However, at most efforts concerning RBAC constraints focused primarily on Separation of Duty constraints. With the increasing interest in RBAC in general and constraint based RBAC in particular, research pertaining to other types of RBAC constraints also gained in importance.
Types of Constraints#
Static constraints #Static constraints refer to constraints that can be evaluated directly at design time or upon assignment of a role within an RBAC model (e.g. Static Separation of Duty).
Dynamic constraints #Dynamic constraints can only be checked at run-time according to the actual values of specific attributes, or with respect to characteristics of the current session (e.g. Dynamic Separation of Duty, or time constraints)
Endogenous constraints#Endogenous constraints are constraints that relate to intrinsic properties of an RBAC model, and inherently affect the structure and construction of a concrete instance of an RBAC model.
Moreover, it also influences the definition of the respective role-hierarchy since it further prohibits that two distinct roles to which these permissions are assigned can have a common senior role. Otherwise a common senior could acquire both (mutual exclusive) permissions and thereby violate the corresponding SSD constraint. Similar effects can be observed for cardinality constraints for instance.
Exogenous constraints#Exogenous constraints are constraints that apply to attributes that do not belong to the core elements of an RBAC model, but are defined as side conditions for certain operations or decisions of an access control service.
An example can be time constraints that restrict role activation to a specific time interval, or allow access operations for a particular resource only on a specific weekday.