Comparative Study of Access Control Methods in Enterprise Information Systems, Based on RBAC, ABAC, and TBAC policies
Keywords: users; operations; actions; objects; roles; trust; attribute
Controlling access to a company's IT systems is a way to ensure that users are who they claim to be and have the proper access to company data and documents. At a high level, controlling access to a company's data and applications is a selective restriction on access to data. It consists of two main components: authentication and authorization. Authentication confirms that someone is who they claim to be, but on its own it is not enough to ensure data protection. Authorization is an additional layer that determines which users may access which data or perform which action (operation / transaction). Several authentication and authorization methods have been created for this purpose; within this study we address Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC) and Trust-Based Access Control (TBAC). This study makes a comparative analysis of the principles underlying RBAC (Role-Based Access Control), ABAC (Attribute-Based Access Control) and TBAC (Trust-Based Access Control) and the ways of application and collaboration
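The three models compared in the abstract decide the same authorization question from different inputs: RBAC from the roles a user holds, ABAC from attributes of the subject, object and environment, and TBAC from a per-user trust level measured against the trust an operation requires. The following is an added illustration, not code from the paper; the users, roles, attributes, trust values and thresholds are constructed sample data, and `req.user` is assumed to be an identity that authentication has already confirmed, since authorization is the separate layer the abstract describes.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Request:
    user: str                 # authenticated identity (authentication assumed already done)
    action: str               # operation the user wants to perform
    obj: str                  # object (document, record) the operation targets
    attrs: dict = field(default_factory=dict)  # subject/environment attributes for ABAC

# RBAC: permissions attach to roles; users are assigned roles (constructed sample policy).
ROLE_PERMS = {
    "accountant": {("read", "ledger"), ("write", "ledger")},
    "auditor": {("read", "ledger")},
}
USER_ROLES = {"alice": {"accountant"}, "bob": {"auditor"}, "carol": set()}

def rbac_allows(req: Request) -> bool:
    # Unknown users or roles deny by default: missing entries never grant.
    return any((req.action, req.obj) in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(req.user, set()))

# ABAC: each rule is a predicate over the request's action and attributes (constructed sample rules).
ABAC_RULES = [
    lambda r: r.action == "read" and r.attrs.get("department") == "finance",
    lambda r: (r.action == "write" and r.attrs.get("department") == "finance"
               and r.attrs.get("device_managed") is True),
]

def abac_allows(req: Request) -> bool:
    return any(rule(req) for rule in ABAC_RULES)

# TBAC: each user carries a trust level; each (action, object) pair requires a minimum trust.
USER_TRUST = {"alice": 0.9, "bob": 0.6, "carol": 0.3}          # constructed values
REQUIRED_TRUST = {("read", "ledger"): 0.5, ("write", "ledger"): 0.8}

def tbac_allows(req: Request) -> bool:
    needed = REQUIRED_TRUST.get((req.action, req.obj))
    # An operation with no trust threshold defined is denied rather than assumed open.
    return needed is not None and USER_TRUST.get(req.user, 0.0) >= needed

def evaluate(req: Request) -> dict:
    """Decision of each model for the same request, so the three can be compared side by side."""
    return {"rbac": rbac_allows(req), "abac": abac_allows(req), "tbac": tbac_allows(req)}

if __name__ == "__main__":
    for r in (Request("alice", "write", "ledger", {"department": "finance", "device_managed": True}),
              Request("bob", "write", "ledger", {"department": "finance", "device_managed": True}),
              Request("carol", "read", "ledger", {"department": "finance"})):
        print(r.user, r.action, r.obj, evaluate(r))
```

Running it shows where the models diverge: bob's write is refused by RBAC (his role is read-only) and TBAC (trust 0.6 below the 0.8 required) but accepted by ABAC, and carol's read passes ABAC on her department attribute alone while RBAC and TBAC refuse it.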
Copyright (c) 2021 Marcel Danilescu
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.