
Mandatory, Discretionary, Role and Rule Based Access Control

1,798 bytes added, 20:20, 8 February 2008
== Role Based Access Control ==
 
Role Based Access Control (RBAC), also known as ''Non-discretionary Access Control'', takes more of a real-world approach to structuring access control. Access under RBAC is based on a user's job function within the organization to which the computer system belongs.
 
Essentially, RBAC assigns permissions to particular roles in an organization. Users are then assigned to those roles. For example, an accountant in a company will be assigned to the ''Accountant'' role, gaining access to all the resources permitted for all accountants on the system. Similarly, a software engineer might be assigned to the ''Developer'' role.
 
Roles differ from ''groups'' in that, while users may belong to multiple groups, a user under RBAC may only be assigned a single role in an organization. Additionally, there is no way to grant individual users additional permissions over and above those available to their role. The accountant described above gets the same permissions as all other accountants, nothing more and nothing less.
 
== Rule Based Access Control ==
 
Rule Based Access Control (RBAC) introduces acronym ambiguity by using the same four letters as Role Based Access Control (RBAC).
 
Under Rule Based Access Control, access to resource objects is allowed or denied based on a set of rules defined by a system administrator. As with ''Discretionary Access Control'', access properties are stored in Access Control Lists (ACLs) associated with each resource object.
 
Examples of Rule Based Access Control include permitting access for an account or group to a network connection only at certain hours of the day or on certain days of the week.
 
As with MAC, access control cannot be changed by users. All access permissions are controlled solely by the system administrator.
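As an added example (not from the original page), the two models above as a small Python policy evaluator: permissions hang off roles with exactly one role per user and no per-user extras, and a separate rule-based ACL with administrator-defined time-of-day and day-of-week rules. All users, roles, resources and rules are constructed sample data, and both checks default to deny.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample RBAC policy: permissions attach to roles, and each user
# holds exactly one role (as the page describes). Example code, not from the page.
ROLE_PERMISSIONS = {
    "Accountant": {"ledger:read", "ledger:write", "invoices:read"},
    "Developer": {"repo:read", "repo:write", "ci:run"},
}
USER_ROLE = {"alice": "Accountant", "bob": "Developer"}


def rbac_allowed(user: str, permission: str) -> bool:
    """Role-based check: a user has exactly the permissions of its single role.

    There is no per-user override table, so extra permissions cannot be granted
    to one accountant without granting them to the whole role. Unknown users and
    unknown roles are denied.
    """
    role = USER_ROLE.get(user)
    if role is None:
        return False
    return permission in ROLE_PERMISSIONS.get(role, set())


@dataclass(frozen=True)
class TimeRule:
    """One administrator-defined ACL entry on a resource: who may use it and when."""
    subject: str              # account or group name
    weekdays: frozenset       # 0 = Monday ... 6 = Sunday
    start_hour: int           # inclusive, 0-23
    end_hour: int             # exclusive, 1-24


# Constructed rule-based ACL stored per resource object.
RESOURCE_ACL = {
    "vpn": [
        TimeRule("alice", frozenset(range(0, 5)), 8, 18),  # office hours, Mon-Fri
        TimeRule("bob", frozenset(range(0, 7)), 0, 24),    # any time, any day
    ],
}


def rule_allowed(user: str, resource: str, when: datetime) -> bool:
    """Rule-based check: allowed only if some ACL rule on the resource matches."""
    for rule in RESOURCE_ACL.get(resource, []):
        if (rule.subject == user
                and when.weekday() in rule.weekdays
                and rule.start_hour <= when.hour < rule.end_hour):
            return True
    return False  # no matching rule: deny
```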