
Saturday, September 06, 2008

RBAC

Role-Based Access Control is an alternative to discretionary access control and mandatory access control.

Within an organisation, roles are created for various job functions, and these roles are assigned permissions. Staff are made members of appropriate roles and thus acquire the permissions assigned to those roles.

This greatly simplifies the administration of permissions. For example, a staff member who changes departments can simply be assigned a new role, rather than having all existing access revoked and a new set of access controls created. As the staff member's career progresses, his or her roles are extended and the associated permissions are granted automatically.

Within an organisation there will exist an ever-evolving policy for access control. RBAC is itself policy neutral and readily facilitates the application of the organisation's policy.

With the concepts of role hierarchy and constraints, RBAC can be configured to create or simulate Lattice-Based Access Control (LBAC). RBAC can thus be considered a superset of LBAC.

When defining an RBAC model, the following conventions are useful:

U = User = Person or automated agent of some kind.

R = Role = Job function / Title which defines an authority level.

P = Permissions = An approval of a mode of access to a resource.

S = Session = A mapping involving U, R and/or P

UA = User Assignment.

PA = Permission Assignment

RH = Partially ordered role Hierarchy

RH can also be written using the symbol >

A user can have multiple roles.

A role can have multiple users.

A role can have many permissions.

A permission can be assigned to many roles.

A constraint places a restrictive rule on the potential inheritance of permissions from opposing roles. For example, the same person should not be allowed both to create a log-in account for someone and to authorise that procedure.

Thus, using set-theory notation:

PA ⊆ P × R is a many-to-many permission-to-role assignment relation.

UA ⊆ U × R is a many-to-many user-to-role assignment relation.

RH ⊆ R × R is the partially ordered role hierarchy.

The notation x > y means that x inherits the permissions of y.

A user may have multiple simultaneous sessions with different permissions.
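The model described above, as an added example that is not part of the original page: a small Python implementation of the UA, PA and RH relations, transitive inheritance through the role hierarchy, a mutually-exclusive-role constraint checked at user assignment, and sessions that activate a subset of a user's roles. The class, its method names and any role, user or permission names used with it are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class RBAC:
    """Hypothetical RBAC model (added example): UA, PA, RH and a constraint."""
    ua: set = field(default_factory=set)   # UA ⊆ U × R, as (user, role) pairs
    pa: set = field(default_factory=set)   # PA ⊆ P × R, as (permission, role) pairs
    rh: set = field(default_factory=set)   # RH ⊆ R × R, as (senior, junior): senior > junior
    ssd: set = field(default_factory=set)  # constraint: frozensets of roles no user may hold together

    def juniors(self, role):
        # Transitive closure of RH: the role itself plus every role it inherits from.
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(j for (s, j) in self.rh if s == r)
        return seen

    def roles_of(self, user):
        return {r for (u, r) in self.ua if u == user}

    def assign_user(self, user, role):
        # Constraint check before adding to UA: refuse a role that conflicts,
        # directly or through inheritance, with one the user already holds.
        held = set().union(*(self.juniors(r) for r in self.roles_of(user)))
        for new in self.juniors(role):
            for h in held:
                if frozenset((new, h)) in self.ssd:
                    raise ValueError(f"{user}: {role} conflicts with {h}")
        self.ua.add((user, role))

    def permissions(self, roles):
        # Permissions granted by a set of roles, including those inherited via RH.
        effective = set().union(*(self.juniors(r) for r in roles))
        return {p for (p, r) in self.pa if r in effective}

    def open_session(self, user, roles):
        # A session activates a subset of the user's assigned roles, so two
        # sessions of the same user may carry different permissions.
        if not set(roles) <= self.roles_of(user):
            raise ValueError(f"{user} is not assigned all of {sorted(roles)}")
        return frozenset(roles)

    def check(self, session, permission):
        return permission in self.permissions(session)
```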
