• Subject = user "joe"
• Role = "editor"
• Operation = "publish"
• However, at the BBC we're using it to handle sophisticated authorisation for a CMS system which requires ACLs, so we need object matching too
• From the Wikipedia article on RBAC:
  – "With the concepts of role hierarchy and constraints, one can control RBAC to create or simulate lattice-based access control (LBAC). Thus RBAC can be considered a superset of LBAC."
• I.e. RBAC + ACLs = LBAC
• To do this I extended the concept of permission to include within it a reference to an object, or a match against objects using regexps, globs or a plugin method
• Object = "/home/recipes/*"
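
The object-matching permission described above, sketched in Python as an added example (not the BBC's code or the module's own API). The Permission class, the is_authorised function and every rule other than joe / editor / publish / "/home/recipes/*" are hypothetical; normalising the path and anchoring the regex are assumptions about how to stop a crafted object name from satisfying a pattern.

```python
import fnmatch
import posixpath
import re
from dataclasses import dataclass

# Hypothetical names throughout; sample rules and paths are constructed.


@dataclass(frozen=True)
class Permission:
    role: str
    operation: str
    kind: str         # "exact", "glob", "regex" or "plugin"
    matcher: object   # pattern string, or a callable for "plugin"

    def matches_object(self, obj: str) -> bool:
        if self.kind == "exact":
            return obj == self.matcher
        if self.kind == "glob":
            # fnmatch's "*" also matches "/", so this covers the whole subtree
            return fnmatch.fnmatchcase(obj, self.matcher)
        if self.kind == "regex":
            # fullmatch: an unanchored search would match anywhere in the path
            return re.fullmatch(self.matcher, obj) is not None
        if self.kind == "plugin":
            return bool(self.matcher(obj))
        return False  # unknown matcher kind: deny by default


def is_authorised(user_roles, permissions, subject, operation, obj):
    # Normalise first so "/home/recipes/../admin/x" cannot satisfy the glob
    obj = posixpath.normpath(obj)
    roles = user_roles.get(subject, set())
    return any(
        p.role in roles and p.operation == operation and p.matches_object(obj)
        for p in permissions
    )


USER_ROLES = {"joe": {"editor"}}
PERMISSIONS = [
    Permission("editor", "publish", "glob", "/home/recipes/*"),
    Permission("editor", "edit", "regex", r"/home/news/\d{4}/[^/]+"),
    Permission("editor", "delete", "plugin", lambda o: o.endswith(".draft")),
]
```
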