Home > Access control Concepts, Information Security, Uncategorized > Understanding Permissions in NIST RBAC

Understanding Permissions in NIST RBAC

NIST RBAC[1] defines  permission in a particular way which is very tricky but very interesting. If OBS is set of objects, and OPS is the set of operation, then NIST defines permission set (PRMS) as  PRMS = 2^(OPS X OBS). For example, if we have OPS={read, write} and OBS = {o1,o2}, then there are 2^(2×2) = 16 permission. Insane! right?

Lets see all the possible permissions:

p0 = {}

p1 = {read o1}

p2 = {write o2}

p3={read o1 and  write o2}.

p5…. p15.




Initially it seems if we have p1, p2, then we don’t need to define p3. Just combining p1 and p2 makes p3. But interestingly this is not the case. Let me explain why.



For example, consider, a bank teller cannot just deposit money (permission p1) in a bank account or withdraw money from a bank account (permission p2). But he can transfer money (permission p3)  from one account to another which is combination of both p1 and p2 permission. We can think of transferring money as two permission of withdrawing money from one account(p2) and deposit to another account(p1). But while doing transferring, the teller cannot exercise permission p2 and p1 as he wishes. If the teller were given both permission p1 and p2 instead of p3, he could exercise p1 as many times he likes and p2 as many times as he likes. Thus exercise of permission p1 and p2 cannot be regulated as we do in transferring money between account.


NIST solves this problem  by combining these permissions by the notion of PRMS = 2^(OPS X OBS). In this notion having permission p3 = (p1 and p2) is different than having both permission p1 and p2.


Now, lets see what happens

  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: