Overview

A Role is a collection of permissions that together define a set of access rights.
Roles are used in various Access Control Models.
There is no single, commonly agreed definition of a Role.
Our Entitlement Example shows how we think a Role should be considered.
There is a lot of confusion and differing ideas on roles when related to IDM. The concept of the role is to provide a level of indirection that separates users from fine-grained permissions: permissions are assigned to the role, and the role is then assigned to the various users as desired.
A Role is a collection of permissions that are created for the various job functions in an organization.
Semantic Construct

A role is properly viewed as a semantic construct around which Access Control policies are formulated. Some things to keep in mind on roles:
- The particular collection of users and permissions brought together by a role is transitory.
- The role is more stable because an organization's activities or functions usually change less frequently.
Role Rules (Dynamic Role Model)

Rules extend the static model, established by attaching a user to a Role, by examining user attributes such as:
- department code
- location code
- additional known details, such as mail server location
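The following is an added example (not code from this page or from any IDM product) that puts the two ideas above into working form: the role as a level of indirection between users and permissions, and the dynamic model in which rules over user attributes such as a department code or location code extend the static user-to-role assignments. Role names, permission strings, attribute names (`departmentCode`, `locationCode`) and the sample users are all constructed for illustration.

```python
"""Role as indirection: users -> roles -> permissions, with static
(assigned) and dynamic (rule-derived) role membership.
Added example; role names, attributes and users are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

# A rule inspects a user's attributes and says whether a role applies.
Rule = Callable[[Dict[str, str]], bool]


@dataclass
class Role:
    name: str
    permissions: Set[str] = field(default_factory=set)


@dataclass
class RoleEngine:
    roles: Dict[str, Role] = field(default_factory=dict)
    # Static model: user id -> explicitly assigned role names.
    static: Dict[str, Set[str]] = field(default_factory=dict)
    # Dynamic model: (role name, rule evaluated over user attributes).
    rules: List[Tuple[str, Rule]] = field(default_factory=list)

    def define_role(self, name: str, permissions: Set[str]) -> None:
        self.roles[name] = Role(name, set(permissions))

    def assign(self, uid: str, role_name: str) -> None:
        # Fail closed: never attach a user to a role that was not defined.
        if role_name not in self.roles:
            raise KeyError(f"undefined role: {role_name}")
        self.static.setdefault(uid, set()).add(role_name)

    def add_rule(self, role_name: str, rule: Rule) -> None:
        if role_name not in self.roles:
            raise KeyError(f"undefined role: {role_name}")
        self.rules.append((role_name, rule))

    def roles_for(self, user: Dict[str, str]) -> Set[str]:
        """Static assignments plus every role whose rule matches the attributes."""
        derived = {name for name, rule in self.rules if rule(user)}
        return set(self.static.get(user["uid"], set())) | derived

    def permissions_for(self, user: Dict[str, str]) -> FrozenSet[str]:
        # Permissions are never attached to the user directly, only via roles.
        perms: Set[str] = set()
        for name in self.roles_for(user):
            perms |= self.roles[name].permissions
        return frozenset(perms)

    def is_allowed(self, user: Dict[str, str], permission: str) -> bool:
        return permission in self.permissions_for(user)


def build_engine() -> RoleEngine:
    """Constructed sample: three roles, one static assignment, two attribute rules."""
    eng = RoleEngine()
    eng.define_role("finance-reader", {"ledger:read"})
    eng.define_role("nyc-printer-user", {"printer:nyc:print"})
    eng.define_role("helpdesk", {"account:reset-password"})
    eng.assign("alice", "helpdesk")  # static model
    eng.add_rule("finance-reader", lambda u: u.get("departmentCode") == "FIN")
    eng.add_rule("nyc-printer-user", lambda u: u.get("locationCode") == "NYC")
    return eng


# Constructed users; attribute names are assumptions, not from a real directory.
ALICE = {"uid": "alice", "departmentCode": "FIN", "locationCode": "NYC"}
BOB = {"uid": "bob", "departmentCode": "ENG", "locationCode": "SFO"}

if __name__ == "__main__":
    eng = build_engine()
    for u in (ALICE, BOB):
        print(u["uid"], sorted(eng.roles_for(u)), sorted(eng.permissions_for(u)))
    # Indirection at work: change the role once and every member sees it.
    eng.roles["finance-reader"].permissions.add("ledger:export")
    print("alice ledger:export ->", eng.is_allowed(ALICE, "ledger:export"))
```

Two points from the text are visible when this runs: membership is transitory (move alice's `locationCode` away from `NYC` and `nyc-printer-user` disappears from her role set without any administrator action), while the role itself is the stable object (adding `ledger:export` to `finance-reader` changes the rights of every finance user at once). Rule evaluation here is a plain predicate over a dictionary; in a directory-backed deployment the same predicates would be evaluated against the user's entry attributes.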