I've had need to chew on Figure 14 and the surrounding text in the RA PR1, and was somewhat uncomfortable with the seemingly central role of Role. My concern was whether this leaned to the RBAC version of access control, where there are concerns about scalability and a resulting (at least local) leaning towards ABAC. Also, to what extent is this relevant to the general question of authorization?
Figure 14 states that a Social Structure defines a Role and that Role has certain Rights, Responsibilities, and Authority (RRA). (We won't get into what Action means here.) It also says the Role requires Qualification which requires Skill.
Now to begin, while the Role is certainly defined in the context of a Social Structure, whether someone designated to fill that role has any qualifications or skill is not a mandatory consideration. President Lincoln removed numerous generals from commanding the Union army because while they were designated for the role and could exercise rights relevant to their responsibility and authority, they did not demonstrate the qualifications or skill for the job.
Conversely, it is often recommended that if you want a job (especially promotion to a position), demonstrate you have the qualifications and skill, and an observant management will give you the role. Moreover, there are numerous examples where demonstrated qualifications and skill result in someone being associated with a role whether or not they have been officially given the role.
So while I agree that the Role is defined by the Social Structure, I would look at Qualification and Skill as being indicative of the ability to fulfill a Role. Thus, the definition of the Role is much more a collection of Social Structure-recognized attributes, and Role is often a convenient name for the aggregation of these attributes and the RRA that follows.
This line of thought then allows me to have consistency with an attribute-based approach. As already noted in the text, the Responsibility, Authority, and Rights can be bestowed without bestowing the named Role.
Any problems with this?
Ken
------------------------------------------------------------------------------------------
Ken Laskey
MITRE Corporation, M/S H305
7515 Colshire Drive
McLean VA 22102-7508
phone: 703-983-7934
fax: 703-983-1379
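As an added illustration of the point made in this message (this code is not part of the original post or of the RA text), here is a toy attribute-based model in which a Role is just a named aggregation of Social Structure-recognized attributes, and Rights follow from the attributes themselves. All attribute, role and right names, and the sample subjects, are constructed for the example.

```python
"""Toy ABAC model: Role as a label over attributes; Rights bestowed by attributes.

Added example, not from the original message. Every attribute key, role name,
right name and subject below is constructed for illustration only.
"""
from dataclasses import dataclass, field

@dataclass
class Subject:
    name: str
    attributes: dict = field(default_factory=dict)

# A Role is defined by the Social Structure as a set of required attribute
# values (here: the qualification it recognizes plus the authority it grants).
ROLES = {
    "commander": {"commissioned": True, "authority": "army",
                  "qualification": "field_command"},
}

# Rights are granted by predicates over attributes, never by the role label.
RIGHT_RULES = [
    ("issue_orders", lambda a: a.get("commissioned") is True
                               and a.get("authority") == "army"),
    ("approve_supply", lambda a: a.get("responsibility") == "logistics"),
]

def derive_roles(subject):
    """A subject holds a Role when its attributes satisfy the Role's definition."""
    return {role for role, required in ROLES.items()
            if all(subject.attributes.get(k) == v for k, v in required.items())}

def rights_for(subject):
    """Rights follow from attributes; holding the named Role is not required."""
    return {right for right, pred in RIGHT_RULES if pred(subject.attributes)}

def explain(subject):
    """Summarize the derived Role(s) and Rights for one subject."""
    return {"roles": sorted(derive_roles(subject)),
            "rights": sorted(rights_for(subject))}

# Constructed subjects: one fully qualified, one given Authority and Rights
# without ever being given the named Role.
QUALIFIED = Subject("officer_a", {"commissioned": True, "authority": "army",
                                  "qualification": "field_command"})
ACTING = Subject("officer_b", {"commissioned": True, "authority": "army"})

if __name__ == "__main__":
    for s in (QUALIFIED, ACTING):
        print(s.name, explain(s))
```

Running it shows `officer_b` exercising the same Right as `officer_a` while holding no named Role, which is the RRA-without-Role case the message refers to.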