Role Assignment
---------------

Once an application is deployed, identities must be granted permissions before they are authorized to perform operations and access resources. Assigning permissions one at a time to users is unmanageable and prone to error. Role-based access control (RBAC) arose primarily from this requirement: permissions are associated with roles, and roles, rather than individual permissions, are assigned to identities. Identities that have roles assigned to them are granted the permissions associated with those roles.
There are several benefits to RBAC which I won't go into in this section, but consider the impact of an application change that alters a role by adding a new permission. Most administrators, I am sure, would prefer to add the new permission to the role and have it trickle down to users, rather than modify each user in the system to have this new permission.

Role assignment during and after deployment is required for identities to fulfill their designated functions within applications and systems. Role assignment can be done on a per-principal basis and should be allowed. However, doing so for every assignment would not be very tractable, especially at the scale of an enterprise. Role assignment to groups must be possible to make management feasible at medium to large scales.

Role assignment is a task required of application and system administrators. It begins as part of an application's deployment, yet it continues indefinitely as an operational overhead while identities are created, destroyed, regrouped and allowed to access the application with various roles.

Alex
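The model described above, as an added example that is not part of the original page: a small in-memory store in which roles are assigned to principals or to groups, one change to a role reaches every holder, and regrouping revokes access. The class, role, group, user and permission names are all hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class RoleStore:
    """Toy RBAC store: permissions attach to roles, roles to principals or groups."""
    role_perms: dict = field(default_factory=dict)       # role -> permissions
    principal_roles: dict = field(default_factory=dict)  # principal -> roles
    group_roles: dict = field(default_factory=dict)      # group -> roles
    group_members: dict = field(default_factory=dict)    # group -> principals

    def grant(self, role, permission):
        self.role_perms.setdefault(role, set()).add(permission)

    def assign(self, table, subject, role):
        # Refuse assignment of an undefined role so a typo cannot create a
        # role that silently carries no permissions.
        if role not in self.role_perms:
            raise KeyError(f"unknown role: {role}")
        table.setdefault(subject, set()).add(role)

    def roles_of(self, principal):
        # Effective roles = direct assignments plus roles of every group joined.
        roles = set(self.principal_roles.get(principal, ()))
        for group, members in self.group_members.items():
            if principal in members:
                roles |= self.group_roles.get(group, set())
        return roles

    def is_authorized(self, principal, permission):
        # Deny by default: no role carrying the permission means no access.
        return any(permission in self.role_perms.get(r, ())
                   for r in self.roles_of(principal))

def demo():
    """Constructed sample data; every name below is hypothetical."""
    s = RoleStore()
    s.grant("auditor", "report:read")
    s.group_members["finance"] = {"alice", "bob"}
    s.assign(s.group_roles, "finance", "auditor")    # one assignment, two users
    s.assign(s.principal_roles, "carol", "auditor")  # per-principal assignment
    users = ("alice", "bob", "carol", "dave")
    before = {u: s.is_authorized(u, "report:export") for u in users}
    s.grant("auditor", "report:export")              # alter the role once
    after = {u: s.is_authorized(u, "report:export") for u in users}
    s.group_members["finance"].discard("bob")        # regrouping revokes access
    regrouped = s.is_authorized("bob", "report:read")
    return before, after, regrouped

if __name__ == "__main__":
    print(demo())
```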
