Title: 1.3 - What ANSI RBAC is
NavPrev: 1.2-what-is-not-rbac.html
NavPrevText: 1.2 - What ANSI RBAC is not
NavUp: 1-intro-rbac.html
NavUpText: 1 - An Introduction to Role-Based Access Control ANSI INCITS 359-2004
NavNext: 1.4-why-rbac-is-important.html
NavNextText: 1.4 - Why is ANSI RBAC Important?
Notice: Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0. Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

# 1.3 - What ANSI RBAC is

There is more to RBAC than consulting a Role object at policy enforcement time. The standard defines a reference model and the functions that operate on it, summarized below.

* ANSI INCITS 359-2004, [http://profsandhu.com/journals/tissec/ANSI+INCITS+359-2004.pdf](http://profsandhu.com/journals/tissec/ANSI+INCITS+359-2004.pdf) - The ANSI specification describes the RBAC reference model and gives functional specifications for its administrative, system and review functions in Z notation.
![ANSI RBAC](images/ANSIRBAC-Spec.png)
* RBAC0 - Core RBAC: Users, Roles, Permissions and Sessions. A Permission is an Object->Operation pairing granted to a Role, never to a User directly; a User acquires Permissions by being assigned Roles and exercises them only by activating those Roles in a Session. Role activation and the Object->Operation pairing are the key facets of the basic ANSI RBAC model.
![The Core](images/RbacCore.png)
* RBAC1 - Hierarchical Roles - A senior (parent) role inherits the permissions of its junior (child) roles, which encourages proper role engineering: parent roles are Business Roles while child roles map to IT Roles. Role hierarchies should be general, i.e. many-to-many with multiple inheritance, rather than limited to a tree.
![Hierarchical RBAC](images/RbacHier.png)
* RBAC2 - Static Separation of Duties - Limits the privilege any one user can accumulate: an SSD constraint names a set of mutually exclusive roles and a cardinality n, and no user may be assigned, directly or through the role hierarchy, n or more roles from that set. SSD constraints are enforced at role assignment time.
![Static Separation of Duties](images/RbacSSD.png)
* RBAC3 - Dynamic Separation of Duties - Constrains which roles may be active together at any point in time: a user may be assigned both roles of a conflicting pair but cannot activate n or more roles of a DSD set in the same session. DSD constraints are useful for strict controls in multi-step approval processes, where the same person must not hold the requesting and the approving role at once. DSD constraints are enforced at role activation time.
![Dynamic Separation of Duties](images/RbacDSD.png)
* Well-defined APIs that can be shared across projects and application development teams.
* Well-defined data model that is easily created and replicated across the enterprise.
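As an added illustration, not code from the Fortress project or from the standard, the following Python model implements the four components above over an in-memory policy: permissions are Object->Operation pairs granted to roles, a senior role inherits from its juniors, SSD is checked when a role is assigned (counting inherited roles), and DSD is checked when a role is activated in a session. The role names, permissions and constraint sets in `run_demo` are constructed sample data; the `attempt` helper is only there to capture refused commands.

```python
class RbacError(Exception):
    """An administrative or session command violated an RBAC constraint."""


class RbacModel:
    def __init__(self) -> None:
        self.ua: dict[str, set[str]] = {}                    # UA: user -> directly assigned roles
        self.pa: dict[str, set[tuple[str, str]]] = {}        # PA: role -> (object, operation) pairs
        self.juniors: dict[str, set[str]] = {}               # RH: senior role -> juniors it inherits from
        self.sessions: dict[str, tuple[str, set[str]]] = {}  # session id -> (user, active roles)
        self.ssd: list[tuple[frozenset[str], int]] = []      # (role set, n): a user may hold fewer than n
        self.dsd: list[tuple[frozenset[str], int]] = []      # (role set, n): a session may activate fewer than n

    # RBAC0 (Core): roles, Object->Operation permissions, sessions
    def add_role(self, role: str) -> None:
        self.pa.setdefault(role, set())
        self.juniors.setdefault(role, set())

    def grant_permission(self, role: str, obj: str, op: str) -> None:
        self.pa[role].add((obj, op))

    # RBAC1 (Hierarchical): a senior role inherits every junior's permissions; many-to-many allowed
    def add_inheritance(self, senior: str, junior: str) -> None:
        if senior in self.descendants(junior):  # the standard requires the hierarchy to be acyclic
            raise RbacError(f"{senior} >= {junior} would create a cycle")
        self.juniors[senior].add(junior)

    def descendants(self, role: str) -> set[str]:  # the role plus every junior reachable below it
        seen: set[str] = set()
        stack = [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors.get(r, ()))
        return seen

    def authorized_roles(self, user: str) -> set[str]:  # assigned roles plus everything they inherit
        return set().union(*(self.descendants(r) for r in self.ua.get(user, ())))

    # RBAC2 (Static SoD): evaluated when a role is *assigned*, counting inherited roles too
    def assign_user(self, user: str, role: str) -> None:
        would_hold = self.authorized_roles(user) | self.descendants(role)
        for role_set, n in self.ssd:
            if len(would_hold & role_set) >= n:
                raise RbacError(f"SSD violation: {user} would hold {sorted(would_hold & role_set)}")
        self.ua.setdefault(user, set()).add(role)

    # RBAC3 (Dynamic SoD): evaluated when a role is *activated* in a session
    def create_session(self, sid: str, user: str) -> None:
        self.sessions[sid] = (user, set())

    def add_active_role(self, sid: str, role: str) -> None:
        user, active = self.sessions[sid]
        if role not in self.authorized_roles(user):
            raise RbacError(f"{user} is not authorized for {role}")
        would_be_active = set().union(*(self.descendants(r) for r in active | {role}))
        for role_set, n in self.dsd:
            if len(would_be_active & role_set) >= n:
                raise RbacError(f"DSD violation: {sorted(would_be_active & role_set)} active together")
        active.add(role)

    def check_access(self, sid: str, obj: str, op: str) -> bool:
        """Core RBAC CheckAccess: the permission must reach a role that is active in this session."""
        _, active = self.sessions[sid]
        return any((obj, op) in self.pa.get(r, ()) for a in active for r in self.descendants(a))


def attempt(fn, *args) -> str:  # run a command, returning "ok" or the constraint that refused it
    try:
        fn(*args)
        return "ok"
    except RbacError as e:
        return str(e)


def run_demo() -> dict[str, object]:
    """Constructed sample policy: business role finance_manager above two IT roles."""
    m, out = RbacModel(), {}
    for r in ("purchasing_clerk", "purchase_approver", "cashier", "cashier_supervisor", "finance_manager"):
        m.add_role(r)
    m.grant_permission("cashier", "register", "sell")
    m.grant_permission("cashier_supervisor", "register", "void")
    m.add_inheritance("finance_manager", "purchase_approver")
    m.add_inheritance("finance_manager", "cashier_supervisor")
    m.ssd.append((frozenset({"purchasing_clerk", "purchase_approver"}), 2))  # never both on one user
    m.dsd.append((frozenset({"cashier", "cashier_supervisor"}), 2))          # never both in one session
    m.assign_user("alice", "purchasing_clerk")
    out["alice_manager"] = attempt(m.assign_user, "alice", "finance_manager")  # inherits purchase_approver: SSD
    m.assign_user("bob", "cashier")
    m.assign_user("bob", "finance_manager")  # allowed: DSD only bites at activation time
    m.create_session("s1", "bob")
    m.add_active_role("s1", "cashier")
    out["bob_s1"] = attempt(m.add_active_role, "s1", "finance_manager")  # brings cashier_supervisor: DSD
    m.create_session("s2", "bob")
    m.add_active_role("s2", "finance_manager")
    out["void_in_s2"] = m.check_access("s2", "register", "void")  # inherited from cashier_supervisor
    out["sell_in_s2"] = m.check_access("s2", "register", "sell")  # cashier assigned but not active
    return out
```

The two refusals in `run_demo` show the difference the page draws between the constraint kinds: alice is blocked at assignment because the business role she would receive inherits a role that conflicts with one she already holds, while bob may hold both `cashier` and `finance_manager` and is only blocked when he tries to have both active in one session.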