Within an organization, roles are relatively stable, while users and permissions are both numerous and may change rapidly.

RBAC0 was defined as the base model, specified in terms of users, roles, and permissions.

RBAC1 includes RBAC0 but incorporates hierarchies as a partial order relationship between roles.

RBAC2 also incorporates RBAC0, but adds constraints.

RBAC1 and RBAC2 are independent of each other, in that a system may implement one without the other.

RBAC3 is a fully-featured RBAC model, incorporating RBAC0, RBAC1, and RBAC2.

RBAC3 is essentially equivalent to the 1992 Ferraiolo and Kuhn model with the exception that RBAC3 allows a partial order hierarchy while the Ferraiolo-Kuhn model defines the hierarchy as a rooted tree.

In object-oriented terms, the 1996 SCFY model can be thought of as incorporating multiple inheritance while Ferraiolo-Kuhn uses single inheritance.
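The sketch below is an added example, not code from either model's authors. It combines RBAC0 assignments, an RBAC1 partial-order hierarchy, and one RBAC2 constraint (mutually exclusive roles), then reports which roles a single-inheritance hierarchy could not express. The role and permission names are constructed, and reading "single inheritance" as "each role directly inherits from at most one other role" is an assumption of this example.

```python
class RBAC:
    """RBAC0 core (UA, PA) plus an RBAC1 hierarchy and an RBAC2 constraint."""

    def __init__(self):
        self.perms = {}      # PA: role -> permissions assigned directly
        self.inherits = {}   # RH: role -> roles it directly inherits from
        self.users = {}      # UA: user -> roles assigned directly
        self.exclusive = []  # RBAC2: role pairs one user may not hold together

    def add_role(self, role, perms=(), inherits=()):
        # Parents must already exist and roles are never redefined,
        # so the hierarchy stays acyclic (a valid partial order).
        if role in self.perms or any(r not in self.perms for r in inherits):
            raise ValueError(f"cannot add {role!r}")
        self.perms[role] = set(perms)
        self.inherits[role] = set(inherits)

    def authorized_roles(self, roles):
        # The given roles plus everything reachable through inheritance.
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.inherits[r])
        return seen

    def assign(self, user, role):
        proposed = self.users.get(user, set()) | {role}
        held = self.authorized_roles(proposed)
        for a, b in self.exclusive:  # checked against inherited roles too
            if a in held and b in held:
                raise PermissionError(f"{user}: {a} and {b} are exclusive")
        self.users[user] = proposed

    def check(self, user, perm):
        held = self.authorized_roles(self.users.get(user, ()))
        return any(perm in self.perms[r] for r in held)

    def multiple_inheritance_roles(self):
        return sorted(r for r, p in self.inherits.items() if len(p) > 1)

def build_demo():  # constructed roles and permissions, for illustration only
    m = RBAC()
    m.add_role("employee", {"read_wiki"})
    m.add_role("developer", {"push_code"}, inherits={"employee"})
    m.add_role("auditor", {"read_audit_log"}, inherits={"employee"})
    m.add_role("release_manager", {"deploy"}, inherits={"developer"})
    m.add_role("sec_lead", {"approve_exception"}, inherits={"developer", "auditor"})
    m.exclusive.append(("release_manager", "auditor"))
    return m
```

Here `sec_lead` inherits from two roles, which the partial order allows, and the exclusivity constraint is evaluated over inherited roles, so a user who already holds `release_manager` cannot acquire `auditor` indirectly through `sec_lead`.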

Roles with different privileges and responsibilities have long been recognized in business organizations, and commercial computer applications dating back to at least the 1970s implemented limited forms of access constraints based on the user’s role within an organization.


