Role hierarchy
Encyclopedia
In role-based access control, the role hierarchy defines an inheritance relationship among roles. For example, the role structure for a bank may treat all employees as members of the ‘employee’ role. Above this may be the roles ‘department manager’ and ‘accountant’, which inherit all permissions of the ‘employee’ role, while above ‘department manager’ could be ‘savings manager’ and ‘loan manager’.
RBAC models generally treat the role hierarchy as either a tree (in the set-theoretic sense), as in the 1992 RBAC model of Ferraiolo and Kuhn, or a partially ordered set, as in the 1996 RBAC framework of Sandhu, Coyne, Feinstein, and Youman. In object-oriented programming terms, the tree role hierarchy is single inheritance, while the partial-order hierarchy allows multiple inheritance. When treated as a partial order, the role hierarchy example given above could be extended to allow a role such as ‘branch manager’ to inherit all permissions of ‘savings manager’, ‘loan manager’, and ‘accountant’.
Complications can arise when constraints such as separation of duties exist between roles. If separation of duty was used to prohibit personnel from holding both the ‘loan manager’ and ‘accountant’ roles, then ‘branch manager’ could not inherit permissions from both of them. The NIST RBAC model, which unified the FK and SCFY models, treats the role hierarchy as a partial order, although RBAC products have not gone beyond the tree-structured hierarchy.
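The bank hierarchy described above, as an added example (not code from the article or from any RBAC standard): the hierarchy is held as a partial order, permissions are inherited transitively, and a static separation-of-duty pair between ‘loan manager’ and ‘accountant’ is checked before a senior role such as ‘branch manager’ is admitted. The permission names are assumed sample values.

```python
# Added example (not the encyclopedia article's own code): a bank role
# hierarchy as a partial order, with transitive permission inheritance
# and a static separation-of-duty (SSD) check. Names are assumed.

# senior role -> roles it directly inherits from
HIERARCHY = {
    "employee": [],
    "accountant": ["employee"],
    "department manager": ["employee"],
    "savings manager": ["department manager"],
    "loan manager": ["department manager"],
}

# permissions assigned directly to each role (constructed sample values)
PERMISSIONS = {
    "employee": {"read_own_timesheet"},
    "accountant": {"post_ledger_entry"},
    "department manager": {"approve_timesheet"},
    "savings manager": {"open_savings_account"},
    "loan manager": {"approve_loan"},
}

# mutually exclusive role pairs; no role may inherit from both
SSD_PAIRS = {frozenset({"loan manager", "accountant"})}

def junior_roles(role, hierarchy):
    """Roles `role` inherits from, transitively, including itself."""
    seen = {role}
    for parent in hierarchy.get(role, []):
        seen |= junior_roles(parent, hierarchy)
    return seen

def effective_permissions(role, hierarchy, permissions):
    """Union of the permissions of every role reachable from `role`."""
    return set().union(*(permissions.get(r, set())
                         for r in junior_roles(role, hierarchy)))

def ssd_violations(role, hierarchy, ssd_pairs):
    """SSD pairs both of whose roles `role` would hold via inheritance."""
    held = junior_roles(role, hierarchy)
    return {pair for pair in ssd_pairs if pair <= held}

def add_role(hierarchy, name, inherits_from, ssd_pairs):
    """Insert a senior role, refusing it if it would violate SSD."""
    candidate = {**hierarchy, name: list(inherits_from)}
    if ssd_violations(name, candidate, ssd_pairs):
        raise ValueError(f"{name!r} would violate separation of duty")
    hierarchy[name] = list(inherits_from)
    return hierarchy
```

With the SSD pair in place, a ‘branch manager’ above ‘savings manager’ and ‘loan manager’ is accepted (multiple inheritance), while one that also inherits ‘accountant’ is rejected, matching the conflict the text describes.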