RBAC How are roles different from groups?#

There is a superficial similarity between RBAC roles and traditional groups. As normally implemented, a group is a collection of users, rather than a collection of permissions, and permissions can be associated with both users and the groups to which they belong.

The ability to tie permissions directly to users in a group-based mechanism is regarded as a "loophole" that makes it difficult to control the user-permission relationships.

Strict RBAC#

Strict RBAC requires all access through roles, and permissions are connected only to roles, not directly to users.

Indirection that Separates#

Because a role is a level of indirection that separates users from fine-grained permissions, it is more stable than the group concept. The same indirection also gives more flexibility in how permissions are assigned, since it makes functions such as RBAC constraints and RBAC Hierarchical possible.

As an example, changing the ACLs assigned to a Group would require the new assignment to be applied directly (or indirectly) to each user that is a member.

Concept of a Session#

Another aspect of RBAC that distinguishes it from traditional group mechanisms is the concept of a session, which allows dynamic activation of a subset of roles assigned to a user based on their current activity.

Core RBAC#

Core RBAC is also satisfied by systems whose group/ACL mechanism is robust enough to support the construction of a many-to-many relation among users and permissions.
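The following is an added example (not part of the original page) that models the distinctions described above in Python: permissions attach only to roles (Strict RBAC, no user-to-permission binding exists), a session activates a subset of the roles a user holds, and a change to a role's permissions reaches every assigned user without per-user edits. Role, user and permission names are constructed for illustration.

```python
class RBAC:
    """Core RBAC: permissions attach only to roles (Strict RBAC), users are
    assigned roles, and a session activates a subset of the user's roles."""

    def __init__(self):
        self.role_perms = {}   # role -> set of (operation, object) permissions
        self.user_roles = {}   # user -> set of roles; no user -> permission map exists
        self.sessions = {}     # session id -> (user, set of activated roles)

    def grant(self, role, perm):
        self.role_perms.setdefault(role, set()).add(perm)

    def revoke(self, role, perm):
        # Changing the role reaches every assigned user; no per-user edits.
        self.role_perms[role].discard(perm)

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def open_session(self, sid, user, roles):
        # Dynamic activation: only roles the user actually holds may be activated.
        roles, held = set(roles), self.user_roles.get(user, set())
        if not roles <= held:
            raise PermissionError(f"{user} is not assigned {sorted(roles - held)}")
        self.sessions[sid] = (user, roles)

    def check(self, sid, perm):
        # Access is decided by the session's active roles, not by all roles held.
        _, active = self.sessions[sid]
        return any(perm in self.role_perms[r] for r in active)


def demo():
    # Constructed scenario: a user holding two roles activates only one.
    rbac = RBAC()
    rbac.grant("auditor", ("read", "ledger"))
    rbac.grant("clerk", ("write", "ledger"))
    rbac.assign("alice", "auditor")
    rbac.assign("alice", "clerk")
    rbac.open_session("s1", "alice", {"auditor"})   # least privilege for this task
    out = {"read": rbac.check("s1", ("read", "ledger")),
           "write": rbac.check("s1", ("write", "ledger"))}
    rbac.revoke("auditor", ("read", "ledger"))      # one edit, all holders affected
    out["read_after_revoke"] = rbac.check("s1", ("read", "ledger"))
    return out
```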

Groups Are Bad#

See the Groups Are Bad page.

More Information#

There might be more information for this subject on one of the following:

This page (revision-6) was last changed on 06-Jun-2013 17:15 by jim