The administration of services in organizations is becoming increasingly resource-intensive and complicated because of the many services deployed in and across the enterprise. Role-based access control (RBAC) is an alternative to assigning permissions directly to individual users: employees are assigned to roles that correspond to job functions, and users acquire permissions through the role rather than being assigned the permissions directly. While users and permissions may change frequently, roles are comparatively stable, and thus simplify administration.
Delegation is one efficient approach to managing this administrative load. For example, suppose an administrator wants to hand off part of the functionality of an existing administrative role, where a role defines the tasks and code that a user assigned the role can run. The administrator modifies the role; but after a period of time, and perhaps several further modifications, it is difficult to know whether the role now carries a smaller or a larger set of permissions than it originally did. Permission auditing is therefore problematic.
In an access control list (ACL) regime, such a modification is performed by adding access control entries, which are difficult to audit. In RBAC, the modification is accomplished by adding and removing actions on the role. In neither case, however, is there any guarantee of consistency or ordering between roles, for instance that a modified or derived role remains within the permissions of the role it was derived from.
In another scenario, an organization administrator wants to delegate server management in Europe entirely to a European administrator. The organization administrator also wants the European administrator to be able to delegate this functionality further, while remaining limited to European servers and never exceeding the functionality granted initially. The problem, then, is to selectively delegate functionality over a particular scope, with or without the right to delegate further.
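As an added illustration, not part of the original text, the following Python models the two problems described above: scoped delegation that cannot exceed the delegator's grant, and auditing whether an edited role has narrowed or widened. A hypothetical `Role` is a set of (action, scope) permissions plus a flag saying whether its holder may delegate further; `delegate()` refuses any grant outside the delegator's actions, scope or delegation right, and `compare()` answers the audit question by checking containment in both directions. The names, the path-style scope hierarchy (`servers/europe/de` lies under `servers/europe`) and the sample roles are all assumptions constructed for the example.

```python
"""Scoped role delegation with a containment audit (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    action: str   # e.g. "restart"
    scope: str    # hierarchical path, e.g. "servers/europe" (assumed convention)


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset[Permission]
    can_delegate: bool   # may the holder delegate further?


class DelegationError(Exception):
    pass


def scope_within(child: str, parent: str) -> bool:
    """True if `child` equals `parent` or lies below it in the path hierarchy.
    The trailing "/" prevents "servers-old/x" from matching parent "servers"."""
    return child == parent or child.startswith(parent.rstrip("/") + "/")


def grants(perm: Permission, action: str, scope: str) -> bool:
    """Does `perm` authorise `action` on `scope`?"""
    return perm.action == action and scope_within(scope, perm.scope)


def covers(outer: Role, inner: Role) -> bool:
    """Audit check: every permission of `inner` is granted by some permission of `outer`."""
    return all(any(grants(p, q.action, q.scope) for p in outer.permissions)
               for q in inner.permissions)


def compare(before: Role, after: Role) -> str:
    """Classify an edit: did the role narrow, widen, stay equivalent, or become incomparable?"""
    before_covers_after = covers(before, after)
    after_covers_before = covers(after, before)
    if before_covers_after and after_covers_before:
        return "equal"
    if before_covers_after:
        return "narrowed"
    if after_covers_before:
        return "widened"
    return "incomparable"


def delegate(delegator: Role, name: str, actions: list[str], scope: str,
             can_delegate: bool) -> Role:
    """Create a role holding `actions` on `scope`, limited to what the delegator holds."""
    if not delegator.can_delegate:
        raise DelegationError(f"{delegator.name} may not delegate")
    perms = set()
    for action in actions:
        # The delegator must hold the action on a scope that covers the requested one.
        if not any(grants(p, action, scope) for p in delegator.permissions):
            raise DelegationError(f"{delegator.name} cannot grant {action} on {scope}")
        perms.add(Permission(action, scope))
    new_role = Role(name, frozenset(perms), can_delegate)
    assert covers(delegator, new_role)   # invariant: delegation never widens
    return new_role


def modify(role: Role, add=frozenset(), remove=frozenset()) -> Role:
    """Edit a role in place (functionally): the kind of change that needs auditing later."""
    return Role(role.name, (role.permissions - frozenset(remove)) | frozenset(add),
                role.can_delegate)


# Constructed sample: an organization administrator over all servers.
ORG_ADMIN = Role("org-admin", frozenset({
    Permission("restart", "servers"),
    Permission("patch", "servers"),
    Permission("decommission", "servers"),
}), can_delegate=True)


def demo() -> dict:
    """Run the European-delegation scenario and return what each check decided."""
    results = {}
    eu_admin = delegate(ORG_ADMIN, "eu-admin", ["restart", "patch"], "servers/europe", True)
    de_ops = delegate(eu_admin, "de-ops", ["restart"], "servers/europe/de", False)
    results["chain_ordered"] = covers(ORG_ADMIN, eu_admin) and covers(eu_admin, de_ops)

    for key, args in {
        "out_of_scope": (eu_admin, "x", ["restart"], "servers/asia", False),
        "exceeds_actions": (eu_admin, "x", ["decommission"], "servers/europe", False),
        "no_redelegation": (de_ops, "x", ["restart"], "servers/europe/de", False),
    }.items():
        try:
            delegate(*args)
            results[key] = False          # should not get here
        except DelegationError:
            results[key] = True           # refused, as required

    # Later edits to eu-admin, audited against its original grant.
    widened = modify(eu_admin, add={Permission("restart", "servers/asia")})
    results["edit_widened"] = compare(eu_admin, widened)
    results["still_under_org_admin"] = covers(ORG_ADMIN, widened)  # org admin covers asia too
    results["edit_narrowed"] = compare(eu_admin, modify(eu_admin, remove={Permission("patch", "servers/europe")}))
    results["edit_incomparable"] = compare(eu_admin, modify(
        eu_admin, add={Permission("restart", "servers/asia")},
        remove={Permission("patch", "servers/europe")}))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two containment checks in `compare()` are what the ACL and plain-RBAC modification paths in the text lack: with them, an auditor can say whether a role edited several times is still inside its original grant, and whether it has left the scope it was delegated for even when it remains inside the organization administrator's authority.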