Overview#

Role is a collection of entitlements that define access rights and definitions.

Roles are used in various Access Control Models.

No common definition of a Role.

Our Entitlement Example shows how we think a Role should be considered.

There is a lot of confusion and differing ideas on Roles when related to IDM. The concept of the role is to provide a level of indirection separating users from fine-grained permissions and assign the permissions to the role and then the role to the various users as desired.

Roles and Entitlements are hard and complex.

A Role is a collection of entitlements (or Privileges) that are created for the various job functions in an organization.

For many of our discussions we will use Role as a collection of Privileges which we may specifically refer to as Entitlements.

Semantic Construct#

A Role is properly viewed as a semantic construct around which Access Control policies are formulated. Some things to keep in mind on roles:

• The particular collection of users and Privileges brought together by a Role is transitory.
• The Role is more stable because an organization's Entitlements or functions usually change less frequently.

Role Rules (Dynamic Role Model)#

Rules extend the static model, established by attaching a user to a Role, by examining user attributes such as:

• department code
• location code
• additional known details, such as mail server location

RBAC How are roles different from groups?#

RBAC How are roles different from groups?

RBAC Defining Roles#

TBD

More Information#

There might be more information for this subject on one of the following:

• AWS IAM
• AWS Security Group
• Entitlement
• Entitlement Example
• G-Suite Super Admin
• GCP Project Owner
• GCP Role
• Glossary Of LDAP And Directory Terminology
• Google Cloud IAM
• INCITS 359
• RBAC
• RBAC Defining Roles
• RBAC How are roles different from groups
• RBAC Session
• RBAC constraints
• RBAC vs ABAC
• Role
• Security Controls For This Wiki
• Verinym
• XACML