Hierarchical RBAC expands Core RBAC with the ability to define inheritance relations between roles: a senior role acquires the permissions of the junior roles it inherits from, so permissions need only be assigned once, to the most junior role that requires them.

In role based access control, the role hierarchy defines an inheritance relationship among roles.

A simple Example#

For example, the role structure for a bank may treat all employees as members of the "employee" role. Above this may be the roles "department manager" and "accountant", which inherit all permissions of the "employee" role, while above "department manager" could be "savings manager" and "loan manager", which inherit everything "department manager" (and therefore "employee") holds.

Role Hierarchy Models#

RBAC models generally treat the role hierarchy as either a tree (each role has at most one parent), as in the 1992 RBAC model of Ferraiolo and Kuhn, or a partially ordered set (a role may have several), as in the 1996 RBAC framework of Sandhu, Coyne, Feinstein, and Youman.

The NIST RBAC model, which unified the FK and SCFY models, treats the role hierarchy as a partial order, although RBAC products have generally not gone beyond tree-structured hierarchies.

For Object Oriented Folks#

In object-oriented programming terms, the tree role hierarchy is single inheritance, while the partial order hierarchy allows multiple inheritance. When treated as a partial order, the role hierarchy example given above could be extended to allow a role such as "branch manager" to inherit all permissions of "savings manager", "loan manager", and "accountant".

Complications with Separation of Duty#

Complications can arise when constraints such as Separation of Duty exist between roles. If Separation of Duty were used to prohibit personnel from holding both the "loan manager" and "accountant" roles, then "branch manager" could not inherit permissions from both of them. In the NIST model a static Separation of Duty constraint applies to every role a user is authorized for, including roles reached through inheritance, not only to roles assigned directly, so the conflict must be checked against the transitive closure of the hierarchy, and an implementation should reject either the inheritance edge or the constraint rather than silently granting both sets of permissions.
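The following Python is an added example (not code from the original page) that implements the bank hierarchy above as a partial order, computes inherited permissions through the transitive closure of the inheritance relation, and then checks a NIST-style static Separation of Duty constraint against that closure, which is exactly where "branch manager" inheriting from both "loan manager" and "accountant" fails. The role names are the page's; the permission strings (`approve:loan`, `post:ledger_entry`, and so on) and the class and method names are assumptions made for the example.

```python
from collections import deque


class RoleHierarchy:
    """Role hierarchy as a partial order: a role may inherit from several
    junior roles (multiple inheritance). Static separation of duty (SSD)
    constraints are checked against the *inherited* role set, as the NIST
    model requires, not only against directly assigned roles.
    Names and permission strings are constructed for this example."""

    def __init__(self):
        self._juniors = {}   # role -> set of roles it directly inherits from
        self._perms = {}     # role -> set of permissions assigned directly
        self._ssd = []       # list of (frozenset of roles, n): no role may be
                             # authorized for n or more roles in the set

    def add_role(self, role, inherits=(), permissions=()):
        # A role may only inherit from roles defined before it, so the
        # relation is acyclic by construction and stays a partial order.
        if role in self._juniors:
            raise ValueError(f"role {role!r} already defined")
        for junior in inherits:
            if junior not in self._juniors:
                raise ValueError(f"unknown junior role {junior!r}")
        self._juniors[role] = set(inherits)
        self._perms[role] = set(permissions)

    def authorized_roles(self, role):
        """The role itself plus everything reachable through inheritance
        (reflexive transitive closure), computed by breadth-first search."""
        seen = {role}
        queue = deque([role])
        while queue:
            current = queue.popleft()
            for junior in self._juniors[current]:
                if junior not in seen:
                    seen.add(junior)
                    queue.append(junior)
        return seen

    def permissions(self, role):
        """Union of the direct permissions of every authorized role."""
        perms = set()
        for r in self.authorized_roles(role):
            perms |= self._perms[r]
        return perms

    def add_ssd(self, roles, n=2):
        roles = frozenset(roles)
        if n < 2 or n > len(roles):
            raise ValueError("n must satisfy 2 <= n <= len(roles)")
        self._ssd.append((roles, n))

    def ssd_violations(self):
        """Roles that, through inheritance, are authorized for n or more
        members of an SSD role set. Returns {role: conflicting roles}."""
        violations = {}
        for role in self._juniors:
            held = self.authorized_roles(role)
            for roles, n in self._ssd:
                conflict = held & roles
                if len(conflict) >= n:
                    violations.setdefault(role, set()).update(conflict)
        return violations


def build_bank(with_branch_manager=True):
    """The page's bank example. Permission strings are made up."""
    h = RoleHierarchy()
    h.add_role("employee", permissions={"read:branch_bulletin"})
    h.add_role("department manager", inherits=["employee"],
               permissions={"approve:timesheet"})
    h.add_role("accountant", inherits=["employee"],
               permissions={"post:ledger_entry"})
    h.add_role("savings manager", inherits=["department manager"],
               permissions={"open:savings_account"})
    h.add_role("loan manager", inherits=["department manager"],
               permissions={"approve:loan"})
    if with_branch_manager:
        # Multiple inheritance: only expressible in a partial order.
        h.add_role("branch manager",
                   inherits=["savings manager", "loan manager", "accountant"])
    # SSD: nobody may be authorized for both loan manager and accountant.
    h.add_ssd({"loan manager", "accountant"})
    return h


if __name__ == "__main__":
    bank = build_bank()
    for role in ["savings manager", "branch manager"]:
        print(role, "->", sorted(bank.permissions(role)))
    print("SSD violations:", bank.ssd_violations())
```

Running the block prints the inherited permission sets and reports "branch manager" as the single SSD violation, since its transitive role set contains both "loan manager" and "accountant"; the tree-only hierarchy built with `with_branch_manager=False` has none. A production implementation would perform this check inside `add_role` and `add_ssd` and refuse the offending edge or constraint instead of reporting it afterwards.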


« This page (revision-9) was last changed on 02-Jul-2015 10:48 by MikeSmith