When defining an RBAC model, the following conventions
- S = Subject = A person or automated agent
- R = Role = Job function or title which defines an
- P = Permissions = An approval of a mode of access to a
- SE = Session = A mapping involving S, R and/or P
- SA = Subject Assignment
- PA = Permission Assignment
- RH = Partially ordered role Hierarchy. RH can also be
- A subject can have multiple roles.
- A role can have multiple subjects.
- A role can have many permissions.
- A permission can be assigned to many roles.
- A constraint places a restrictive rule on the potential inheritance of permissions from opposing roles; thus it can be used to achieve appropriate segregation of duties. For example, the same person should not be allowed to both create a login account for someone and also be allowed to authorize the procedure.
- A subject may have multiple simultaneous sessions with
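The conventions above (SA, PA, a partially ordered RH, sessions that activate a subset of a subject's roles, and a static separation-of-duty constraint) as a small working model. This is an added example, not code from the original page; the role and permission names (helpdesk, approver, it_manager, create_account, authorize_account) are constructed for illustration, and the constraint is checked against roles held directly or through inheritance, so a senior role cannot be used to sidestep it.

```python
# Added example (not from the page): a tiny RBAC engine with SA, PA, RH,
# sessions and a static separation-of-duty constraint. Names are constructed.
class RBAC:
    def __init__(self):
        self.SA = {}        # subject -> roles assigned (SA)
        self.PA = {}        # role -> permissions assigned (PA)
        self.RH = {}        # role -> junior roles it inherits from (RH)
        self.SSD = []       # (conflicting role set, n): hold fewer than n of them
        self.sessions = {}  # session id -> (subject, activated roles)

    def add_role(self, role, inherits=()):
        self.PA.setdefault(role, set())
        self.RH[role] = set(inherits)

    def assign_permission(self, role, perm):
        self.PA.setdefault(role, set()).add(perm)

    def junior_roles(self, role):
        """Roles reachable downward in RH, including the role itself."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.RH.get(r, ()))
        return seen

    def add_ssd(self, roles, n=2):
        self.SSD.append((set(roles), n))

    def assign_role(self, subject, role):
        proposed = self.SA.get(subject, set()) | {role}
        # Check SoD against roles held directly *or* through inheritance
        effective = set().union(*(self.junior_roles(r) for r in proposed))
        for conflict, n in self.SSD:
            if len(effective & conflict) >= n:
                raise ValueError(f"SoD violation for {subject}: {sorted(effective & conflict)}")
        self.SA[subject] = proposed

    def open_session(self, sid, subject, roles):
        active = set(roles)
        if not active <= self.SA.get(subject, set()):
            raise PermissionError("a session may activate only the subject's assigned roles")
        self.sessions[sid] = (subject, active)

    def check(self, sid, perm):
        """True if any role activated in the session, or a junior of it, holds perm."""
        _, active = self.sessions[sid]
        return any(perm in self.PA[j] for r in active for j in self.junior_roles(r))
```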