Role Based Access Control
Subject = user "joe"
Role = "editor"
Operation = "publish"
However, at the BBC we're using it to handle
sophisticated authorisation for a CMS which
requires ACLs, so we need object matching too.
From the Wikipedia article on RBAC:
"With the concepts of role hierarchy and constraints, one can
control RBAC to create or simulate lattice-based access control
(LBAC). Thus RBAC can be considered a superset of LBAC."
I.e. RBAC + ACLs = LBAC
To do this I extended the concept of permission to
include within it a reference to an object, or a match
against objects using regexps, globs or plugin methods.
Object = "/home/recipes/*"
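A sketch of the object-matching permission described above, as an added example that is not the author's or the BBC's code. The names Permission, ROLE_PERMISSIONS, USER_ROLES and is_allowed, the sample policy, and the path normalisation step are all assumptions made for illustration.

```python
import fnmatch
import posixpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    operation: str
    obj: object  # glob string, compiled regexp, or plugin callable

    def covers(self, operation: str, path: str) -> bool:
        if operation != self.operation:
            return False
        if isinstance(self.obj, str):
            # Glob: note that "*" also matches "/", so the whole subtree is covered
            return fnmatch.fnmatchcase(path, self.obj)
        if isinstance(self.obj, re.Pattern):
            # Regexp: fullmatch anchors both ends, so a prefix hit is not enough
            return self.obj.fullmatch(path) is not None
        return bool(self.obj(path))  # plugin method decides


# Constructed sample policy (role -> permissions, user -> roles)
ROLE_PERMISSIONS = {
    "editor": [Permission("publish", "/home/recipes/*")],
    "sub_editor": [Permission("edit", re.compile(r"/home/recipes/[a-z0-9-]+"))],
    "archivist": [Permission("archive", lambda p: p.endswith(".old"))],
}
USER_ROLES = {"joe": ["editor"], "ann": ["sub_editor", "archivist"]}


def is_allowed(subject: str, operation: str, obj: str) -> bool:
    # Normalise before matching, so "/home/recipes/../admin" is checked
    # as "/home/admin" and cannot ride on the "/home/recipes/*" glob.
    path = posixpath.normpath(obj)
    for role in USER_ROLES.get(subject, []):
        for perm in ROLE_PERMISSIONS.get(role, []):
            if perm.covers(operation, path):
                return True
    return False  # default deny: unknown subject, role, operation or object
```

Matching on the raw string instead of the normalised path would let a pattern scoped to one subtree grant access outside it.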