Role-Based Access Control for the Large Hadron Collider at CERN

  • Ilia Yastrebov 1. European Organization for Nuclear Research Switzerland, 1211 Geneva 23, and 2. Joint Institure for Nuclear Research Russia, 141980 Dubna, 6 Jolio-Curie E-mail:


Large Hadron Collider (LHC) is the largest scientific instrument ever created. It was built with the intention of testing the most extreme conditions of the matter. Taking into account the significant dangers of LHC operations, European Organization for Nuclear Research (CERN) has developed multi-pronged approach for machine safety, including access control system. This system is based on rolebased access control (RBAC) concept. It was designed to protect from accidental and unauthorized access to the LHC and injector equipment. This paper introduces the new model of the role-based access control developed at CERN and gives detailed mathematical description of it. We propose a new technique called dynamic authorization that allows deploying RBAC gradually in the large systems. Moreover, we show how the protection for the very large distributed equipment control system may be implemented in efficient way. This paper also describes motivation of the project, requirements and overview of the main components: authentication and authorization.


[1] CERN: Why the LHC. (2008), Accessed 1 August 2009.

[2] Wikipedia: Large Hadron Collider. (2008), Accessed 1 August 2009.

[3] CERN: What is LHCb. CERN FAQ LHC: the guide. CERN Communication Group. (2008). Accessed 9 December 2008.

[4] Wenninger J.: Operational challenges of the LHC. (2007), Accessed 1 August 2009

[5] Wikipedia: Role Based Access Control,, Accessed 1 August 2009

[6] Petrov A., Schumann C., Gysin S.: User Authentication for Role-Based Access Control. Proceedings of ICALEPCS 2007

[7] Ferraiolo D.F., Kuhn D.R.: Role Based Access Control. 15th National Computer Security Conference, Baltimore, USA, (1992)

[8] Sandhu R., Coyne E. J., Feinstein H. L., Youman C. E.: Role-Based Access Control Models. IEEE Computer 29 (2): 38-47, (1996)

[9] Sandhu R., Ferraiolo D.F., Kuhn D.R.: The NIST Model for Role Based Access Control: Toward a Unified Standard, 5th ACM Workshop Role-Based Access Control, 47-63, (2000)

[10] Ferraiolo D.F., Cugini J.A., D. Kuhn D.R.: Role-Based Access Control (RBAC): Features and Motivations. Proceedings of 11th Annual Computer Security Application Conference, New Orleans, LA, 241-248, (1995)

[11] Gysin S., Kostro K., Kruk G., Lamont M., Lueders S., SliwinskiW., Charrue P.: Role-Based Access for the Accelerator Control System in the LHC Area - Requirements, EDMS Id 769302, (2006)

[12] Charrue P. et al.: Role Based Access Control for the Accelerator Control System in the LHC Era - Design. EDMS Id 805654, (2007)

[13] Kostro K., Baggiolini V., Calderini F., Chevrier F., Jensen S., Swoboda R., Trofimov N.: Controls Middleware - the New Generation, EPAC, Paris, France, p. 2028. (2002)

[14] Kostro K., Gajewski W., Gysin S.: Role-Based Authorization in Equipment Access at CERN. Proceedings of ICALEPCS, (2007)
How to Cite
YASTREBOV, Ilia. Role-Based Access Control for the Large Hadron Collider at CERN. INTERNATIONAL JOURNAL OF COMPUTERS COMMUNICATIONS & CONTROL, [S.l.], v. 5, n. 3, p. 398-409, sep. 2010. ISSN 1841-9844. Available at: <>. Date accessed: 16 july 2020. doi:


Software development, role-based access control, information security, equipment protection