Users may be unique or have extraordinary requirements. It is normally impractical to develop a Privilege model so fine-grained and precise that it predicts every Resource that every user should have. As a result, there is always a variance between the user-to-resource assignments predicted by the privilege model and the actual user-to-role assignments as found on target systems.

Exceptions are added to the Privilege model to indicate that certain deviations from the predicted user-to-resource assignments are acceptable and should not be treated as policy violations.
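
The reconciliation described above, as an added example that is not from the original page: it computes the variance between predicted and actual assignments, then subtracts approved exceptions so that only unapproved deviations are reported as violations. All role, user and resource names are constructed, and the "stale exception" report (an exception that no longer matches any deviation) is an assumption added here, not something the page describes.

```python
from typing import NamedTuple

class Deviation(NamedTuple):
    user: str
    resource: str
    kind: str  # "excess": held but not predicted; "missing": predicted but not held

# Constructed sample data; every name below is hypothetical.
ROLE_RESOURCES = {
    "accountant": {"erp:ledger", "fileshare:finance"},
    "developer": {"git:write", "ci:run"},
}
USER_ROLES = {"alice": {"accountant"}, "bob": {"developer"}, "carol": {"developer"}}
ACTUAL = {  # assignments as found on target systems
    "alice": {"erp:ledger", "fileshare:finance", "git:write"},
    "bob": {"git:write"},
    "carol": {"git:write", "ci:run", "erp:ledger"},
}
EXCEPTIONS = {  # deviations recorded in the model as acceptable
    Deviation("alice", "git:write", "excess"),
    Deviation("bob", "ci:run", "missing"),
    Deviation("carol", "ci:run", "missing"),  # carol now holds ci:run, so this is stale
}

def predicted(user, user_roles, role_resources):
    """Resources the privilege model predicts for one user."""
    out = set()
    for role in user_roles.get(user, ()):
        out |= role_resources.get(role, set())
    return out

def variance(user_roles, role_resources, actual):
    """Every difference between predicted and actual assignments."""
    devs = set()
    for user in set(user_roles) | set(actual):
        want = predicted(user, user_roles, role_resources)
        have = actual.get(user, set())
        devs |= {Deviation(user, r, "excess") for r in have - want}
        devs |= {Deviation(user, r, "missing") for r in want - have}
    return devs

def reconcile(user_roles, role_resources, actual, exceptions):
    """Split the variance into violations, accepted deviations, stale exceptions."""
    devs = variance(user_roles, role_resources, actual)
    return devs - exceptions, devs & exceptions, exceptions - devs

if __name__ == "__main__":
    violations, accepted, stale = reconcile(USER_ROLES, ROLE_RESOURCES, ACTUAL, EXCEPTIONS)
    for label, group in (("VIOLATION", violations), ("ACCEPTED", accepted), ("STALE", stale)):
        for d in sorted(group):
            print(label, d.user, d.resource, d.kind)
```
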
