1.3 - What ANSI RBAC is

There is more to RBAC than using a Role object during policy enforcement.

![ANSI RBAC](images/ANSIRBAC-Spec.png)
  • RBAC0 - Users, Roles, Permissions (Objects-Operations), Sessions - Form the Core of ANSI RBAC. Role activation and Permissions mapped to Object->Operation pairings are key facets of the basic ANSI RBAC model.
![The Core](images/RbacCore.png)
  • RBAC1 - Hierarchical Roles - Encourages proper role engineering. Parent roles are Business Roles while child roles map to IT Roles. Role hierarchies should be many-to-many, i.e. support multiple inheritance.
![Hierarchical RBAC](images/RbacHier.png)
  • RBAC2 - Static Separation of Duties - Used to limit the privilege of users to within normal boundaries. SSD constraints are applied at role assignment time.
![Static Separation of Duties](images/RbacSSD.png)
  • RBAC3 - Dynamic Separation of Duties - Enforces constraints on which functions may be used together at any point in time. DSD constraints may be used to enforce strict controls during multi-step approval processes. DSD constraints are applied at role activation time.
![Dynamic Separation of Duties](images/RbacDSD.png)
  • Well defined APIs that can be shared across projects and application development teams.

  • Well defined data model. Easily created and replicated across the enterprise.
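The following is an added illustration, not code from the ANSI standard or from any RBAC product, of how the four components above fit together: permissions are (object, operation) pairs granted to roles (RBAC0), roles inherit through a many-to-many hierarchy (RBAC1), SSD constraints are checked when a role is assigned (RBAC2), and DSD constraints are checked when a role is activated in a session (RBAC3). Class and method names are this example's own, and both constraint checks are made against the hierarchy closure of the roles, which is an assumption of this illustration.

```python
from dataclasses import dataclass, field

class RbacError(Exception):
    pass

@dataclass
class Rbac:
    role_perms: dict = field(default_factory=dict)  # RBAC0: role -> {(object, operation)}
    parents: dict = field(default_factory=dict)     # RBAC1: role -> parent roles (multi-inheritance)
    user_roles: dict = field(default_factory=dict)  # RBAC0: user -> assigned roles
    sessions: dict = field(default_factory=dict)    # RBAC0: session -> activated roles
    ssd: list = field(default_factory=list)         # RBAC2: [(role set, n)], checked at assignment
    dsd: list = field(default_factory=list)         # RBAC3: [(role set, n)], checked at activation

    def _closure(self, roles):
        # RBAC1: the given roles plus everything reachable through parent roles
        seen, todo = set(), list(roles)
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                todo.extend(self.parents.get(r, ()))
        return seen

    def _violates(self, constraints, roles):
        # A constraint (role set, n) is violated when n or more of its roles are held
        held = self._closure(roles)
        return any(len(held & rs) >= n for rs, n in constraints)

    def assign(self, user, role):
        # RBAC2: SSD is enforced at role-assignment time
        roles = self.user_roles.get(user, set()) | {role}
        if self._violates(self.ssd, roles):
            raise RbacError(f"SSD: {user} may not hold {sorted(roles)}")
        self.user_roles[user] = roles

    def activate(self, user, session, role):
        # RBAC3: DSD is enforced at role-activation time, per session
        if role not in self.user_roles.get(user, set()):
            raise RbacError(f"{role} is not assigned to {user}")
        active = self.sessions.get(session, set()) | {role}
        if self._violates(self.dsd, active):
            raise RbacError(f"DSD: {session} may not activate {sorted(active)}")
        self.sessions[session] = active

    def check_access(self, session, obj, op):
        # RBAC0: a permission is usable only via a role active in the session
        active = self._closure(self.sessions.get(session, ()))
        return any((obj, op) in self.role_perms.get(r, ()) for r in active)
```

With an SSD set {clerk, auditor} the second of those two roles is refused at assign(), whereas with a DSD set {clerk, approver} a user may hold both but activate() refuses the second one in a session where the first is already active, which is exactly the multi-step approval control described above.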