Dave Kearns writes about a recurring problem: inconsistent definitions of the term 'role'. "We are using RBAC" is a claim often heard, but genuine RBAC is rarely what is actually deployed. RBAC makes its access control decisions from the role a subject occupies: the subject is mapped to a role, and the role carries the set of transactions or methods its members may invoke. RBAC works well in practice because it matches how developers already think about a system, as a set of transactions and methods.
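The two mappings that define RBAC (subject to role, role to transactions) as an added example; this is illustration code, not from the original post, and the roles, subjects and transaction names are constructed. The decision depends only on role membership, so a subject with no defined role is denied by default.

```python
from dataclasses import dataclass, field

# Added example, not from the original post. Role names, subjects and
# transaction names are constructed for illustration.


@dataclass
class RBACPolicy:
    # Role -> set of transactions/methods that role may invoke.
    role_permissions: dict[str, set[str]] = field(default_factory=dict)
    # Subject -> set of roles the subject has been assigned.
    subject_roles: dict[str, set[str]] = field(default_factory=dict)

    def grant(self, role: str, *transactions: str) -> None:
        self.role_permissions.setdefault(role, set()).update(transactions)

    def assign(self, subject: str, role: str) -> None:
        # A "role" that carries no permissions is just a label, not an RBAC
        # role; refuse to assign it rather than silently creating one.
        if role not in self.role_permissions:
            raise KeyError(f"unknown role: {role}")
        self.subject_roles.setdefault(subject, set()).add(role)

    def is_permitted(self, subject: str, transaction: str) -> bool:
        # The decision uses only the subject's roles. An unknown subject has
        # no roles, so the result is deny by default.
        return any(transaction in self.role_permissions.get(r, set())
                   for r in self.subject_roles.get(subject, set()))

    def effective_transactions(self, subject: str) -> set[str]:
        # Useful for access reviews: everything this subject can invoke.
        out: set[str] = set()
        for r in self.subject_roles.get(subject, set()):
            out |= self.role_permissions.get(r, set())
        return out


def build_policy() -> RBACPolicy:
    p = RBACPolicy()
    p.grant("teller", "view_balance", "post_deposit")
    p.grant("auditor", "view_balance", "export_ledger")
    p.assign("alice", "teller")
    p.assign("bob", "auditor")
    return p


if __name__ == "__main__":
    p = build_policy()
    print(p.is_permitted("alice", "post_deposit"))   # True
    print(p.is_permitted("bob", "post_deposit"))     # False
    print(p.is_permitted("carol", "view_balance"))   # False: no role, so deny
```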