Next: Special Rights
Up: Separation of Administration Duty
Previous: Admin Roles
Another set of roles contained in all role definitions is called
Assign Roles.
It defines which roles a process running in the given role is allowed to
assign: as a compatible role to roles, as a default role to users, or as an
initial or forced role to program files or processes.
- assignroles(r:role):set of roles := set of assignable roles for
role r
- addcomprole(p:process, r:role, r:role) := process p adds
role r to the set of compatible roles of role r at time n
- assigndefrole(p:process, r:role, u:user) := process p assigns
default role r to user u at time n
- assigninitialrole(p:process, r:role, f:file) := process p assigns
initial role r to program file f at time n
- assignforcedrole(p:process, r:role, f:file) := process p assigns
forced role r to program file f at time n
- assignforcedrole(p:process, r:role, p:process) := process p assigns
forced role r to process p at time n
Default roles can only be assigned to users if both the old and the new role are in
the set of Assign Roles. This restriction, together with the sets of
compatible roles, creates a range of
reachable roles, which easily forms a workgroup.
|
(26) |
To set an initial or forced role for a program file or process object, the
additional right MODIFY_ATTRIBUTE to the type of the object is needed.
Changes to the Assign Roles set of any role are restricted to
roles with Admin Type value Role Admin.
- changeassignroles(p:process, r:role) := process p changes the set of
assign roles of role r at time n
|
(29) |
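The rules stated in prose above, written out as a small decision model. This is an added example, not RSBAC code and not the numbered formulas of this section; the class, function, role, and type names and the "none" admin type are constructed for illustration, and it assumes that for initial and forced roles only the new role has to be in Assign Roles.

```python
from dataclasses import dataclass, field

ROLE_ADMIN = "Role Admin"              # Admin Type value named in the text
MODIFY_ATTRIBUTE = "MODIFY_ATTRIBUTE"  # right named in the text


@dataclass
class Role:
    name: str
    admin_type: str = "none"                          # constructed: not Role Admin
    assign_roles: set = field(default_factory=set)    # the role's Assign Roles set
    type_rights: dict = field(default_factory=dict)   # object type -> rights held


def may_assign_default_role(actor: Role, old_role: str, new_role: str) -> bool:
    """A user's default role may change only if both the old and the new
    role are in the Assign Roles of the role the process runs in."""
    return old_role in actor.assign_roles and new_role in actor.assign_roles


def may_assign_initial_or_forced_role(actor: Role, new_role: str,
                                      obj_type: str) -> bool:
    """Initial/forced roles additionally need MODIFY_ATTRIBUTE on the type of
    the program file or process object (assumption: only new_role is checked)."""
    has_right = MODIFY_ATTRIBUTE in actor.type_rights.get(obj_type, set())
    return new_role in actor.assign_roles and has_right


def may_change_assign_roles(actor: Role) -> bool:
    """Only roles with Admin Type Role Admin may edit any Assign Roles set."""
    return actor.admin_type == ROLE_ADMIN


# Constructed sample roles: a workgroup administrator and a role administrator.
GROUP_ADMIN = Role("group_admin",
                   assign_roles={"staff", "intern"},
                   type_rights={"project_file": {MODIFY_ATTRIBUTE}})
ROLE_ADMINISTRATOR = Role("role_administrator", admin_type=ROLE_ADMIN)

if __name__ == "__main__":
    # Inside the workgroup: allowed. Crossing its boundary either way: denied.
    print(may_assign_default_role(GROUP_ADMIN, "intern", "staff"))
    print(may_assign_default_role(GROUP_ADMIN, "intern", "security_officer"))
    print(may_assign_default_role(GROUP_ADMIN, "security_officer", "staff"))
    print(may_assign_initial_or_forced_role(GROUP_ADMIN, "staff", "system_file"))
    print(may_change_assign_roles(GROUP_ADMIN))
```

Because the old role is checked as well as the new one, the workgroup administrator can neither promote a user out of the workgroup nor pull a user of an outside role into it.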
Amon Ott