Anonymous_User Absent Member.

rbac best practices

I would like to know what the best practices are for implementing RBAC.
For this simple example, I have an IT team that has two kinds of access:
- A Unix account on a host RES1
- An access to an application RES2.

I create 2 resources RES1 and RES2 and 3 roles.
ROL10 associated to RES1
ROL11 associated to RES2
ROL20 named "Member of IT Team" is the role parent of ROL10 and

In this scenario, it is possible to assign a user to RES1 via ROL10, a
user to RES2 via ROL11, or a user to both resources via ROL20.
The main drawback of this model is the number of roles if the model
is applied to all teams in the company.


I create 2 resources RES1 and RES2 and 1 role.
ROL20 named "Member of IT Team" associated to RES1 and RES2

Fewer roles than scenario 1.

To assign a user to only RES1, the only way is to assign user to
"In RBAC theory, a user must always be assigned via a role, not directly to
a permission (resource)".
However, in this scenario, the admin of the resource must be able to
create a requestassocationrole from any existing roles to this

What is the best way to implement a role model? Are there any other
possibilities?
Must a role represent a population (a team, for example "member of team
B"), a job function (IT Developer), or a resource (user of
application A)?

Thanks in advance

acany's Profile:
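
The two role models from the question, as an added example that is not part of the original post or of any product's API. It resolves effective resources through the role hierarchy and shows the excess access a "RES1 only" user receives in scenario 2. Assumptions: ROL20's second child is ROL11 (the post's line is cut off, but "both resources via ROL20" implies it), all function names are hypothetical, and `role_count` assumes each team has its own resources.

```python
# Added illustration: role and resource names come from the post, the rest is assumed.
# Scenario 1: one role per resource plus a parent team role (ROL20 -> ROL10, ROL11 assumed).
SCENARIO_1 = {
    "grants":   {"ROL10": {"RES1"}, "ROL11": {"RES2"}, "ROL20": set()},
    "children": {"ROL20": {"ROL10", "ROL11"}},
}
# Scenario 2: a single team role mapped straight to both resources.
SCENARIO_2 = {
    "grants":   {"ROL20": {"RES1", "RES2"}},
    "children": {},
}

def effective_resources(model, role, _seen=None):
    """Resources granted by a role, including those inherited from child roles."""
    seen = _seen if _seen is not None else set()
    if role in seen:          # guard against cycles in the hierarchy
        return set()
    seen.add(role)
    resources = set(model["grants"].get(role, ()))
    for child in model["children"].get(role, ()):
        resources |= effective_resources(model, child, seen)
    return resources

def smallest_role_for(model, needed):
    """Role covering `needed` with the fewest extra resources, or None.

    Returns (role, excess), where excess is access granted but not needed.
    """
    best = None
    for role in sorted(model["grants"]):
        have = effective_resources(model, role)
        if needed <= have:
            excess = have - needed
            if best is None or len(excess) < len(best[1]):
                best = (role, excess)
    return best

def role_count(teams, resources_per_team, per_resource_roles):
    """Roles needed company-wide: one per team, plus one per resource in scenario 1."""
    return teams * (1 + (resources_per_team if per_resource_roles else 0))
```

A non-empty `excess` is the least-privilege cost of the coarser model; `role_count` is the administrative cost of the finer one.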
Anonymous_User Absent Member.

Re: rbac best practices


It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

Has your issue been resolved? If not, you might try one of the following options:

- Visit and search the knowledgebase and/or check all
the other support options available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (

Be sure to read the forum FAQ about what to expect in the way of responses:

If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.

Good luck!

Your NetIQ Forums Team
