• Report

2010 Economic analysis of role-based access control. Final report


O'Connor, A., & Loomis, R. (2010). 2010 Economic analysis of role-based access control. Final report. (Prepared for National Institute of Standards and Technology). Research Triangle Park, NC: RTI International.


This study is a retrospective economic impact analysis of role-based access control (RBAC), one of the principal approaches for managing users’ access to information technology resources.

For most organizations, networks, data, applications, and hardware and software systems are shared resources that users access to perform their duties. With access, however, comes the risk of intentional or unintentional misuse of or changes to systems and data, thereby threatening the integrity, confidentiality, and availability of an organization’s information and its infrastructure.

IT managers wrestle with aligning engineered technology resources to business processes that are fluid and dynamic. Further, information privacy and internal-controls regulations have been enacted that specify access control policy characteristics with which systems must comply. And because organizations change faster than systems and face exogenous shocks like privacy regulations, legacy design issues generate friction between business operations and their counterparts in IT.

RBAC is arguably the most important innovation in identity and access management since discretionary and mandatory access control (Anderson, 2001; Bertino and Sandhu, 2005). It is the principle of controlling access entirely through “roles” created in the system that align to job functions (such as bank teller), assigning permissions to those roles, and then assigning those roles to employees, rather than using access control lists (ACLs) that assign permissions directly to users on an as-needed basis. A 2002 study completed by RTI International forecasted that RBAC could save U.S. organizations hundreds of millions of dollars per year (Gallaher, O’Connor, and Kropp, 2002).