1
votes

I understand that in a role based access control system (RBAC), roles within an organization are represented by roles. Each role then contains different tasks (access permissions) to do things within the application. Each user in the organization is then assigned one or more roles depending on what his job responsibilities are.

What I don't understand is whether groups exist in RBAC. I am currently designing a system where users can be assigned one or more roles. Users can then be placed into one or more groups (for example, programmers, people on floor 12, people who wear Metallica t-shirts, people who are part of the chess club, etc.), but the groups do not contain any roles or access permissions.

Do groups even exist in RBAC? If so, should groups contain permissions and roles which are inherited by members of the group?


1 Answer

0
votes

Well, I cannot tell about the theory aspect too much, but I can say that at least with the RBAC implementations that I know, this abstract 'group' can be achieved using inheritance between roles. Meaning, you could have a role prj_A_developers (which, let's say, can be allowed to 'commit' files, change issues in the task management system, etc.) and prj_A_testing (which, let's say, could change issues to certain statuses (QA passed/rejected/reopened/etc.), etc.). Now you could have prj_A_admin, which is a role that would be a parent of prj_A_testing and prj_A_developers. Users assigned this role will inherit all of this role's child elements, be they other roles, direct 'tasks', etc.

The inheritance is somewhat in the opposite direction if you're used to the object-oriented programming 'inheritance' concept, but I think it's clear nevertheless.

I think that using this inheritance you can achieve this 'group' concept.
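To make the role-inheritance idea in the answer above concrete, here is an added example (not code from the question or the answer, and not from any particular RBAC product): a small hierarchical RBAC model in Python in which a senior role such as prj_A_admin inherits every permission of the junior roles beneath it. The permission names (commit, change_issue, set_issue_status, manage_members) and the users alice, bob and carol are invented for the illustration. It also shows two checks a practitioner would want that the answer does not spell out: deny-by-default for unknown users or permissions, and rejection of inheritance edges that would form a cycle, since a cycle would collapse the roles involved into one and grant all of their permissions to each other.

```python
"""Hierarchical RBAC: senior roles inherit the permissions of junior roles.

Added illustration of the answer above. Role, permission and user names are
made up for the example and do not come from any real system.
"""
from collections import deque


class Rbac:
    def __init__(self):
        self.role_perms = {}      # role -> permissions granted directly on it
        self.role_children = {}   # senior role -> junior roles it inherits from
        self.user_roles = {}      # user -> roles assigned directly

    def add_role(self, role, perms=(), inherits=()):
        if role in self.role_perms:
            raise ValueError(f"role {role!r} already exists")
        self.role_perms[role] = set(perms)
        self.role_children[role] = set()
        for junior in inherits:
            self.add_inheritance(role, junior)

    def add_inheritance(self, senior, junior):
        """Make `senior` inherit everything `junior` grants, directly or via its own juniors."""
        for r in (senior, junior):
            if r not in self.role_perms:
                raise KeyError(f"unknown role {r!r}")
        # Refuse edges that would create a cycle: a cycle collapses the roles
        # involved into one, silently granting every permission to all of them.
        if senior in self._closure(junior):
            raise ValueError(f"{senior!r} -> {junior!r} would create a cycle")
        self.role_children[senior].add(junior)

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def _closure(self, role):
        """All roles reachable from `role` through the inheritance graph, including itself."""
        seen, queue = {role}, deque([role])
        while queue:
            for child in self.role_children[queue.popleft()]:
                if child not in seen:
                    seen.add(child)
                    queue.append(child)
        return seen

    def effective_roles(self, user):
        roles = set()
        for role in self.user_roles.get(user, ()):
            roles |= self._closure(role)
        return roles

    def effective_perms(self, user):
        perms = set()
        for role in self.effective_roles(user):
            perms |= self.role_perms[role]
        return perms

    def check(self, user, perm):
        """Deny by default: an unknown user or an unknown permission both yield False."""
        return perm in self.effective_perms(user)


def build_demo():
    """Constructed sample hierarchy mirroring the answer's prj_A_* roles."""
    rbac = Rbac()
    rbac.add_role("prj_A_developers", perms={"commit", "change_issue"})
    rbac.add_role("prj_A_testing", perms={"set_issue_status"})
    # The 'group' of everyone on project A is just the senior role that
    # inherits from both junior roles, plus whatever only admins may do.
    rbac.add_role("prj_A_admin", perms={"manage_members"},
                  inherits=["prj_A_developers", "prj_A_testing"])
    rbac.assign("alice", "prj_A_developers")
    rbac.assign("bob", "prj_A_admin")
    return rbac


if __name__ == "__main__":
    rbac = build_demo()
    for user, perm in [("alice", "commit"), ("alice", "set_issue_status"),
                       ("bob", "commit"), ("bob", "set_issue_status"),
                       ("carol", "commit")]:
        print(f"{user:6} {perm:17} {'allow' if rbac.check(user, perm) else 'deny'}")
```

Run it directly to see the allow/deny table: alice can commit but not change issue status, bob (prj_A_admin) can do both, and carol, who holds no role, is denied everything. Groups of the kind the question describes (floor 12, the chess club) would simply not appear in this model at all, or would be roles with an empty permission set that nothing inherits from.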