Role-based access control (RBAC) is a promising alternative to traditional discretionary access control (DAC) and mandatory access control (MAC). The central idea of RBAC is that permissions are associated with roles, and users are made members of appropriate roles, thereby acquiring the roles' permissions. RBAC is policy neutral in that the precise policy being enforced is a consequence of how various components of RBAC -- such as role hierarchies, constraints and administration of user-role and role-permission assignment -- are configured. This raises the important question as to whether RBAC is sufficiently powerful to simulate DAC and MAC. Simulation of MAC in RBAC has been demonstrated earlier by Nyanchama and Osborn and by Sandhu. In this paper we demonstrate how to simulate several variations of DAC in RBAC, using the well-known RBAC96 model of Sandhu et al. In combination with earlier work we conclude that RBAC encompasses both MAC and DAC.
Sandhu et al. (Thu,) studied this question.