Roles are static collections of privileges that express broad user access rights. Rules extend this static model, in which a user is simply attached to a Role, by examining user attributes such as department code or location code and deriving additional details, such as the user's mail server location, from those user-specific variables.

A single level of indirection between users and fine-grained privileges may not be sufficient for complex user management. As a result, it often makes sense to define two types of Roles: Business Roles, which describe a job function, and Infrastructure Roles, which bundle the concrete privileges that a job function requires.
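To make the two-tier model concrete, the following is an added example (not code from the original page) in which Business Roles resolve to Infrastructure Roles, Infrastructure Roles carry the fine-grained privileges, and Rules derive per-user settings from attributes. All role names, privileges, servers and attribute values are constructed for illustration; an unknown role name raises rather than being ignored so that a misconfiguration fails closed.

```python
# Added example, not from the original page; every name below is constructed.

# Infrastructure Roles: static bundles of fine-grained privileges.
INFRA_ROLES = {
    "mail-user": {"mail:read", "mail:send"},
    "vpn-user": {"vpn:connect"},
    "hr-db-reader": {"hrdb:select"},
}

# Business Roles map a job function onto Infrastructure Roles (or onto other
# Business Roles), giving the second level of indirection from the text.
BUSINESS_ROLES = {
    "employee": {"mail-user", "vpn-user"},
    "hr-analyst": {"employee", "hr-db-reader"},
}

# Rules: (attribute, value, settings applied when the user's attribute matches).
RULES = [
    ("location", "EMEA", {"mail_server": "mail-eu.example.internal"}),
    ("location", "AMER", {"mail_server": "mail-us.example.internal"}),
    ("department", "HR", {"mailbox_retention_days": 2555}),
]


def resolve_infra_roles(business_role, seen=None):
    """Expand a Business Role into Infrastructure Roles, tolerating nesting
    and cycles. An unknown name raises KeyError (fail closed)."""
    seen = seen if seen is not None else set()
    if business_role in seen:
        return set()
    seen.add(business_role)
    infra = set()
    for member in BUSINESS_ROLES[business_role]:
        if member in INFRA_ROLES:
            infra.add(member)
        else:
            infra |= resolve_infra_roles(member, seen)
    return infra


def privileges_for(business_roles):
    """Effective fine-grained privileges for a user holding these Business Roles."""
    privs = set()
    for br in business_roles:
        for ir in resolve_infra_roles(br):
            privs |= INFRA_ROLES[ir]
    return privs


def apply_rules(attributes):
    """Per-user details (e.g. mail server) derived from attribute Rules."""
    settings = {}
    for attr, value, extra in RULES:
        if attributes.get(attr) == value:
            settings.update(extra)
    return settings
```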
