Several kinds of business policy can be attached to Roles and to Resources:

  • Authorization Rules. Who must approve a change to a Role, for example attaching a new Resource to it?
  • Resource Exclusion Rules, also called separation of duties (SoD) policies; the two terms are used interchangeably. Which sets of Resources must never be held by the same user at the same time? The check has to cover Resources a user inherits through Roles as well as those granted directly, or a conflict introduced by a Role membership goes unnoticed.
  • Prerequisite Rules. Which Resources must a user already hold before a specific new Resource can be assigned to them?
  • User Selection Rules for a Role. For example, users whose department ID is X and whose location is Y are placed in Role Z.
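The four rule types above evaluated together, as an added worked example (not code from the original page). A small policy engine checks a proposed direct grant against exclusion and prerequisite rules using the user's effective entitlements (direct grants plus those inherited through attribute-selected Roles), and checks a proposed change to a Role against an authorization rule plus the Role's own exclusion consistency. Every user, role, resource name, attribute and rule below is constructed for the example; the accounts-payable setting is an assumption, not something the page describes.

```python
"""Policy checks for role/resource assignment: an added worked example, not
code from the original page. All users, roles, resource names, attributes
and rule contents below are constructed for illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    attributes: dict                     # e.g. {"department": "FIN", "location": "NYC"}
    resources: frozenset = frozenset()   # resources granted directly


@dataclass
class Policy:
    role_resources: dict   # role -> set of resources granted via that role
    exclusions: list       # list of frozensets that must never be co-held
    prerequisites: dict    # resource -> set of resources required first
    role_selection: dict   # role -> attribute values that select users into it
    role_owners: dict      # role -> set of principals allowed to change it


def sod_violations(held, new_resource, exclusions):
    """Exclusion / separation-of-duties check: the new resource must not
    complete any exclusion set together with what is already held."""
    after = set(held) | {new_resource}
    return [excl for excl in exclusions
            if new_resource in excl and excl <= after]


def roles_for(user, policy):
    """User-selection rules: the user is in every role whose attribute
    predicate matches (all listed attribute values must be present)."""
    return {role for role, req in policy.role_selection.items()
            if all(user.attributes.get(k) == v for k, v in req.items())}


def effective_resources(user, policy):
    """Direct grants plus everything inherited through selected roles.
    SoD and prerequisite checks must use this set: a conflicting
    entitlement inherited via a role is invisible to a check that looks
    only at direct grants."""
    held = set(user.resources)
    for role in roles_for(user, policy):
        held |= policy.role_resources.get(role, set())
    return held


def check_user_assignment(user, new_resource, policy):
    """Evaluate granting new_resource directly to user. Returns a list of
    human-readable violations; an empty list means the grant is allowed."""
    held = effective_resources(user, policy)
    violations = [f"SoD: {sorted(excl)} would be held concurrently"
                  for excl in sod_violations(held, new_resource, policy.exclusions)]
    missing = set(policy.prerequisites.get(new_resource, ())) - held
    if missing:
        violations.append(f"prerequisite missing: {sorted(missing)}")
    return violations


def check_role_change(approver, role, new_resource, policy):
    """Authorization rule for attaching a resource to a role: only a
    registered owner of the role may do it, and the role's own resource set
    must not become self-conflicting (a role granting both halves of an
    exclusion set violates SoD for every member at once)."""
    violations = []
    if approver not in policy.role_owners.get(role, set()):
        violations.append(f"authorization: {approver} may not modify {role}")
    role_held = policy.role_resources.get(role, set())
    violations += [f"SoD within role {role}: {sorted(excl)}"
                   for excl in sod_violations(role_held, new_resource, policy.exclusions)]
    return violations


# Constructed sample policy for a hypothetical accounts-payable workflow.
POLICY = Policy(
    role_resources={"AP_CLERK": {"ap.invoice.create"},
                    "AP_APPROVER": {"ap.invoice.approve"}},
    exclusions=[frozenset({"ap.invoice.create", "ap.invoice.approve"}),
                frozenset({"vendor.create", "ap.payment.release"})],
    prerequisites={"ap.invoice.approve": {"ap.training.complete"},
                   "ap.payment.release": {"ap.invoice.approve"}},
    role_selection={"AP_CLERK": {"department": "FIN", "location": "NYC"}},
    role_owners={"AP_CLERK": {"fin-director"}, "AP_APPROVER": {"fin-director"}},
)

ALICE = User("alice", {"department": "FIN", "location": "NYC"},
             frozenset({"ap.training.complete"}))    # selected into AP_CLERK
BOB = User("bob", {"department": "FIN", "location": "LON"})   # location mismatch

if __name__ == "__main__":
    print(check_user_assignment(ALICE, "ap.invoice.approve", POLICY))  # SoD via inherited role
    print(check_user_assignment(BOB, "ap.invoice.approve", POLICY))    # prerequisite missing
    print(check_role_change("ap-manager", "AP_CLERK", "ap.invoice.approve", POLICY))
```

Note that alice is never granted `ap.invoice.create` directly; she holds it only because the selection rule puts her in AP_CLERK, which is exactly the case a direct-grants-only exclusion check would miss. The role-change check treats a Role's resource set like a user's entitlements, so an exclusion set cannot be smuggled in through Role design rather than through individual grants.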