Scott D. Stoller, Ping Yang, C. R. Ramakrishnan, and Mikhail I. Gofman.

Administrative RBAC (ARBAC) policies specify how Role-Based Access
Control (RBAC) policies may be changed by each administrator. It is
often difficult to fully understand the effect of an ARBAC policy by
simple inspection, because sequences of changes by different
administrators may interact in unexpected ways. ARBAC policy
analysis algorithms can help by answering questions, such as
user-role reachability, which asks whether a given user can be
assigned to given roles by given administrators. This problem is
intractable in general. This paper identifies classes of policies of
practical interest, develops analysis algorithms for them, and
analyzes their parameterized complexity, showing that the algorithms
may have high complexity with respect to some parameter *k*
characterizing the hardness of the input (such that *k* is often
small in practice) but have polynomial complexity in terms of the
overall input size when the value of *k* is fixed.
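
The user-role reachability question described above, as an added example that is not the paper's algorithm or code: a brute-force breadth-first search over a user's possible role sets, which is exponential in the number of roles. The policy, the role names and the rule encoding (`can_assign` with positive and negative preconditions, `can_revoke`) are constructed for illustration, and administrative role membership is assumed to stay fixed during the search.

```python
from collections import deque

# Constructed policy (hypothetical roles, not taken from the paper's case studies).
# can_assign rule: (admin_role, positive_preconditions, negative_preconditions, target_role)
CAN_ASSIGN = [
    ("Chair", {"Student"}, {"TA"}, "Grader"),       # a TA may not become a Grader
    ("Dean", {"Grader"}, set(), "TA"),
    ("Chair", {"TA", "Grader"}, set(), "Instructor"),
]
# can_revoke rule: (admin_role, target_role)
CAN_REVOKE = [("Dean", "TA"), ("Chair", "Student")]


def successors(state, admin_roles):
    """Yield (action, next_state) for each single change the acting admins may make."""
    for admin, pos, neg, target in CAN_ASSIGN:
        allowed = admin in admin_roles and pos <= state and not (neg & state)
        if allowed and target not in state:
            yield f"{admin} assigns {target}", state | {target}
    for admin, target in CAN_REVOKE:
        if admin in admin_roles and target in state:
            yield f"{admin} revokes {target}", state - {target}


def reachable(initial, goal, admin_roles):
    """Return a shortest list of actions giving the user every goal role, or None."""
    start, goal = frozenset(initial), frozenset(goal)
    seen = {start}
    queue = deque([(start, [])])
    while queue:
        state, path = queue.popleft()
        if goal <= state:
            return path
        for action, nxt in successors(state, admin_roles):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [action]))
    return None


if __name__ == "__main__":
    # Neither administrator alone can make a Student an Instructor; together they can.
    print(reachable({"Student"}, {"Instructor"}, {"Chair"}))
    print(reachable({"Student"}, {"Instructor"}, {"Chair", "Dean"}))
    # A revocation by one admin enables an assignment by the other.
    print(reachable({"Student", "TA"}, {"Instructor"}, {"Chair", "Dean"}))
```

The third query shows the kind of interaction the abstract refers to: the negative precondition on Grader blocks the Chair until the Dean revokes TA, after which the Dean re-assigns it.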

Case Study: RBAC and ARBAC Policies for a University

Case Study: RBAC and ARBAC Policies for a Small Health Care Facility