1.3 - What ANSI RBAC is

There is more to RBAC than using a Role object during policy enforcement.

• ANSI INCITS 359-2001, https://profsandhu.com/journals/tissec/ANSI+INCITS+359-2004.pdf - The ANSI specification describes RBAC and provides functional specifications in Z-notation.

• RBAC0 - Users, Roles, Permissions (Objects-Operations), Sessions - Form the Core of ANSI RBAC. Role activation and Permissions mapped to Object->Operation pairing are key facets of the basic ANSI RBAC model.

• RBAC1 - Hierarchical Roles - Encourages proper role engineering. Parent roles are Business Roles while child roles map to IT Roles. Role hierarchies should be many-to-many or multi-inheritance.

• RBAC2 - Static Separation of Duties - Used to limit the privilege of users to within normal boundaries. SSD constraints are applied at role assignment time.

• RBAC3 - Dynamic Separation of Duties - Enforces constraints on what functions may used together at any point in time. DSD constraints may be used to enforce strict controls during multi-step approval processes. DSD constraints are applied at role activation time.

• Well defined APIs that can be shared across projects and application development teams.

• Well defined data model. Easily created and replicated across the enterprise.