I would like to know what the best practices are for implementing RBAC.
For this simple example, I have an IT team that has two accesses:
- A Unix account on a host RES1
- An access to an application RES2.

I create 2 resources RES1 and RES2 and 3 roles.
ROL10 associated to RES1
ROL11 associated to RES2
ROL20 named "Member of IT Team" is the role parent of ROL10 and

In this scenario, it is possible to assign a user to RES1 via ROL10, a
user to RES2 via ROL11, or a user to both resources via ROL20.
The main inconvenience of this model is the number of roles if the model
is applied to all teams in the company.


I create 2 resources RES1 and RES2 and 1 role.
ROL20 named "Member of IT Team" associated to RES1 and RES2

Fewer roles than scenario 1.

To assign a user to only RES1, the only way is to assign the user to
"In RBAC theory, a user must always be assigned via a role, not directly to
a permission (resource)".
However, in this scenario, the admin of the resource must be able to
create a requestassocationrole from any existing roles to this

What is the best way to implement a role model? Are there any other
possibilities?
Must a role represent a population (a team, for example "member of team
B"), a job function (IT Developer), or a resource (User of
application A)?

Thanks in advance

acany's Profile: https://forums.netiq.com/member.php?userid=453
View this thread: https://forums.netiq.com/showthread.php?t=50525
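
The two role models described in the post, as an added example that is not part of the original post and is not NetIQ code: it resolves which resources each role grants and shows where the single-role model has no role for "RES1 only". The `RoleModel` class is hypothetical, and the example assumes ROL20 is the parent of both ROL10 and ROL11, since the post says ROL20 grants both resources.

```python
from collections import defaultdict

class RoleModel:
    # A parent role inherits every resource of its child roles.
    def __init__(self):
        self.children = defaultdict(set)     # parent role -> child roles
        self.resources = defaultdict(set)    # role -> directly associated resources
        self.assignments = defaultdict(set)  # user -> assigned roles

    def add_child(self, parent, child):
        if parent in self.descendants(child):  # would create a loop in the hierarchy
            raise ValueError(f"cycle: {child} already contains {parent}")
        self.children[parent].add(child)

    def descendants(self, role):
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.children.get(r, ()))
        return seen  # includes the role itself

    def role_resources(self, role):
        return set().union(*(self.resources.get(r, set()) for r in self.descendants(role)))

    def effective_resources(self, user):
        return set().union(*(self.role_resources(r) for r in self.assignments.get(user, ())))

    def roles(self):
        kids = {c for cs in self.children.values() for c in cs}
        return set(self.resources) | set(self.children) | kids

    def roles_granting_exactly(self, wanted):
        return sorted(r for r in self.roles() if self.role_resources(r) == set(wanted))

def scenario_1():
    m = RoleModel()
    m.resources["ROL10"].add("RES1")
    m.resources["ROL11"].add("RES2")
    m.add_child("ROL20", "ROL10")
    m.add_child("ROL20", "ROL11")  # assumption: ROL20 is parent of both roles
    return m

def scenario_2():
    m = RoleModel()
    m.resources["ROL20"].update({"RES1", "RES2"})
    return m
```

In scenario 2, `roles_granting_exactly({"RES1"})` returns an empty list: assigning ROL20 always grants RES2 as well, so "RES1 only" cannot be expressed through a role.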