In a typical role-based access control (“RBAC”) systems, access to an object within a computer system is provided to the members of groups termed “roles”; all subjects belonging to a given role have the same privileges to access various objects within the system. Individuals are then granted access to objects by being assigned membership in appropriate roles. RBAC is considered useful in many commercial environments because it allows access to the computer system to be conveniently organized along lines corresponding to the actual duties and responsibilities of individuals within organizations. For example, RBAC allows the access provided by roles to conform to a preexisting hierarchy; in a hospital environment, members of the “doctor” role will have broader access to protected objects than would members of “nurse”, who will in turn be given broader access than “health-care provider”. Various types of privilege can be conveniently organized as a function of role assignments. For example, “doctor” membership may allow the user the privilege to read from or write to a pharmacy record, while “pharmacist” may only allow the privilege of reading the record.
An advantage of RBAC is that it allows the access privileges provided to individuals to be very conveniently reconfigured as the individuals change job requirements, simply by deleting one's original assignment to a first role and adding one to the new role.