general, e.g. "read savings file". Note however, that "read" is not a transaction in the sense used here, because the read is not bound to a particular data item, as "read savings file" is.

The importance of control over transactions, as opposed to simple read and write access, can be seen by considering typical banking transactions. Tellers may execute a savings deposit transaction, requiring read and write access to specific fields within a savings file and a transaction log file. An accounting supervisor may be able to execute correction transactions, requiring exactly the same read and write access to the same files as the teller. The difference is the process executed and the values written to the transaction log file.

The applicability of RBAC to commercial systems is apparent from its widespread use. Baldwin [9] describes a database system using roles to control access. Nash and Poland [10] discuss the application of role based access control to cryptographic authentication devices commonly used in the banking industry. Working with industry groups, the National Institute of Standards and Technology has developed a proposed standard, "Security Requirements for Cryptographic Modules," (Federal Information Processing Standard 140-1) [11] that will require support for access control and administration through roles. To date, these role based systems have been developed by a variety of organizations, with no commonly agreed upon definition or recognition in formal standards. Role based access controls described in this paper address security primarily for application-level systems, as opposed to general purpose operating systems.

Figure 1: Role Relationships (diagram; it shows individual users User 1 to User 6, roles/groups, the transformation procedures trans_a and trans_b, and the objects Object 1 and Object 2)

3 Formal Description of RBAC

To clarify the notions presented in the previous section, we give a simple formal description, in terms of sets and relations, of role based access control. No particular implementation mechanism is implied.

For each subject, the active role is the one that the subject is currently using:

$AR(s: subject) = \{\text{the active role for subject } s\}$

Each subject may be authorized to perform one or more roles:

$RA(s: subject) = \{\text{authorized roles for subject } s\}$

Each role may be authorized to perform one or more transactions:

$TA(r: role) = \{\text{transactions authorized for role } r\}$

Subjects may execute transactions. The predicate exec(s,t) is true if subject s can execute transaction t at the current time, otherwise it is false:

$exec(s: subject,\ t: tran) = true$ iff subject $s$ can execute transaction $t$.

Three basic rules are required:

1. Role assignment: A subject can execute a transaction only if the subject has selected or been assigned a role:

$\forall s: subject,\ t: tran\ (exec(s,t) \Rightarrow AR(s) \neq \emptyset)$ (1)
The identification and authentication process (e.g. login) is not considered a transaction. All other user activities on the system are conducted through transactions. Thus all active users are required to have some active role.

2. Role authorization: A subject's active role must be authorized for the subject:

$\forall s: subject\ (AR(s) \subseteq RA(s))$ (2)

With (1) above, this rule ensures that users can take on only roles for which they are authorized.

3. Transaction authorization: A subject can execute a transaction only if the transaction is authorized for the subject's active role:

$\forall s: subject,\ t: tran\ (exec(s,t) \Rightarrow t \in TA(AR(s)))$ (3)

With (1) and (2), this rule ensures that users can execute only transactions for which they are authorized. Note that, because the conditional is "only if", this rule allows the possibility that additional restrictions may be placed on transaction execution. That is, the rule does not guarantee a transaction to be executable just because it is in TA(AR(s)), the set of transactions potentially executable by the subject's active role. For example, a trainee for a supervisory role may be assigned the role of "supervisor", but have restrictions applied to his or her user role that limit accessible transactions to a subset of those normally allowed for the supervisor role.

In the preceding discussion, a transaction has been defined as a transformation procedure, plus a set of data items accessed by the transformation procedure. Access control in the rules above does not require any checks on the user's right to access a data object, or on the transformation procedure's right to access a data item, since the data accesses are built into the transaction. Security issues are addressed by binding operations and data into a transaction at design time, such as when privacy issues are addressed in an insurance query transaction.

It is also possible to redefine the meaning of "transaction" in the above rules to refer only to the transformation procedure, without including a binding to objects. This would require a fourth rule to enforce control over the modes in which users can access objects through transaction programs. For example, a fourth rule such as

$\forall s: subject,\ t: tran,\ o: object\ (exec(s,t) \Rightarrow access(AR(s), t, o, x))$ (4)

could be defined using a transaction (redefined to transformation procedure) to object access function access(r, t, o, x) which indicates if it is permissible for a subject in role r to access object o in mode x using transaction t, where x is taken from some set of modes such as read, write, append. Note that the Clark-Wilson access control triple could be implemented by letting the modes x be the access modes required by transaction t, and having a one-to-one relationship between subjects and roles. RBAC, as presented in this paper, thus includes Clark and Wilson access control as a special case.
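The rules above, as an added illustration that is not code from the paper: RA, TA and AR are kept as sets, exec(s, t) is evaluated by checking rules (1) to (3) in turn, a per-subject restriction shows the extra limit the "only if" wording permits (the trainee case), and access(r, t, o, x) implements the optional rule (4) for the reading where a transaction is only a transformation procedure. The subjects, roles, transactions and objects are constructed for the example and are not from the paper.

```python
"""Added example (not code from the paper): the three RBAC rules of Section 3,
plus the optional fourth rule, implemented as a small policy engine over sets.

RA(s), TA(r), AR(s), exec(s, t) and access(r, t, o, x) follow the paper's
definitions; the subject, role, transaction and object names are constructed
for this example and are not from the paper.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class RbacPolicy:
    ra: Dict[str, Set[str]] = field(default_factory=dict)       # RA: subject -> authorized roles
    ta: Dict[str, Set[str]] = field(default_factory=dict)       # TA: role -> authorized transactions
    ar: Dict[str, Optional[str]] = field(default_factory=dict)  # AR: subject -> active role
    # Optional rule (4): (role, transaction, object) -> permitted access modes
    access: Dict[Tuple[str, str, str], Set[str]] = field(default_factory=dict)
    # Per-subject restrictions: the "only if" in rule (3) permits further limits,
    # e.g. a trainee who may use only a subset of the transactions of the role
    denied: Dict[str, Set[str]] = field(default_factory=dict)

    def activate(self, s: str, r: str) -> bool:
        """Select an active role. Refused unless r is in RA(s), so rule (2)
        (AR(s) is a subset of RA(s)) holds by construction."""
        if r not in self.ra.get(s, set()):
            return False
        self.ar[s] = r
        return True

    def can_exec(self, s: str, t: str) -> bool:
        """exec(s, t): true only if rules (1), (2) and (3) all hold."""
        r = self.ar.get(s)
        if r is None:                        # rule (1): AR(s) must not be empty
            return False
        if r not in self.ra.get(s, set()):   # rule (2): AR(s) within RA(s)
            return False
        if t not in self.ta.get(r, set()):   # rule (3): t in TA(AR(s))
            return False
        return t not in self.denied.get(s, set())  # additional restriction allowed by "only if"

    def can_access(self, s: str, t: str, o: str, x: str) -> bool:
        """Rule (4), for the reading where a transaction is only a transformation
        procedure: exec(s, t) must hold and access(AR(s), t, o, x) must permit mode x."""
        if not self.can_exec(s, t):
            return False
        return x in self.access.get((self.ar[s], t, o), set())


def build_hospital_policy() -> RbacPolicy:
    """Constructed hospital policy in the spirit of the paper's examples:
    doctors may prescribe, pharmacists may dispense but not prescribe."""
    p = RbacPolicy()
    p.ta["doctor"] = {"enter_diagnosis", "prescribe", "add_treatment_entry"}
    p.ta["pharmacist"] = {"dispense"}
    p.ra["alice"] = {"doctor"}
    p.ra["bob"] = {"pharmacist"}
    p.ra["tina"] = {"doctor"}               # trainee doctor, restricted below
    p.denied["tina"] = {"prescribe"}
    # Rule (4) data: read/write for the doctor, read-only for the pharmacist
    p.access[("doctor", "prescribe", "prescription_file")] = {"read", "write"}
    p.access[("pharmacist", "dispense", "prescription_file")] = {"read"}
    return p


if __name__ == "__main__":
    policy = build_hospital_policy()
    policy.activate("alice", "doctor")
    print("alice prescribe:", policy.can_exec("alice", "prescribe"))
    policy.activate("bob", "pharmacist")
    print("bob prescribe:", policy.can_exec("bob", "prescribe"))
```

Because `activate` refuses any role outside RA(s), rule (2) can never be violated by the state the engine holds; `can_exec` still re-checks it so that a policy edited behind the engine's back (an administrator revoking a role while it is active) is caught at the next transaction.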
Use of this fourth rule might be appropriate, for example, in a hospital setting. A doctor could be provided with read/write access to a prescription file, while the hospital pharmacist might have only read access. (Recall that use of the first three rules alone controls access to the transactions.) This alternative approach using the fourth rule might be helpful in enforcing confidentiality requirements.

Another use of RBAC is to support integrity. Integrity has been defined in a variety of ways, but one aspect [8] of integrity is a requirement that data and processes be modified only in authorized ways by authorized users. This seems to be a reasonable security objective for many real systems, and RBAC should be applicable to such systems.

In general, the problem of determining whether data have been modified only in authorized ways can be as complex as the transaction that did the modification. For this reason, the practical approach is for transactions to be certified and trusted. If transactions must be trusted then access control can be incorporated directly into each transaction. Requiring the system to control access of transaction programs to objects through the access function used in rule (4) might then be a useful form of redundancy, but it could involve significant overhead for a limited benefit in enforcing integrity requirements. Therefore, inclusion of a transaction to object access control function in RBAC would be useful in some, but not all applications.

4 Centrally Administering Security Using RBAC

RBAC is flexible in that it can take on organizational characteristics in terms of policy and structure. One of RBAC's greatest virtues is the administrative capabilities it supports.

Once the transactions of a Role are established within a system, these transactions tend to remain relatively constant or change slowly over time. The administrative task consists of granting and revoking membership to the set of specified named roles within the system. When a new person enters the organization, the administrator simply grants membership to an existing role. When a person's function changes within the organization, the user membership to his existing roles can be easily deleted and new ones granted. Finally, when a person leaves the organization, all memberships to all roles are deleted. For an organization that experiences a large turnover of personnel, a role-based security policy is the only logical choice.

In addition, roles can be composed of roles. For example, a Healer within a hospital can be composed of the roles Healer, Intern, and Doctor. Figure 2 depicts an example of such a relationship.

By granting membership to the Role Doctor, it implies access to all transactions defined by Intern and Healer, as well as those of a Doctor. On the other hand, by granting membership to the Intern role, this implies transactions of the Intern and Healer not the Doctor.

Figure 2: Multi-Role Relationships (diagram; it shows User 1 to User 9, the roles Healer, Intern and Doctor, the transformation procedures trans_a to trans_f, and Object 1 to Object 6)
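Role composition and the administrative operations of this section, as an added illustration that is not code from the paper: the transactions of a composed role are the transitive closure over the roles it contains, and an administrator only grants, replaces or deletes memberships. The paper does not state which of trans_a to trans_f belongs to which role, so that assignment, and the user names, are constructed here.

```python
"""Added example (not code from the paper): roles composed of roles, as in
Section 4 and Figure 2, and the membership administration the section
describes. Which transactions belong to which role is not stated in the paper;
the assignment below (and the user names) is constructed for the example.
"""
from typing import Dict, Iterable, Set

# Transactions allocated directly to each role (constructed values)
TA_OWN: Dict[str, Set[str]] = {
    "Healer": {"trans_a"},
    "Intern": {"trans_b", "trans_c"},
    "Doctor": {"trans_d", "trans_e", "trans_f"},
}

# Composition: Doctor contains Intern, Intern contains Healer
CONTAINS: Dict[str, Set[str]] = {
    "Healer": set(),
    "Intern": {"Healer"},
    "Doctor": {"Intern"},
}


def effective_transactions(role: str,
                           ta_own: Dict[str, Set[str]] = TA_OWN,
                           contains: Dict[str, Set[str]] = CONTAINS) -> Set[str]:
    """TA(role) closed under composition: the role's own transactions plus
    those of every role it is (transitively) composed of. The 'seen' set
    keeps a mis-configured cycle (A contains B contains A) from looping."""
    result: Set[str] = set()
    seen: Set[str] = set()
    stack = [role]
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        result |= ta_own.get(r, set())
        stack.extend(contains.get(r, set()))
    return result


class RoleAdmin:
    """The administrative task of Section 4: grant membership on arrival,
    replace memberships on a change of function, delete all on departure."""

    def __init__(self) -> None:
        self.members: Dict[str, Set[str]] = {}   # user -> roles held

    def grant(self, user: str, role: str) -> None:
        self.members.setdefault(user, set()).add(role)

    def change_function(self, user: str, new_roles: Iterable[str]) -> None:
        # old memberships deleted, new ones granted, in one step
        self.members[user] = set(new_roles)

    def remove_user(self, user: str) -> None:
        # all memberships to all roles are deleted
        self.members.pop(user, None)

    def user_transactions(self, user: str) -> Set[str]:
        """Everything the user can do through all roles held, composed roles included."""
        out: Set[str] = set()
        for r in self.members.get(user, set()):
            out |= effective_transactions(r)
        return out


if __name__ == "__main__":
    for r in ("Healer", "Intern", "Doctor"):
        print(r, sorted(effective_transactions(r)))
```

The point of computing the closure at check time rather than copying transactions into each containing role is the one the section makes: when the transactions of a role change, nothing about user memberships has to be touched.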
However, by granting membership to the Healer role, this only allows access to those resources allowed under the role Healer.

5 Principle of Least Privilege

The principle of least privilege has been described as important for meeting integrity objectives. [8] The principle of least privilege requires that a user be given no more privilege than necessary to perform a job. Ensuring least privilege requires identifying what the user's job is, determining the minimum set of privileges required to perform that job, and restricting the user to a domain with those privileges and nothing more. By denying to subjects transactions that are not necessary for the performance of their duties, those denied privileges cannot be used to circumvent the organizational security policy. Although the concept of least privilege currently exists within the context of the TCSEC, requirements restrict those privileges of the system administrator. Through the use of RBAC, enforced minimum privileges for general system users can be easily achieved.

6 Separation of Duties

RBAC mechanisms can be used by a system administrator in enforcing a policy of separation of duties. Separation of duties is considered valuable in deterring fraud since fraud can occur if an opportunity exists for collaboration between various job related capabilities.

Separation of duty requires that for particular sets of transactions, no single individual be allowed to execute all transactions within the set. The most commonly used examples are the separate transactions needed to initiate a payment and to authorize a payment. No single individual should be capable of executing both transactions. Separation of duty is an important consideration in real systems. [1], [12], [13], [14] The sets in question will vary depending on the application. In real situations, only certain transactions need to be restricted under separation of duty requirements. For example, we would expect a transaction for "authorize payment" to be restricted, but a transaction "submit suggestion to administrator" would not be.

Separation of duty can be either static or dynamic. Compliance with static separation requirements can be determined simply by the assignment of individuals to roles and allocation of transactions to roles. The more difficult case is dynamic separation of duty where compliance with requirements can only be determined during system operation. The objective behind dynamic separation of duty is to allow more flexibility in operations. Consider the case of initiating and authorizing payments. A static policy could require that no individual who can serve as payment initiator could also serve as payment authorizer. This could be implemented by ensuring that no one who can perform the initiator role could also perform the authorizer role. Such a policy may be too rigid for commercial use, making the cost of security greater than the loss that might be expected without the security. More flexibility could be allowed by a dynamic policy that allows the same individual to take on both initiator and authorizer roles, with the exception that no one could authorize payments that he or she had initiated.
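The static and dynamic separation of duty policies just described, as an added illustration that is not code from the paper: the static check is decided from the role assignment alone, while the dynamic check must record who initiated each payment and compare user ids at authorization time. The users, the exclusive role pair and the payment identifiers are constructed for the example.

```python
"""Added example (not code from the paper): static and dynamic separation of
duty for the paper's payment example in Section 6. The users, role pairs and
payment identifiers are constructed for this example.
"""
from typing import Dict, List, Set, Tuple

# Mutually exclusive role pairs (constructed: the paper's initiator/authorizer case)
EXCLUSIVE_PAIRS: List[Tuple[str, str]] = [("initiator", "authorizer")]


def static_sod_violations(ra: Dict[str, Set[str]],
                          pairs: List[Tuple[str, str]] = EXCLUSIVE_PAIRS
                          ) -> List[Tuple[str, str, str]]:
    """Static SoD is decidable from RA alone: no subject may be authorized for
    both roles of an exclusive pair. Returns (subject, role1, role2) per violation."""
    return [(s, a, b) for s, roles in ra.items()
            for a, b in pairs if a in roles and b in roles]


class PaymentLedger:
    """Dynamic SoD: a subject may hold both roles, but the system records who
    initiated each payment and refuses authorization by that same user ID.
    The decision needs the user ID as well as the active role."""

    def __init__(self, ra: Dict[str, Set[str]]) -> None:
        self.ra = ra                                   # RA: subject -> authorized roles
        self.initiated_by: Dict[str, str] = {}         # payment -> initiating user
        self.authorized_by: Dict[str, str] = {}        # payment -> authorizing user

    def _active_role_ok(self, user: str, active_role: str, needed: str) -> bool:
        # the paper's rules (2) and (3) in miniature: the active role must be
        # the one the transaction needs, and authorized for the user
        return active_role == needed and needed in self.ra.get(user, set())

    def initiate(self, user: str, payment_id: str, active_role: str) -> bool:
        if not self._active_role_ok(user, active_role, "initiator"):
            return False
        if payment_id in self.initiated_by:            # already initiated
            return False
        self.initiated_by[payment_id] = user
        return True

    def authorize(self, user: str, payment_id: str, active_role: str) -> bool:
        if not self._active_role_ok(user, active_role, "authorizer"):
            return False
        initiator = self.initiated_by.get(payment_id)
        if initiator is None or initiator == user:     # the dynamic SoD decision
            return False
        self.authorized_by[payment_id] = user
        return True


if __name__ == "__main__":
    ra = {"ann": {"initiator", "authorizer"}, "cat": {"authorizer"}}
    print("static violations:", static_sod_violations(ra))
    ledger = PaymentLedger(ra)
    ledger.initiate("ann", "P1", "initiator")
    print("ann authorizes own payment:", ledger.authorize("ann", "P1", "authorizer"))
    print("cat authorizes P1:", ledger.authorize("cat", "P1", "authorizer"))
```

The same assignment that fails the static check (ann holds both roles) is accepted under the dynamic policy; what the dynamic policy gives up in simplicity it pays for with state, since the initiator of every open payment must be retained until authorization.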
The static policy could be implemented by checking only roles of users; for the dynamic case, the system must use both role and user ID in checking access to transactions.

Separation of duty is necessarily determined by conditions external to the computer system. The Clark-Wilson [1] scheme includes the requirement that the system maintain the separation of duty requirement expressed in the access control triples. Enforcement is on a per-user basis, using the user ID from the access control triple. As discussed above, user functions can be conveniently separated by role, since many users in an organization typically perform the same function and have the same access rights on TPs and data. Allocating access rights according to role is also helpful in defining separation of duty in a way that can be enforced by the system.

7 Summary and Conclusions

In many organizations in industry and civilian government, the end users do not "own" the information for which they are allowed access. For these organizations, the corporation or agency is the actual "owner" of system objects, and discretionary access control may not be appropriate. Role-based access control (RBAC) is a nondiscretionary access control mechanism which allows and promotes the central administration of an organizational specific security policy.

Access control decisions are often based on the roles individual users take on as part of an organization. A role specifies a set of transactions that a user or set of users can perform within the context of an organization. RBAC provides a means of naming and describing relationships between individuals and rights, providing a method of meeting the secure processing needs of many commercial and civilian government organizations.

Various forms of role based access control have been described and some are used in commercial systems today, but there is no commonly accepted definition or formal standards encompassing RBAC. As such, evaluation and testing programs for these systems have not been established as they have for systems conforming to the Trusted Computer Security Evaluation Criteria. This paper proposed a definition of The requirements and access control rules for RBAC proposed in this paper could be used as the basis for a common definition of access controls based on user roles.

8 References

1 D. D. Clark and D. R. Wilson. A Comparison of Commercial and Military Computer Security Policies. In IEEE Symposium on Computer Security and Privacy, April 1987.

2 Computers at Risk. National Research Council, National Academy Press, 1991.

3 Minimum Security Functionality Requirements for Multi-User Operating Systems (draft). Computer Systems Laboratory, NIST, January 27 1992.

4 Trusted Computer Security Evaluation Criteria, DOD 5200.28-STD. Department of Defense, 1985.

5 Z. G. Ruthberg and W. T. Polk, Editors. Report of the Invitational Workshop on Integrity Policy in Computer Information Systems. SP 500-160. Natl. Inst. of Stds. and Technology, 1987.

6 S. W. Katzke and Z. G. Ruthberg, Editors. Report of the Invitational Workshop on Data Integrity. SP 500-168. Natl. Inst. of Stds. and Technology, 1989.

7 J. E. Roskos, S. R. Welke, J. M. Boone, and T. Mayfield. Integrity in Tactical and Embedded Systems. Institute for Defense Analyses, HQ 89-034883/1, October 1989.

8 Integrity in Automated Information Systems. National Computer Security Center, September 1991.

9 R. W. Baldwin. Naming and Grouping Privileges to Simplify Security Management in Large Databases. In IEEE Symposium on Computer Security and Privacy, 1990.

10 K. R. Poland, M. J. Nash. Some Conundrums Concerning Separation of Duty. In IEEE Symposium on Computer Security and Privacy, 1990.

11 Security Requirements for Cryptographic Modules. Federal Information Processing Standard 140-1, National Institute of Standards and Technology, 1992.

12 W. R. Shockley. Implementing the Clark/Wilson Integrity Policy Using Current Technology. In Proceedings of 11th National Computer Security Conference, October 1988.

13 R. Sandhu. Transaction Control Expressions for Separation of Duties. In Fourth Aerospace Computer Security Applications Conference, December 1988.

14 S. Wiseman, P. Terry. A 'New' Security Policy Model. In IEEE Symposium on Computer Security and Privacy, May 1989.