lWhen defining an RBAC model, the following conventions
are useful:
lS = Subject = A person or automated agent
lR = Role = Job function or title which defines an
authority level
lP = Permissions = An approval of a mode of access to a
resource
lSE = Session = A mapping involving S, R and/or P
lSA = Subject Assignment
lPA = Permission Assignment
lRH = Partially ordered role Hierarchy. RH can also be
written: ≥
lA subject can have multiple roles.
lA role can have multiple subjects.
lA role can have many permissions.
lA permission can be assigned to many roles.
lA constraint places a restrictive rule on the potential
inheritance of permissions
from opposing roles, thus it can be used to achieve appropriate segregation of duties. For example, the same
person should not be allowed
to both create a login account for someone, and also be allowed to authorize the procedure.
lA subject may have multiple simultaneous sessions with
different permissions.