In their proposed RBAC standard, Ferraiolo et al. [FERRO 1] have described a set of functional interfaces for the implementation of RBAC. These interfaces not only are expressed syntactically but have defined semantics, albeit at a higher level. The key benefit of adopting a standard interface across various RBAC implementations is the decoupling of applications using RBAC security controls from the components providing and managing those controls. One should not, however, expect a perfect portability of applications across RBAC implementations. For one thing, the policies may differ in the semantics of roles and their authoritative scope. Standard interfaces are also useful in implementing RBAC administrative tools such as graphical interfaces. This enables portability of such tools across RBAC policies and can be easily reusable as independent components.

The proposed specification addresses RBAC functionality from three perspectives:

• q Administrative functions These concern the instantiation of various element sets of USERS, ROLES, OPS (operations), and OBS (objects) and the management of relationships across these elements (e.g., assignment of users to roles).

• q Supporting system functions These concern the processing entailed by an RBAC implementation in supporting various constructs such as sessions and in enforcing the underlying RBAC policy via access decision making.

• q Review functions These functions facilitate the review of an RBAC policy state as it evolves through the administrative functions. An example would be reviewing which entities have been assigned to a particular role.

We review the proposed functions for core RBAC, hierarchical...