In the modern landscape of IT systems, the challenge of administering a large number of users with respect to their access rights to different computer systems and resources is a well-known problem. Based on conventional concepts, keeping the access rights of users to a large number of different computers and their resources up to date is increasingly regarded as a task that can no longer be accomplished. The larger and more complex the security environment, the larger the administrative problems become. This results in a large administrative overhead and an increasingly insecure security environment due to inconsistent security definitions.
As a solution for this problem, role-based concepts have been suggested, such as Sandhu et al., "The NIST model for role-based access control", Proceedings of the fifth ACM workshop on Role-based access control (Symposium on Access Control Models and Technologies), Berlin, Germany, 2000, or more diversified concepts such as the concept described in U.S. Pat. No. 5,911,143.
Difficulties arise when the above-mentioned theoretical concepts are put into practice. When implementing a role-based concept within the IT landscape of an existing enterprise, it has to be accepted that a certain security infrastructure already exists. This means that there are generally two choices:
a) designing a new security environment from scratch, where the new environment is based on the new concept, or
b) utilizing the existing security environment and transforming it to the new concept.
The first approach means that all information regarding the requirements for access control is needed, and that a new and “clean” environment is created. To accomplish that, a thorough analysis is needed of which access rights each subject really requires. Even if this might be possible for fairly small systems or new applications, this approach does not work in the case of complex and large existing security environments. This is typically the case with large centralized computing environments or with heavily interconnected and interrelated distributed environments, for example an environment with tens of thousands of users having access to thousands of resources. In these cases the workload required to implement the first approach is prohibitive.
The second approach utilizes the existing security environment and implements the new role-based concept on top of it. This is called a role-based administration of the security environment. It works very well if the structure of the existing security environment is appropriate, which means that the existing roles (sometimes also called groups) are used as an aggregation of existing subjects (more commonly referred to as users), and that only this aggregation is used for access control to computer resources. Experience shows that this is only possible in a few cases, where certain areas of computer systems within a larger security environment are to be provided with a role-based administration.
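As an added illustration of the condition stated above (example code, not part of the patent text), the following Python audit runs over a constructed, hypothetical set of users, groups and ACL entries and checks whether an existing environment grants access only through its groups; direct user grants are the entries that must be resolved, either dropped as redundant or turned into a role decision, before a role-based administration can be layered on top.

```python
# Constructed sample of an existing security environment (hypothetical).
# USERS maps each user to the existing groups ("roles") it belongs to.
USERS = {
    "alice": {"payroll-clerks", "staff"},
    "bob": {"staff"},
    "carol": {"payroll-clerks"},
}

# Each ACL entry grants one permission on one resource to a principal that is
# either a group (the aggregation a role-based administration can reuse) or an
# individual user (a grant that bypasses the group structure).
ACLS = [
    ("payroll-db", "read",  "group", "payroll-clerks"),
    ("payroll-db", "write", "user",  "alice"),   # direct grant, no group holds it
    ("intranet",   "read",  "group", "staff"),
    ("intranet",   "read",  "user",  "bob"),     # direct grant already covered by "staff"
]


def direct_user_grants(acls):
    """ACL entries granted to individual users instead of groups."""
    return [entry for entry in acls if entry[2] == "user"]


def rights_via_groups(user, users, acls):
    """(resource, permission) pairs the user holds purely through group membership."""
    groups = users.get(user, set())
    return {(res, perm) for res, perm, kind, name in acls
            if kind == "group" and name in groups}


def effective_rights(user, users, acls):
    """All rights the user holds, via groups and via direct grants."""
    direct = {(res, perm) for res, perm, kind, name in acls
              if kind == "user" and name == user}
    return rights_via_groups(user, users, acls) | direct


def redundant_direct_grants(users, acls):
    """Direct grants that can simply be removed: a group of that user already
    carries the same right, so access control does not change."""
    return [entry for entry in direct_user_grants(acls)
            if (entry[0], entry[1]) in rights_via_groups(entry[3], users, acls)]


def role_admin_readiness(acls):
    """Fraction of ACL entries expressed through groups; 1.0 means the whole
    environment can be administered through its existing roles alone."""
    if not acls:
        return 1.0
    return 1 - len(direct_user_grants(acls)) / len(acls)
```

The remaining direct grants after removing the redundant ones are exactly the cases where the existing group structure is not "appropriate" and a new role or an explicit exception has to be defined.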