Enterprises use access control systems to grant data users the capability to access assets, which may be software, hardware, firmware, or combinations thereof. Access to an asset may include the ability to create files; to read files in specific directories or in certain systems; to read and write the files; or to create, read, write, and delete the files. Role-based access control systems grant access to assets based on assigned user roles. For example, a manager of many employees uses a role-based access control system to assign one user role (e.g., billing user) out of many user roles to one of the manager's employees or users. The assigned user role enables the employee to access a specific asset to modify a variety of billing records. By assigning one of many roles to the employee/user, the manager does not have to evaluate individual access to each of numerous billing records in the associated asset when granting access to each employee. However, existing role-based systems may allow a manager to assign any user role to the manager's employees. For example, a billing manager can assign a billing user role to an employee to access a sales department asset to modify billing records, even though the sales manager who supervises the sales department asset does not want the employee to be able to access that asset.
In contrast to role-based access control systems, discretionary access control systems enable a manager who has exclusive responsibility for an asset to be the only manager who can grant users access to that asset. For example, a billing website manager may be the only manager who can grant any user access to the billing website. However, discretionary access control systems still present certain problems. For example, the discretionary access control system enables the billing website manager to grant access to the billing website to a user who works in a sales department even though the sales manager who supervises the user does not want the user to be able to access the billing website. The above-described access control systems may not satisfy the needs of an organization that needs to enforce responsibility for ensuring that security procedures are followed or to enable auditors to verify that security procedures are followed.
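The two gaps described above can be made concrete with a small model, added here as an illustration and not taken from the original text. The user names, asset names and role-to-asset mapping are constructed assumptions; the audit function simply lists grants that one responsible manager never had a say in.

```python
from typing import NamedTuple

# Constructed sample organisation; every name below is an illustrative assumption.
USER_SUPERVISOR = {"alice": "billing_mgr", "bob": "sales_mgr"}
ASSET_SUPERVISOR = {"billing_records": "billing_mgr",
                    "billing_website": "billing_mgr",
                    "sales_dept_asset": "sales_mgr"}
ROLE_ASSETS = {"billing_user": ["billing_records", "sales_dept_asset"]}

class Grant(NamedTuple):
    model: str    # "rbac" or "dac"
    grantor: str
    user: str
    asset: str

def rbac_assign(manager, user, role):
    """RBAC as described: a manager may assign any role to the manager's own employees."""
    if USER_SUPERVISOR[user] != manager:
        raise PermissionError(f"{manager} does not supervise {user}")
    return [Grant("rbac", manager, user, asset) for asset in ROLE_ASSETS[role]]

def dac_grant(manager, user, asset):
    """DAC as described: only the asset's manager may grant access, to any user."""
    if ASSET_SUPERVISOR[asset] != manager:
        raise PermissionError(f"{manager} is not responsible for {asset}")
    return [Grant("dac", manager, user, asset)]

def audit(grants):
    """Return (grant, stakeholder) pairs where a responsible manager had no say."""
    findings = []
    for g in grants:
        for stakeholder in (ASSET_SUPERVISOR[g.asset], USER_SUPERVISOR[g.user]):
            if stakeholder != g.grantor:
                findings.append((g, stakeholder))
    return findings

def demo():
    # Both grants pass their model's own check, yet the sales manager agreed to neither.
    grants = rbac_assign("billing_mgr", "alice", "billing_user")
    grants += dac_grant("billing_mgr", "bob", "billing_website")
    return audit(grants)

if __name__ == "__main__":
    for grant, bypassed in demo():
        print(f"{grant.model}: {grant.grantor} gave {grant.user} access to "
              f"{grant.asset} without {bypassed}")
```

Each model checks only one relationship (user-to-manager in the role-based case, asset-to-manager in the discretionary case), which is why the audit has to compare every grant against both.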