[rsbac] Resources and Enhanced Role Compatibility

Jörg Lübbert rsbac@rsbac.org
Mon Oct 28 14:38:01 2002


Amon Ott wrote:
> RC deliberately has single roles for subjects only. This avoids all the
> problems with mutual exclusive roles for separation of duty (including
> uncontrolled flow of information) and keeps the model simpler.

I don't see why two roles could exclude each other if they would only 
add their rights to each other? If the negative role compatibility was 
introduced then this might become a problem, but having negative role 
compatibility would only be the second step I'd go. I personally am fine 
if there were multiple roles adding their rights to a main role.

> My paper for the NordSec conference next week discusses this in a compa=
> to RBAC and DTE models. It will be published on rsbac.org after the 
> conference. I already got people saying that RC model is too complex, so I
> will be very slow in adding more options.

What would you think about adding a completely new module called ERBAC 
which is based on the RC module? This way the powerful RC module stays 
the way it is without becoming more complex and the other module can 
become even more complex and even more fine grained than RC currently 
is? One could add my idea of negative/positive role comp there + the 
idea about inherited rights to types.

I'm looking forward to reading your paper :)

> Again, it would make the model even more complex. Are you thinking of a
> hierarchy, where rights to master types are inherited to subtypes as we=

I wasn't thinking that complicated in that case. Your idea btw sounds 
pretty good (would be something for ERBAC?), but just like my idea very 
hard to implement (and understand). I was just thinking of groups in 
rsbac_menu so that administration and searching through the various 
types becomes easier (one could maybe do the same for the roles, too).

- Jörg