Validating the RBAC ANSI 2012 Standard Using B

  • Nghi Huynh
  • Marc Frappier
  • Amel Mammar
  • Régine Laleau
  • Jules Desharnais
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8477)


We validate the RBAC ANSI 2012 standard using the B method. Numerous problems are identified: logical errors, inconsistencies, ambiguities, typing errors, missing preconditions, invariant violation, inappropriate specification notation. A clean version of the standard written in the B notation is proposed. We argue that the ad hoc mathematical notation used in the standard is inappropriate and we propose that a more methodological and tool-supported approach must definitely be used for writing standards, in order to avoid the issues identified in the paper. Human reviewing is insufficient to produce error-free international standards.


Keywords: Role-Based Access Control, B method, invariant preservation





Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Nghi Huynh (1, 2)
  • Marc Frappier (1)
  • Amel Mammar (3)
  • Régine Laleau (2)
  • Jules Desharnais (4)

  1. Université de Sherbrooke, Québec, Canada
  2. Université Paris-Est Créteil Val de Marne, France
  3. Institut Mines-Télécom, Télécom SudParis, France
  4. Université Laval, Québec, Canada
