Role-Based Authorization Constraints Specification

Gail-Joon Ahn, Ravi Sandhu

Research output: Contribution to journalArticlepeer-review

345 Scopus citations


Constraints are an important aspect of role-based access control (RBAC) and are often regarded as one of the principal motivations behind RBAC. Although the importance of constraints in RBAC has been recognized for a long time, they have not received much attention. In this article, we introduce an intuitive formal language for specifying role-based authorization constraints named RCL 2000 including its basic elements, syntax, and semantics. We give soundness and completeness proofs for RCL 2000 relative to a restricted form of first-order predicate logic. Also, we show how previously identified role-based authorization constraints such as separation of duty (SOD) can be expressed in our language. Moreover, we show there are other significant SOD properties that have not been previously identified in the literature. Our work shows that there are many alternate formulations of even the simplest SOD properties, with varying degree of flexibility and assurance. Our language provides us a rigorous foundation for systematic study of role-based authorization constraints.

Original languageEnglish (US)
Pages (from-to)207-226
Number of pages20
JournalACM Transactions on Information and System Security
Issue number4
StatePublished - Nov 1 2000
Externally publishedYes


  • Access control models
  • authorization constraints
  • constraints specification
  • Languages
  • role-based access control
  • Security

ASJC Scopus subject areas

  • Computer Science(all)
  • Safety, Risk, Reliability and Quality


Dive into the research topics of 'Role-Based Authorization Constraints Specification'. Together they form a unique fingerprint.

Cite this