In role-based access control (RBAC), the role hierarchy defines an inheritance relationship among roles: a senior role inherits all permissions of the junior roles below it, so a user assigned the senior role effectively holds every permission reachable through the hierarchy. The hierarchy may be a tree (set theory), as in the 1992 RBAC model of Ferraiolo and Kuhn, or a partially ordered set, as in the 1996 RBAC framework of Sandhu, Coyne, Feinstein, and Youman.
A simple Example#For example, the role structure for a bank may treat all employees as members of the "employee" role. Above this may be the roles "department manager" and "accountant", which inherit all permissions of the "employee" role, while above "department manager" could be "savings manager" and "loan manager", each of which inherits the permissions of "department manager" and, through it, of "employee".
For Object Oriented Folks#In object-oriented programming terms, a tree role hierarchy corresponds to single inheritance (each role has at most one immediate junior role), while a partial-order hierarchy allows multiple inheritance (a role may have several immediate junior roles). When treated as a partial order, the role hierarchy example given above could be extended to allow a role such as "branch manager" to inherit all permissions of "savings manager", "loan manager", and "accountant" at once.
Complications: Separation of Duty#Complications arise when constraints such as separation of duty exist between roles, because inheritance makes a senior role hold every permission of its juniors. If a static separation of duty constraint prohibits any user from holding both the "loan manager" and "accountant" roles, then "branch manager" cannot inherit from both of them: anyone assigned "branch manager" would effectively hold the two mutually exclusive roles. The constraint therefore has to be checked against the transitive closure of the hierarchy, not only against the roles a user is directly assigned. Either the hierarchy is changed so that "branch manager" inherits from only one of the two, or the constraint is made a dynamic separation of duty constraint, which allows the assignment but prevents both roles being activated in the same session.
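The hierarchy above, modelled as a partial order with transitive permission inheritance and a static separation of duty check, as an added example that is not part of the original page. The role names follow the bank example; the permission names, the `INHERITS_FROM` relation and the helper functions are constructed here for illustration and are not part of any particular RBAC implementation.

```python
"""Role hierarchy as a partial order, with inherited permissions and SSD checks.

Added example, not from the original page. Role, permission and relation
data below are constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

# Permissions granted directly to each role (constructed sample data).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "employee": {"read_customer_record", "use_email"},
    "department manager": {"approve_timesheet"},
    "accountant": {"post_ledger_entry"},
    "savings manager": {"open_savings_account"},
    "loan manager": {"approve_loan"},
}

# Immediate junior roles of each role (senior -> juniors it inherits from).
# A tree allows at most one junior per role; "branch manager" has three,
# so this relation is a partial order with multiple inheritance.
INHERITS_FROM: Dict[str, Set[str]] = {
    "department manager": {"employee"},
    "accountant": {"employee"},
    "savings manager": {"department manager"},
    "loan manager": {"department manager"},
    "branch manager": {"savings manager", "loan manager", "accountant"},
}


def junior_roles(role: str, inherits_from: Dict[str, Set[str]]) -> Set[str]:
    """All roles whose permissions `role` inherits, transitively (itself excluded)."""
    seen: Set[str] = set()
    stack = list(inherits_from.get(role, ()))
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        stack.extend(inherits_from.get(r, ()))
    return seen


def has_cycle(inherits_from: Dict[str, Set[str]]) -> bool:
    """A partial order must be acyclic; a role reachable from itself breaks that."""
    return any(r in junior_roles(r, inherits_from) for r in inherits_from)


def is_tree(inherits_from: Dict[str, Set[str]]) -> bool:
    """True when every role has at most one immediate junior (single inheritance)."""
    return not has_cycle(inherits_from) and all(
        len(js) <= 1 for js in inherits_from.values())


def effective_permissions(role: str,
                          role_permissions: Dict[str, Set[str]],
                          inherits_from: Dict[str, Set[str]]) -> Set[str]:
    """Direct permissions of `role` plus those of every role it inherits from."""
    perms = set(role_permissions.get(role, ()))
    for junior in junior_roles(role, inherits_from):
        perms |= role_permissions.get(junior, set())
    return perms


def ssd_violations(inherits_from: Dict[str, Set[str]],
                   mutually_exclusive: List[Tuple[str, str]]
                   ) -> List[Tuple[str, str, str]]:
    """Roles that would hold both members of a static SoD pair via inheritance.

    The check runs over the transitive closure, so a senior role that never
    mentions either conflicting role directly is still caught.
    """
    all_roles = set(inherits_from) | {
        j for juniors in inherits_from.values() for j in juniors}
    violations = []
    for role in sorted(all_roles):
        held = junior_roles(role, inherits_from) | {role}
        for a, b in mutually_exclusive:
            if a in held and b in held:
                violations.append((role, a, b))
    return violations


if __name__ == "__main__":
    print("tree:", is_tree(INHERITS_FROM))
    for r in sorted(INHERITS_FROM):
        print(r, "->", sorted(effective_permissions(r, ROLE_PERMISSIONS, INHERITS_FROM)))
    # The SSD pair from the text: nobody may be both loan manager and accountant.
    print("SSD violations:", ssd_violations(INHERITS_FROM, [("loan manager", "accountant")]))
```

Running the block reports that the relation is not a tree and that "branch manager" violates the ("loan manager", "accountant") constraint even though no user is assigned either role directly. Dropping "branch manager" from `INHERITS_FROM` turns the relation back into a tree and the violation disappears, which is the hierarchy change the text describes.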
More Information#More information on this subject may be found on the following pages:
- Dynamic Separation of Duty
- RBAC Defining Roles
- RBAC How are roles different from groups
- Static Separation of Duty