Overview#
A Role is a collection of entitlements that define access rights and definitions. Roles are used in various Access Control Models.
There is no common definition of a Role.
Our Entitlement Example shows how we think a Role should be considered.
There is a lot of confusion and differing ideas on Roles when related to IDM. The concept of the Role is to provide a level of indirection separating users from fine-grained permissions: the permissions are assigned to the Role, and the Role is then assigned to the various users as desired.
Roles and Entitlements are hard and complex.
A Role is a collection of entitlements (or Privileges) that are created for the various job functions in an organization.
For many of our discussions we will use Role as a collection of Privileges which we may specifically refer to as Entitlements.
Semantic Construct#
A Role is properly viewed as a semantic construct around which Access Control policies are formulated. Some things to keep in mind on roles:
- The particular collection of users and Privileges brought together by a Role is transitory.
- The Role is more stable because an organization's Entitlements or functions usually change less frequently.
Role Rules (Dynamic Role Model)#
Rules extend the static model, established by attaching a user to a Role, by examining user attributes such as:
- department code
- location code
- additional known details, such as mail server location
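The following is an added example, not code from this wiki or from any product it describes, that puts the two ideas above into working form: the Role as a level of indirection between users and fine-grained permissions (Overview), and role rules that derive additional Roles from user attributes such as department code, location code and mail server location (Dynamic Role Model). All role names, entitlement names, attribute names (departmentCode, locationCode, mailServer) and the two users are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Iterable, List, Set

# A role rule inspects a user's attributes and returns the Roles it implies.
# This is the dynamic part of the model; static assignment is User.static_roles.
RoleRule = Callable[[Dict[str, str]], Set[str]]


@dataclass
class User:
    uid: str
    attributes: Dict[str, str]                      # constructed directory attributes
    static_roles: Set[str] = field(default_factory=set)


class RoleStore:
    """Role -> Entitlement mapping plus the rules that assign Roles dynamically.

    Users are never mapped to entitlements directly; every permission decision
    goes through a Role, so changing a Role changes every user holding it.
    """

    def __init__(self, role_entitlements: Dict[str, Iterable[str]], rules: Iterable[RoleRule]):
        self.role_entitlements: Dict[str, Set[str]] = {
            role: set(ents) for role, ents in role_entitlements.items()
        }
        self.rules: List[RoleRule] = list(rules)

    def effective_roles(self, user: User) -> Set[str]:
        """Static roles plus whatever the dynamic rules add for this user's attributes."""
        roles = set(user.static_roles)
        for rule in self.rules:
            roles |= rule(user.attributes)
        # A Role that is not defined grants nothing (fail closed on stale assignments).
        return {r for r in roles if r in self.role_entitlements}

    def effective_entitlements(self, user: User) -> FrozenSet[str]:
        """Union of the entitlements of every effective Role."""
        ents: Set[str] = set()
        for role in self.effective_roles(user):
            ents |= self.role_entitlements[role]
        return frozenset(ents)

    def is_permitted(self, user: User, entitlement: str) -> bool:
        """The access-control decision: is this entitlement reachable via some Role?"""
        return entitlement in self.effective_entitlements(user)

    def revoke_from_role(self, role: str, entitlement: str) -> None:
        """Remove an entitlement from a Role; every holder of the Role loses it at once."""
        self.role_entitlements[role].discard(entitlement)


# --- constructed example data (hypothetical names) ---------------------------

def department_rule(attrs: Dict[str, str]) -> Set[str]:
    # Everyone in department "FIN" acts as a payroll clerk.
    return {"payroll-clerk"} if attrs.get("departmentCode") == "FIN" else set()


def mail_admin_rule(attrs: Dict[str, str]) -> Set[str]:
    # Staff located in the EU whose mailbox lives on the EU mail server
    # administer that server; both attributes must match.
    in_eu = attrs.get("locationCode", "").startswith("EU-")
    on_eu_mx = attrs.get("mailServer") == "mx-eu"
    return {"mail-admin-eu"} if in_eu and on_eu_mx else set()


def build_example_store() -> RoleStore:
    return RoleStore(
        role_entitlements={
            "payroll-clerk": {"payroll:read", "payroll:submit"},
            "payroll-approver": {"payroll:read", "payroll:approve"},
            "helpdesk": {"account:read", "account:reset-password"},
            "mail-admin-eu": {"mail:eu:admin"},
        },
        rules=[department_rule, mail_admin_rule],
    )


def example_users() -> List[User]:
    alice = User(
        uid="alice",
        attributes={"departmentCode": "FIN", "locationCode": "EU-AMS", "mailServer": "mx-eu"},
        static_roles={"payroll-approver"},
    )
    bob = User(
        uid="bob",
        attributes={"departmentCode": "IT", "locationCode": "US-NYC", "mailServer": "mx-us"},
        static_roles={"helpdesk", "retired-role"},   # "retired-role" no longer exists
    )
    return [alice, bob]


if __name__ == "__main__":
    store = build_example_store()
    for user in example_users():
        print(user.uid, sorted(store.effective_roles(user)), sorted(store.effective_entitlements(user)))
```

Two points worth noticing when reading the output: alice holds one static Role but three effective Roles, two of them derived from her attributes, and after `revoke_from_role("payroll-clerk", "payroll:submit")` she (and every other clerk) loses that entitlement without any per-user change, which is the indirection the Overview describes. The filter in `effective_roles` also shows why a defined Role catalogue matters: bob's stale `retired-role` assignment grants nothing rather than something unexpected.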
RBAC How are roles different from groups?#
RBAC How are roles different from groups?
RBAC Defining Roles#
TBD
More Information#
There might be more information for this subject on one of the following:
- AWS IAM
- AWS Security Group
- Entitlement
- Entitlement Example
- G-Suite Super Admin
- GCP Project Owner
- GCP Role
- Glossary Of LDAP And Directory Terminology
- Google Cloud IAM
- INCITS 359
- RBAC
- RBAC Defining Roles
- RBAC How are roles different from groups
- RBAC Session
- RBAC constraints
- RBAC vs ABAC
- Role
- Security Controls For This Wiki
- Verinym
- XACML