How are roles different from groups?
There is a superficial similarity between RBAC roles and traditional groups. As normally implemented, a group is a collection of users, rather than a collection of permissions, and permissions can be associated with both users and the groups to which they belong.
The ability to tie permissions directly to users in a group-based mechanism is regarded as a "loophole" that makes it difficult to control the user-permission relationships.
Strict RBAC requires all access through roles, and permissions are connected only to roles, not directly to users.
Indirection that Separates
Roles, being an indirection that separates users from fine-grained permissions, are more stable than the group concept. This level of indirection also allows more flexibility in the assignment of permissions, through RBAC constraints and Hierarchical RBAC.
As an example, changing the ACLs assigned to a group would require the change to be applied directly (or indirectly) to each user that is a member, whereas changing the permissions of a role changes them at once for every user assigned to that role.
Concept of a Session
Another aspect of RBAC that distinguishes it from traditional group mechanisms is the concept of a session, which allows dynamic activation of a subset of the roles assigned to a user, based on their current activity. A user who holds several roles need only activate the ones the current task requires.
Core RBAC nevertheless encompasses systems with a robust group/ACL mechanism, provided that mechanism supports the construction of a many-to-many relation between users and permissions.
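The following is an added example, not code from the original page or from any RBAC reference implementation. It models both mechanisms discussed above in a few dozen lines: a group/ACL store in which permissions may be tied to groups or directly to users (the "loophole" from the first paragraph, shown by a revocation at the group that silently leaves a direct grant in place), and a core RBAC store in which permissions attach only to roles, a session activates a subset of the user's assigned roles, and a change to a role's permissions reaches every assigned user at once. User, role, group and permission names are constructed for the illustration.

```python
"""Group/ACL versus core RBAC: a constructed, runnable comparison (added example)."""
from collections import defaultdict

# Constructed permissions, written as (operation, object) pairs.
APPROVE = ("approve", "invoice")
AUDIT = ("read", "audit_log")
POST = ("post", "ledger")


class GroupAcl:
    """Group-based mechanism: permissions may be tied to groups OR directly to users."""

    def __init__(self):
        self.group_members = defaultdict(set)  # group -> users
        self.group_perms = defaultdict(set)    # group -> permissions
        self.user_perms = defaultdict(set)     # user -> permissions (the loophole)

    def add_member(self, group, user):
        self.group_members[group].add(user)

    def grant_group(self, group, perm):
        self.group_perms[group].add(perm)

    def revoke_group(self, group, perm):
        self.group_perms[group].discard(perm)

    def grant_user(self, user, perm):
        self.user_perms[user].add(perm)

    def holders(self, perm):
        """Who can exercise perm? Both group grants and every direct grant must be scanned."""
        users = {u for u, ps in self.user_perms.items() if perm in ps}
        for group, ps in self.group_perms.items():
            if perm in ps:
                users |= self.group_members[group]
        return users


class CoreRbac:
    """Core RBAC: permissions attach only to roles (PA), users only to roles (UA),
    and a permission is exercised only through a session's active roles."""

    def __init__(self):
        self.role_perms = defaultdict(set)  # PA: role -> permissions
        self.user_roles = defaultdict(set)  # UA: user -> roles
        self.sessions = {}                  # session id -> (user, active roles)

    def assign_user(self, user, role):
        self.user_roles[user].add(role)

    def grant_role(self, role, perm):
        self.role_perms[role].add(perm)

    def create_session(self, sid, user, roles):
        """Activate a subset of the user's roles; roles never assigned are rejected."""
        roles = set(roles)
        missing = roles - self.user_roles[user]
        if missing:
            raise PermissionError(f"{user} is not assigned roles {sorted(missing)}")
        self.sessions[sid] = (user, roles)

    def check_access(self, sid, perm):
        """Access is decided against the session's ACTIVE roles, not all assigned roles."""
        _, active = self.sessions[sid]
        return any(perm in self.role_perms[r] for r in active)

    def holders(self, perm):
        """Who can reach perm? Only the role table needs to be consulted."""
        roles = {r for r, ps in self.role_perms.items() if perm in ps}
        return {u for u, rs in self.user_roles.items() if rs & roles}


def group_loophole_example():
    """Revoking at the group does not touch bob's direct grant."""
    acl = GroupAcl()
    acl.add_member("finance", "alice")
    acl.grant_group("finance", APPROVE)
    acl.grant_user("bob", APPROVE)        # direct user-permission tie
    before = acl.holders(APPROVE)
    acl.revoke_group("finance", APPROVE)  # administrator believes APPROVE is withdrawn
    after = acl.holders(APPROVE)
    return before, after                  # ({'alice', 'bob'}, {'bob'})


def rbac_session_example():
    """Only the activated role is usable; a role change reaches every assigned user."""
    rbac = CoreRbac()
    rbac.grant_role("accountant", APPROVE)
    rbac.grant_role("auditor", AUDIT)
    rbac.assign_user("alice", "accountant")
    rbac.assign_user("alice", "auditor")
    rbac.assign_user("carol", "accountant")
    rbac.create_session("s1", "alice", {"accountant"})  # least privilege for this task
    can_approve = rbac.check_access("s1", APPROVE)
    can_audit = rbac.check_access("s1", AUDIT)
    rbac.grant_role("accountant", POST)   # one change, every accountant gains POST
    return can_approve, can_audit, rbac.holders(POST)


def session_rejects_unassigned():
    """A session cannot activate a role the user was never assigned."""
    rbac = CoreRbac()
    rbac.assign_user("dave", "clerk")
    try:
        rbac.create_session("s2", "dave", {"clerk", "auditor"})
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(group_loophole_example())
    print(rbac_session_example())
    print(session_rejects_unassigned())
```

The `holders` methods make the practical point: answering "who can approve an invoice?" under the group/ACL model requires scanning every user's direct grants as well as every group, while under core RBAC the role table alone answers it, which is what makes the role assignment reviewable and revocation reliable.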
See also: Groups Are Bad