The management of complex services associated with enterprise messaging can be difficult. For example, multiple users and administrators need different levels of access. Assigning these permissions with sufficient granularity over a multitude of heterogeneous resources (e.g., files, email items, objects in a directory, etc.) is a challenging task because the assignment depends on what a user needs in order to perform the associated business function, as well as on implementation details of what these business functions need to touch in order to perform the desired action.
These implementation details can change over time. For example, creating a new mailbox requires permissions to create a new user account, to modify several properties, and to access a particular mailbox database.
Additionally, auditing resource-level permissions is difficult because the permissions are spread over directories, file systems, mailboxes, etc. Even if there were a way to accurately obtain all ACLs (access control lists) relevant to a particular user, it would still be challenging to explain why a particular permission is needed (e.g., which business function requires it). Moreover, with multiple administrators touching permissions, it is easy to misconfigure ACLs.
A relatively recent technology, the role-based access control (RBAC) model, employs a fixed set of roles that relate to job functions. RBAC works by assigning fixed permissions to all resources needed by a user to perform the actions related to the role. However, various business processes in different organizations require the ability to modify existing roles and create new ones. The rigid fixed-role RBAC model limits the ability of administrators to evolve operations along with the changing organization.
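The following is an added illustration, not part of the original text, of the RBAC model described above: roles bundle business functions, each business function lists the resource-level permissions its implementation needs (using the mailbox-creation example from the text), and an explain/audit step answers the question of which business function justifies a given ACL entry. The resource names, role names and user names are constructed for the example.

```python
# Constructed example: a business function maps to the resource-level
# permissions its implementation currently needs. The "create_mailbox"
# entries follow the text: create a user account, modify properties,
# access a particular mailbox database. Names here are invented.
BUSINESS_FUNCTIONS = {
    "create_mailbox": {
        ("directory:user", "create"),
        ("directory:user", "modify_properties"),
        ("mailbox_database:MDB01", "access"),
    },
    "reset_password": {
        ("directory:user", "modify_properties"),
    },
}

# A role is a fixed set of business functions tied to a job function.
ROLES = {
    "MailboxAdmin": {"create_mailbox", "reset_password"},
    "HelpDesk": {"reset_password"},
}

USER_ROLES = {"alice": {"MailboxAdmin"}, "bob": {"HelpDesk"}}


def effective_permissions(user):
    """Union of (resource, action) pairs granted through the user's roles."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        for fn in ROLES[role]:
            perms |= BUSINESS_FUNCTIONS[fn]
    return perms


def is_allowed(user, resource, action):
    return (resource, action) in effective_permissions(user)


def explain(user, resource, action):
    """Return the (role, business function) pairs that justify a permission."""
    reasons = []
    for role in sorted(USER_ROLES.get(user, ())):
        for fn in sorted(ROLES[role]):
            if (resource, action) in BUSINESS_FUNCTIONS[fn]:
                reasons.append((role, fn))
    return reasons


def audit_unexplained(acl_grants):
    """Flag ACL entries (user, resource, action) that no role justifies;
    these are candidates for misconfiguration."""
    return [(u, r, a) for (u, r, a) in acl_grants if not explain(u, r, a)]
```

Changing an implementation detail (e.g. a new mailbox database) means editing one entry in BUSINESS_FUNCTIONS rather than every role or ACL, which is the granularity problem the text describes.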