Title: 1.3 - What ANSI RBAC is
NavPrev: 1.2-what-is-not-rbac.html
NavPrevText: 1.2 - What ANSI RBAC is not
NavUp: 1-intro-rbac.html
NavUpText: 1 - An Introduction to Role-Based Access Control ANSI INCITS 359-2004
NavNext: 1.4-why-rbac-is-important.html
NavNextText: 1.4 - Why is ANSI RBAC Important?
Notice: Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
.
http://www.apache.org/licenses/LICENSE-2.0
.
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
# 1.3 - What ANSI RBAC is
There is more to RBAC than using a Role object during policy enforcement.
* ANSI INCITS 359-2004, [http://profsandhu.com/journals/tissec/ANSI+INCITS+359-2004.pdf](http://profsandhu.com/journals/tissec/ANSI+INCITS+359-2004.pdf) - The ANSI specification describes RBAC and provides functional specifications in Z notation.
<CENTER>
![ANSI RBAC](images/ANSIRBAC-Spec.png)
</CENTER>
* <b>RBAC0</b> - Users, Roles, Permissions (Objects-Operations), Sessions - Form the Core of ANSI RBAC. Role activation within a Session and Permissions mapped to Object->Operation pairs are key facets of the basic ANSI RBAC model.
<CENTER>
![The Core](images/RbacCore.png)
</CENTER>
* <b>RBAC1</b> - Hierarchical Roles - Encourages proper role engineering. Parent roles are Business Roles while child roles map to IT Roles. Role hierarchies should be many-to-many or multi-inheritance.
<CENTER>
![Hierarchical RBAC](images/RbacHier.png)
</CENTER>
* <b>RBAC2</b> - Static Separation of Duties - Used to limit the privilege of users to within normal boundaries. SSD constraints are applied at role assignment time.
<CENTER>
![Static Separation of Duties](images/RbacSSD.png)
</CENTER>
* <b>RBAC3</b> - Dynamic Separation of Duties - Enforces constraints on what functions may be used together at any point in time. DSD constraints may be used to enforce strict controls during multi-step approval processes. DSD constraints are applied at role activation time.
<CENTER>
![Dynamic Separation of Duties](images/RbacDSD.png)
</CENTER>
* Well defined APIs that can be shared across projects and application development teams.
* Well defined data model. Easily created and replicated across the enterprise.
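As an added illustration (not Fortress code or the specification's Z notation), a minimal Python model of the four layers above: a role hierarchy (RBAC1), SSD enforced at assignment time (RBAC2), DSD enforced at session activation time (RBAC3), and an access check over Object->Operation permissions (RBAC0). Role, user and object names are constructed for the example.

```python
# Added illustration of the ANSI RBAC layers; role/object names are constructed.
from collections import defaultdict


class Rbac:
    def __init__(self):
        self.parents = defaultdict(set)     # RBAC1: child role -> parent roles
        self.role_perms = defaultdict(set)  # RBAC0: role -> {(object, operation)}
        self.user_roles = defaultdict(set)  # RBAC0: user -> assigned roles
        self.ssd = []                       # RBAC2: [(role set, cardinality)]
        self.dsd = []                       # RBAC3: [(role set, cardinality)]

    def add_inheritance(self, child, parent):
        self.parents[child].add(parent)

    def authorized_roles(self, roles):
        # RBAC1: a role carries the permissions of all its ancestors.
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.parents[r])
        return seen

    def grant(self, role, obj, op):
        self.role_perms[role].add((obj, op))

    def _violates(self, constraints, roles):
        # A constraint (role set, n) is violated when n or more of its roles occur.
        return any(len(roles & rs) >= n for rs, n in constraints)

    def assign(self, user, role):
        # RBAC2: SSD is checked at assignment time over the full authorized set.
        roles = self.authorized_roles(self.user_roles[user] | {role})
        if self._violates(self.ssd, roles):
            raise PermissionError(f"SSD violation assigning {role} to {user}")
        self.user_roles[user].add(role)

    def create_session(self, user, active):
        # RBAC3: DSD is checked at activation time on the session's active roles.
        active = set(active)
        if not active <= self.user_roles[user]:
            raise PermissionError("cannot activate a role not assigned to the user")
        if self._violates(self.dsd, self.authorized_roles(active)):
            raise PermissionError("DSD violation: conflicting roles in one session")
        return {"user": user, "active": active}

    def check_access(self, session, obj, op):
        roles = self.authorized_roles(session["active"])
        return any((obj, op) in self.role_perms[r] for r in roles)
```

A user may legitimately hold both halves of a DSD pair (assignment succeeds) yet be refused a session that activates them together, which is exactly the distinction between SSD and DSD the list above draws.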