Definition of Policy
Several types of business policies may be associated with Roles
and with Resources:
- Authorization Rules. For example, whose authority is required
to attach a new Resource to a Role?
- Resource Exclusion Rules / separation of duties policies (the two
terms are basically synonymous). In particular, what sets of
resources must never be concurrently assigned to the same user?
- Prerequisite Rules. In particular, which Resources must a user
already have before he can be assigned a specific new Resource?
- User Selection Rules for a Role. For example, users whose
department ID is X and whose location is Y should get role Z.
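
The four rule types above can each be evaluated as a set operation. The sketch below is an added example, not taken from any product or from the original page. All resource, role and approver names are constructed, and it assumes every listed approver must sign off before a Resource is attached to a Role.

```python
# Constructed sample policy data; every name here is hypothetical.
ATTACH_AUTHORITY = {"payments_role": {"finance_owner", "security_officer"}}
EXCLUSION_SETS = [frozenset({"create_vendor", "approve_payment"})]
PREREQUISITES = {"prod_db_admin": {"vpn_access", "db_readonly"}}
SELECTION_RULES = [({"department": "X", "location": "Y"}, "Z")]


def missing_authority(role, approvers):
    """Authorization rule: approvals still needed to attach a Resource to `role`."""
    return ATTACH_AUTHORITY.get(role, set()) - set(approvers)


def check_assignment(held, requested):
    """Return violations caused by adding `requested` to a user's `held` Resources."""
    held = set(held)
    after = held | {requested}
    violations = []
    # Exclusion / separation of duties: no user may hold every Resource in a set.
    for excl in EXCLUSION_SETS:
        if requested in excl and excl <= after:
            violations.append(("exclusion", sorted(excl)))
    # Prerequisite: Resources the user must already hold before the grant.
    missing = PREREQUISITES.get(requested, set()) - held
    if missing:
        violations.append(("prerequisite", sorted(missing)))
    return violations


def selected_roles(user):
    """User selection rule: Roles whose attribute conditions all match `user`."""
    return [role for cond, role in SELECTION_RULES
            if all(user.get(k) == v for k, v in cond.items())]


if __name__ == "__main__":
    print(missing_authority("payments_role", ["finance_owner"]))
    print(check_assignment({"create_vendor"}, "approve_payment"))
    print(check_assignment({"vpn_access"}, "prod_db_admin"))
    print(selected_roles({"department": "X", "location": "Y"}))
```

The exclusion check runs against the Resource set the user would hold after the grant, so a conflict is rejected before the assignment is made rather than found afterwards in an audit.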