| Title: 1.3 - What ANSI RBAC is |
| NavPrev: 1.2-what-is-not-rbac.html |
| NavPrevText: 1.2 - What ANSI RBAC is not |
| NavUp: 1-intro-rbac.html |
| NavUpText: 1 - An Introduction to Role-Based Access Control ANSI INCITS 359-2004 |
| NavNext: 1.4-why-rbac-is-important.html |
| NavNextText: 1.4 - Why is ANSI RBAC Important? |
| Notice: Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| . |
| http://www.apache.org/licenses/LICENSE-2.0 |
| . |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| |
| # 1.3 - What ANSI RBAC is |
| |
| There is more to RBAC than using a Role object during policy enforcement. |
| |
| * ANSI INCITS 359-2001, [http://profsandhu.com/journals/tissec/ANSI+INCITS+359-2004.pdf](http://profsandhu.com/journals/tissec/ANSI+INCITS+359-2004.pdf) - The ANSI specification describes RBAC and provides functional specifications in Z-notation. |
| |
| <CENTER> |
| ![ANSI RBAC](images/ANSIRBAC-Spec.png) |
| </CENTER> |
| |
* <b>RBAC0</b> - Users, Roles, Permissions (Objects-Operations), Sessions - form the Core of ANSI RBAC. Role activation and permissions expressed as Object->Operation pairs are key facets of the basic ANSI RBAC model.
| |
| <CENTER> |
| ![The Core](images/RbacCore.png) |
| </CENTER> |
| |
* <b>RBAC1</b> - Hierarchical Roles - Encourages proper role engineering. Parent roles are Business Roles while child roles map to IT Roles. Role hierarchies should support many-to-many relationships (multiple inheritance).
| |
| <CENTER> |
| ![Hierarchical RBAC](images/RbacHier.png) |
| </CENTER> |
| |
* <b>RBAC2</b> - Static Separation of Duties - Used to limit users' privileges to within normal boundaries. SSD constraints are applied at role assignment time.
| |
| <CENTER> |
| ![Static Separation of Duties](images/RbacSSD.png) |
| </CENTER> |
| |
* <b>RBAC3</b> - Dynamic Separation of Duties - Enforces constraints on which functions may be used together at any point in time. DSD constraints may be used to enforce strict controls during multi-step approval processes. DSD constraints are applied at role activation time.
| |
| <CENTER> |
| ![Dynamic Separation of Duties](images/RbacDSD.png) |
| </CENTER> |
| |
* Well-defined APIs that can be shared across projects and application development teams.
| |
* Well-defined data model that is easily created and replicated across the enterprise.
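The four levels above fit together in one small policy engine. The following is an added example written for this page; it is not Fortress code and does not use the Fortress API. It models RBAC0 (users, roles, Object->Operation permissions, sessions with role activation), RBAC1 (a parent business role inheriting the permissions of its child IT roles), RBAC2 (an SSD constraint checked at assignment time) and RBAC3 (a DSD constraint checked at activation time). Constraints use the spec's (role set, n) form: fewer than n roles from the set may be assigned to one user (SSD) or activated in one session (DSD). The role names, permissions and the user `alice` are constructed for the demo, and the `Rbac` class and its method names are this example's own, not the standard's or the project's.

```python
from collections import defaultdict
from dataclasses import dataclass


class ConstraintViolation(Exception):
    pass


@dataclass(frozen=True)
class Permission:
    obj: str  # protected object, e.g. "invoice"
    op: str   # operation on that object, e.g. "approve"


class Rbac:
    def __init__(self):
        self.user_roles = defaultdict(set)  # user -> assigned roles     (RBAC0)
        self.role_perms = defaultdict(set)  # role -> permissions        (RBAC0)
        self.juniors = defaultdict(set)     # parent role -> child roles (RBAC1)
        self.sod = {"SSD": [], "DSD": []}   # (role set, n): fewer than n may be assigned/active
        self.sessions = {}                  # session id -> {"user", "active"}

    # RBAC0: permissions are Object->Operation pairs granted to roles
    def grant(self, role, obj, op):
        self.role_perms[role].add(Permission(obj, op))

    # RBAC1: a parent (business) role inherits the permissions of its child (IT) roles
    def add_inheritance(self, parent, child):
        self.juniors[parent].add(child)

    def authorized_roles(self, roles):
        """The given roles plus every junior role reachable below them."""
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors[r])
        return seen

    def add_sod(self, kind, roles, n):
        self.sod[kind].append((frozenset(roles), n))

    def _enforce(self, kind, roles):
        # Checked over the hierarchy closure so a parent role cannot smuggle in a conflicting junior
        closure = self.authorized_roles(roles)
        for conflict_set, n in self.sod[kind]:
            if len(closure & conflict_set) >= n:
                raise ConstraintViolation(f"{kind}: {sorted(closure & conflict_set)}")

    # RBAC2: SSD is checked at role assignment time
    def assign(self, user, role):
        self._enforce("SSD", self.user_roles[user] | {role})
        self.user_roles[user].add(role)

    def create_session(self, user):
        sid = len(self.sessions) + 1
        self.sessions[sid] = {"user": user, "active": set()}
        return sid

    # RBAC3: DSD is checked at role activation time, per session
    def activate(self, sid, role):
        session = self.sessions[sid]
        if role not in self.user_roles[session["user"]]:
            raise ConstraintViolation(f"{role} is not assigned to {session['user']}")
        self._enforce("DSD", session["active"] | {role})
        session["active"].add(role)

    def check_access(self, sid, obj, op):
        """Policy decision: an active role, or a junior of one, must hold the permission."""
        active = self.authorized_roles(self.sessions[sid]["active"])
        return any(Permission(obj, op) in self.role_perms[r] for r in active)


def _blocked(fn, *args):
    try:
        fn(*args)
        return False
    except ConstraintViolation:
        return True


def demo():
    # Constructed scenario: one business role over an IT role, one SSD and one DSD rule
    rbac = Rbac()
    rbac.add_inheritance("Accounting", "Bookkeeper")  # business role over IT role
    rbac.grant("Bookkeeper", "ledger", "write")
    rbac.grant("Approver", "invoice", "approve")
    rbac.grant("Requester", "invoice", "submit")
    rbac.add_sod("SSD", {"Requester", "Approver"}, 2)   # nobody may be assigned both
    rbac.add_sod("DSD", {"Bookkeeper", "Approver"}, 2)  # may hold both, never active together
    rbac.assign("alice", "Accounting")
    rbac.assign("alice", "Approver")
    out = {"ssd_blocked": _blocked(rbac.assign, "alice", "Requester")}
    sid = rbac.create_session("alice")
    rbac.activate(sid, "Accounting")
    out["ledger_write_via_hierarchy"] = rbac.check_access(sid, "ledger", "write")
    out["approve_not_activated"] = rbac.check_access(sid, "invoice", "approve")
    out["dsd_blocked"] = _blocked(rbac.activate, sid, "Approver")  # Bookkeeper active via Accounting
    sid2 = rbac.create_session("alice")
    rbac.activate(sid2, "Approver")
    out["approve_in_own_session"] = rbac.check_access(sid2, "invoice", "approve")
    return out
```

Running `demo()` shows each level doing its job: the SSD rule stops `alice` from ever being assigned both Requester and Approver; activating the business role Accounting grants the junior Bookkeeper's `ledger:write` through the hierarchy; the assigned but inactive Approver role confers nothing until activated; and the DSD rule refuses to activate Approver in the same session where Bookkeeper is already active (through Accounting), while a separate session may activate it. Evaluating both constraint kinds over the hierarchy closure is the design choice worth noting: without it, a user could hold a parent role and sidestep a constraint written against its junior.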