In any given enterprise, there are assets that the enterprise wishes to secure for a variety of reasons, for example to limit the number and type of employees who can access the assets, or to restrict the usage of an asset. A conventional computer network may provide security for assets such as electronic files through access control settings or permissions, which set forth the extent and type of each user's access to various assets. In a company, for instance, certain users may have read-only privileges for a particular electronic document, other users may have read/write privileges, while still other users may have no access privileges at all.
These access control settings may be managed by means of role-based access controls (RBAC), where a user wishing to access an asset must be a member of a role permitted to access the asset. Role-based access control is to a large extent static: an administrator defines a role by directly mapping users or groups of users to the role, and must edit the role or group definitions to add or remove a user from the role. Because role membership is predefined and static, the ability to adapt quickly to change is somewhat hindered.
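The static model described above can be sketched in a few lines. This is an added example, not part of the original text; the class, role, group, user and file names are all constructed for illustration. It shows that a user's access changes only when an administrator edits a role or group definition.

```python
# Added illustration of static RBAC; every name and value here is constructed.
from enum import IntEnum

class Access(IntEnum):
    NONE = 0
    READ = 1
    READ_WRITE = 2

class StaticRBAC:
    def __init__(self):
        self.groups = {}        # group name -> set of users
        self.role_members = {}  # role -> set of users or "group:<name>" entries
        self.asset_acl = {}     # asset -> {role: Access}

    def members_of(self, role):
        """Expand a role's direct user and group mappings into a set of users."""
        users = set()
        for entry in self.role_members.get(role, set()):
            if entry.startswith("group:"):
                users |= self.groups.get(entry[len("group:"):], set())
            else:
                users.add(entry)
        return users

    def access(self, user, asset):
        """Highest level granted by any role the user is a member of."""
        levels = [level for role, level in self.asset_acl.get(asset, {}).items()
                  if user in self.members_of(role)]
        return max(levels, default=Access.NONE)

def build_example():
    rbac = StaticRBAC()
    rbac.groups["finance"] = {"alice", "bob"}
    rbac.role_members["report-editors"] = {"alice"}          # direct user mapping
    rbac.role_members["report-readers"] = {"group:finance"}  # group mapping
    rbac.asset_acl["q3-report.xlsx"] = {
        "report-editors": Access.READ_WRITE,
        "report-readers": Access.READ,
    }
    return rbac

if __name__ == "__main__":
    rbac = build_example()
    for user in ("alice", "bob", "carol"):
        print(user, rbac.access(user, "q3-report.xlsx").name)
    # alice changes jobs: nothing changes until an administrator edits the
    # role definition AND the group definition by hand.
    rbac.role_members["report-editors"].discard("alice")
    print("after role edit:", rbac.access("alice", "q3-report.xlsx").name)
    rbac.groups["finance"].discard("alice")
    print("after group edit:", rbac.access("alice", "q3-report.xlsx").name)
```

Note that removing the user from the role alone still leaves read access through the group mapping, which is the kind of stale entitlement that manual, static membership makes easy to miss.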