!!! Overview
[{$pagename}] is a collection of [entitlements] that define access rights and definitions.

[{$pagename}]s are used in various [Access Control Models].

No common definition of a [{$pagename}].

Our [Entitlement Example] shows how we think a [{$pagename}] should be considered.

There is a lot of confusion and differing ideas on [{$pagename}]s when related to [IDM]. The concept of the role is to provide a level of indirection separating users from fine-grained [permissions] and assign the [permissions] to the role and then the role to the various users as desired.

[Roles] and [Entitlements] are hard and complex.

A [{$pagename}] is a collection of [entitlements] (or [Privileges]) that are created for the various job functions in an organization.

For many of our discussions we will use [{$pagename}] as a collection of [Privileges] which we may specifically refer to as [Entitlements].

!! Semantic Construct
A [{$pagename}] is properly viewed as a semantic construct around which [Access Control] policies are formulated. Some things to keep in mind on roles:
* The particular collection of users and [Privileges] brought together by a [{$pagename}] is transitory. 
* The [{$pagename}] is more stable because an organization's [Entitlements] or functions usually change less frequently.

!! Role Rules (Dynamic Role Model)
Rules extend the static model, established by attaching a user to a Role, by examining user attributes such as:
* department code 
* location code
* additional known details, such as mail server location

!!![RBAC How are roles different from groups]?
[RBAC How are roles different from groups]?

!!![RBAC Defining Roles|RBAC Defining Roles]
TBD

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]