## Understanding Permissions in NIST RBAC

NIST RBAC[1] defines permission in a particular way which is very tricky but very interesting. If OBS is the set of objects and OPS is the set of operations, then NIST defines the permission set (PRMS) as PRMS = 2^(OPS × OBS), i.e. the power set of all (operation, object) pairs. For example, if we have OPS = {read, write} and OBS = {o1, o2}, then there are 2^(2×2) = 16 permissions. Insane, right?

Let's see some of the possible permissions:

p0 = {}

p1 = {read o1}

p2 = {write o2}

p3 = {read o1 and write o2}

p4 … p15.

At first it seems that if we have p1 and p2, then we don't need to define p3: just combining p1 and p2 gives us p3. But interestingly this is not the case. Let me explain why.

For example, consider a bank teller who is not allowed to simply deposit money into a bank account (permission p1) or withdraw money from a bank account (permission p2). But he can transfer money (permission p3) from one account to another, which is a combination of both p1 and p2. We can think of transferring money as the two permissions **withdrawing money from one account (p2)** and **depositing to another account (p1)**. But while doing the transfer, the teller cannot exercise p2 and p1 as he wishes. If the teller were given both permissions p1 and p2 instead of p3, he could exercise p1 as many times as he likes and p2 as many times as he likes. Thus, when p1 and p2 are held separately, their exercise cannot be regulated the way it is in a transfer between accounts.

NIST solves this problem by combining these permissions through the notion of **PRMS = 2^(OPS × OBS)**. In this notion, having the single permission p3 = (p1 and p2) is different from having both permissions p1 and p2.
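To make this concrete, here is an added Python example (not from the NIST standard or from the original post) that enumerates PRMS for the read/write, o1/o2 case and models the teller scenario, treating each permission as an atomic unit that a role must hold exactly as defined. The deposit/withdraw/transfer operation names and the account objects are constructed for illustration.

```python
from itertools import combinations

# PRMS = 2^(OPS x OBS): every subset of the (operation, object) pairs is one permission.
OPS = ("read", "write")
OBS = ("o1", "o2")


def permission_set(ops, obs):
    """Enumerate PRMS as frozensets of (op, obj) pairs; for 2 ops x 2 objs this is 16."""
    pairs = [(op, ob) for op in ops for ob in obs]
    return [frozenset(c) for k in range(len(pairs) + 1) for c in combinations(pairs, k)]


# Constructed bank example: accounts are the objects, teller actions are the operations.
DEPOSIT = frozenset({("deposit", "acct_b")})                          # p1
WITHDRAW = frozenset({("withdraw", "acct_a")})                        # p2
TRANSFER = frozenset({("withdraw", "acct_a"), ("deposit", "acct_b")}) # p3: one permission


def authorized(role_prms, requested):
    """Grant only if the requested (op, obj) set is exactly one of the permissions the
    role holds. A permission is atomic: holding p3 does not imply holding p1 or p2,
    and holding p1 and p2 does not imply holding p3."""
    return requested in role_prms


def teller_checks():
    """Compare a teller holding only p3 with a teller holding p1 and p2 separately."""
    teller_with_p3 = {TRANSFER}
    teller_with_p1_p2 = {DEPOSIT, WITHDRAW}
    return {
        "p3_can_transfer": authorized(teller_with_p3, TRANSFER),
        "p3_can_deposit_alone": authorized(teller_with_p3, DEPOSIT),
        "p1p2_can_transfer": authorized(teller_with_p1_p2, TRANSFER),
        # With p1 and p2 held separately the teller may do each step on its own,
        # as often as he likes, which is exactly what p3 is meant to prevent.
        "p1p2_can_withdraw_then_deposit": authorized(teller_with_p1_p2, WITHDRAW)
        and authorized(teller_with_p1_p2, DEPOSIT),
    }


if __name__ == "__main__":
    print(len(permission_set(OPS, OBS)), "permissions in PRMS")
    for name, ok in teller_checks().items():
        print(f"{name}: {ok}")
```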

Now, let's see what happens