
soa-rm-ra message


Subject: Re: [soa-rm-ra] roles and the social structure

As far as the RBAC/ABAC question goes, there are lots of cases in human orgs where the specific attributes of someone filling a role come after the role designation itself. You expect that a security officer be able to deal with security related issues, even if a specific issue had not been conceived of beforehand.

There are also cases where the role designation is an after-the-fact summarization of the specifics.

My intention for the skill/qualification was to support the ability pov. I think that there are cases where qualification is of the essence: you cannot legally be a truck driver if you have not passed the driving test. (I guess the actual condition is more closely defined but the general idea is there.)

So, I am in favor of finding a way of expressing the correct conditions; and if the 'requires' relationship is too strong then we can modify that.


On Jun 23, 2008, at 1:01 PM, Ken Laskey wrote:

I've had need to chew on Figure 14 and the surrounding text in the RA PR1, and was somewhat uncomfortable with the seemingly central role of Role.  My concern was whether this leaned to the RBAC version of access control, where there are concerns about scalability and a resulting (at least local) leaning towards ABAC.  Also, to what extent is this relevant to the general question of authorization.

Figure 14 states that a Social Structure defines a Role and that Role has certain Rights, Responsibilities, and Authority (RRA).  (We won't get into what Action means here.)  It also says the Role requires Qualification which requires Skill.  

Now to begin, while the Role is certainly defined in the context of a Social Structure, whether someone designated to fill that role has any qualifications or skill is not a mandatory consideration.  President Lincoln removed numerous generals from commanding the Union army because while they were designated for the role and could exercise rights relevant to their responsibility and authority, they did not demonstrate the qualifications or skill for the job.

Conversely, it is often recommended that if you want a job (especially promotion to a position), demonstrate you have the qualifications and skill, and an observant management will give you the role.  Moreover, there are numerous examples where demonstrated qualifications and skill result in someone being associated with a role whether or not they have been officially given the role.

So while I agree that the Role is defined by the Social Structure, I would look at Qualification and Skill as being indicative of the ability to fulfill a Role.  Thus, the definition of the Role is much more a collection of Social Structure-recognized attributes, and Role is often a convenient name for the aggregation of these attributes and the RRA that follows.  

This line of thought then allows me to have consistency with an attribute-based approach.  As already noted in the text, the Responsibility, Authority, and Rights can be bestowed without bestowing the named Role.

Any problems with this? 


Ken Laskey
MITRE Corporation, M/S H305
7515 Colshire Drive
McLean VA 22102-7508
phone: 703-983-7934
fax: 703-983-1379
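The thread's two positions, as an added example that is not part of the original messages or of the RA itself: a Role is a name the Social Structure attaches to an aggregation of Qualification/Skill attributes, a designated Role is just one more attribute when Rights are evaluated, and so a Right can be bestowed either through the named Role or directly through the attributes. The role names, attribute names, rights and sample subjects are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    """A person as seen by the Social Structure: designated Roles plus
    demonstrated Qualification/Skill attributes (e.g. 'qual:driving_test')."""
    name: str
    roles: frozenset
    attributes: frozenset


# Social Structure view: which Qualification/Skill attributes indicate the
# ability to fulfil each Role.  Constructed for this example.
ROLE_ABILITY = {
    "general": {"skill:field_command", "qual:staff_college"},
    "truck_driver": {"qual:driving_test"},
    "security_officer": {"qual:clearance", "skill:security_ops"},
}

# Rights as alternative attribute sets; any satisfied alternative grants the
# Right.  'role:X' is itself an attribute, so a Right may be tied to the named
# Role only (RBAC style), to attributes only, or to either (ABAC style).
RIGHTS = {
    "command_army": [{"role:general"}],
    "drive_truck": [{"qual:driving_test"}],          # qualification is of the essence
    "handle_security_issue": [{"role:security_officer"},
                              {"qual:clearance", "skill:security_ops"}],
}


def effective_attributes(s: Subject) -> frozenset:
    """Fold designated Roles into the attribute set as 'role:<name>'."""
    return s.attributes | {f"role:{r}" for r in s.roles}


def authorized(s: Subject, right: str) -> bool:
    """Attribute-based decision: true if any alternative for the Right holds."""
    attrs = effective_attributes(s)
    return any(alt <= attrs for alt in RIGHTS[right])


def able_to_fulfil(s: Subject, role: str) -> bool:
    """Qualification/Skill indicate ability, independently of designation."""
    return ROLE_ABILITY[role] <= s.attributes


def unfit_designations(s: Subject) -> set:
    """Roles bestowed on s without the indicated ability (the removed-general case)."""
    return {r for r in s.roles if not able_to_fulfil(s, r)}


# Constructed sample subjects covering the three cases discussed in the thread.
GENERAL = Subject("designated general", frozenset({"general"}), frozenset())
DRIVER = Subject("untested driver", frozenset({"truck_driver"}), frozenset())
ANALYST = Subject("cleared analyst", frozenset(),
                  frozenset({"qual:clearance", "skill:security_ops"}))
```

The designated general can exercise a Right bound to the named Role yet shows up as an unfit designation; the designated driver has the Role but not the legally required qualification; the analyst holds no named Role but is granted the Right through attributes alone.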

