Comparative Study of Access Control Methods in Enterprise Information Systems, Based on RBAC, ABAC, and TBAC policies


  • Marcel Danilescu, Danubius University of Galati


Users; operations; actions; objects; roles; trust; attribute


Controlling access to a company’s IT systems is a way to ensure that users are who they say they are and have proper access to company data and documents. At a high level, controlling access to a company’s data and applications is a selective restriction on access to data. It consists of two main components: authentication and authorization. Authentication confirms that someone is who they claim to be, but on its own it is not enough to ensure data protection. Authorization is an additional layer that determines which users should be allowed to access data or perform an action (operation / transaction). Several authentication and authorization methods have been created to implement these components; of these, this study addresses Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC) and Trust-Based Access Control (TBAC). It makes a comparative analysis of the principles underlying RBAC, ABAC and TBAC, and of the ways in which they are applied and work together.

Author Biography

Marcel Danilescu, Danubius University of Galati

PhD in progress


Performance and Risks in the European Economy