RBAC roles are assigned to ARBAC roles through role ranges (a starting child node and an ending parent node). This range determines the set of roles that a user in the Admin Role can assign users. Given a complex RBAC role hierarchy or many roles not part of a hierarchy, this would require many ARBAC roles to be created. Is this correct?
Furthermore, when a new RBAC role is created, it will not belong to any ARBAC role (unless it happens to be inside of a role range). A new ARBAC role might need to be created for every new RBAC role. So, if we want to delegate role creation to a particular user(s), they would also need to have permissions to then create ARBAC roles and assign users to those roles?
