Rule-based computing organizes statements into a data model that can be used for deduction, rewriting, and other inferential or transformational tasks. The data model can then be used to represent some problem domain and reason about the objects in that domain and the relations between them.
Rule-based approaches are common in many areas of industry. For example, artificial intelligence researchers frequently use rule-based computing to allow computers to come to conclusions in the presence of incomplete information. These rule-based “expert systems” assist and amplify human efforts in drug research, medical diagnosis, network modeling, and computer vision. Another application of rule-based computing, the business rules approach, formalizes an enterprise's critical business rules into a machine-usable form. These business rules not only provide an unambiguous statement of what a business does with information to decide a proposition, but the formal specification also becomes information for process and rules engines to run. Rule-based approaches can also be used in semantic web applications, software engineering, information architecture, and knowledge-management systems.
One subset of rule-based systems is role-based computing systems. A role-based computing system is a system in which identities and resources are managed by aggregating them into “roles” based on job functions, physical location, legal controls, and other criteria. These roles can be used to model organizational structures, manage assets, or organize data. By arranging roles and the associated rules into graphs or hierarchies, these roles can be used to reason about and manage various resources.
In one application, role-based strategies have been used to form a new security model, Role-Based Access Control (RBAC). RBAC associates special rules, called “permissions,” with roles; each role is granted only the minimum permissions necessary to perform the functions associated with that role. Identities are assigned to roles, giving users and other entities the permissions necessary to accomplish their job functions. This approach is flexible while still maintaining the separation-of-duties concepts important to real-world security.
RBAC has been formalized mathematically by NIST and accepted as a standard by ANSI. American National Standard 359-2004 is the information technology industry consensus standard for RBAC, and is incorporated herein by reference in its entirety.
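The RBAC model described above (permissions attached to roles, identities assigned to roles, roles arranged in a hierarchy, separation of duties) can be sketched as follows. This is an added example, not code from the original text or from the standard; the class, method, role, and permission names are hypothetical, and the payments data is constructed.

```python
class RBAC:
    def __init__(self, ssd=()):
        self.role_perms = {}   # role -> set of permissions granted to it
        self.juniors = {}      # senior role -> junior roles it inherits from
        self.user_roles = {}   # user -> directly assigned roles
        # Separation of duty: (roles, n) means no user may be authorized for n of them.
        self.ssd = [(frozenset(g), n) for g, n in ssd]

    def grant(self, role, *perms):
        self.role_perms.setdefault(role, set()).update(perms)

    def authorized_roles(self, roles):
        seen, stack = set(), list(roles)
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.juniors.get(role, ()))
        return seen

    def _violates_ssd(self, roles):
        authorized = self.authorized_roles(roles)
        return any(len(authorized & group) >= n for group, n in self.ssd)

    def inherit(self, senior, junior):
        if senior in self.authorized_roles({junior}):
            raise ValueError("hierarchy cycle")
        self.juniors.setdefault(senior, set()).add(junior)
        if any(self._violates_ssd(r) for r in self.user_roles.values()):
            self.juniors[senior].discard(junior)  # roll back the new edge
            raise PermissionError("inheritance would break separation of duties")

    def assign(self, user, role):
        if self._violates_ssd(self.user_roles.get(user, set()) | {role}):
            raise PermissionError(f"{user} + {role} breaks separation of duties")
        self.user_roles.setdefault(user, set()).add(role)

    def check(self, user, perm):
        roles = self.authorized_roles(self.user_roles.get(user, ()))
        return any(perm in self.role_perms.get(r, ()) for r in roles)

def demo():
    # Constructed sample: clerk creates payments, approver approves, manager inherits clerk.
    m = RBAC(ssd=[({"clerk", "approver"}, 2)])
    m.grant("clerk", "payment:create")
    m.grant("approver", "payment:approve")
    m.inherit("manager", "clerk")
    m.assign("alice", "manager")
    return m
```

Because the constraint is evaluated over inherited roles, a user who holds `manager` is refused `approver` even though `clerk` was never assigned to that user directly.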