Next: Special Rights Up: Separation of Administration Duty Previous: Admin Roles

Assign Roles

Another set of roles contained in every role definition is called Assign Roles. It defines which roles a process running in this role is allowed to assign: as a compatible role to roles, as a default role to users, or as an initial or forced role to program files or processes.
\begin{displaymath}
\mathrm{addcomprole}_{tn}(\mathrm{p},\mathrm{r}_1,\mathrm{r}_2) \Rightarrow
\mathrm{r}_1 \in \mathrm{assignroles}_{tn}(\mathrm{currentrole}_{tn}(\mathrm{p}))
\wedge \mathrm{r}_2 \in \mathrm{adminroles}_{tn}(\mathrm{currentrole}_{tn}(\mathrm{p}))
\end{displaymath} (25)

Default roles can only be assigned to users if both the old and the new role are in the set of Assign Roles. Together with the sets of compatible roles, this restriction creates a range of reachable roles, which easily forms a workgroup.

\begin{displaymath}
\mathrm{assigndefrole}_{tn}(\mathrm{p,r,u}) \Rightarrow\
\ma...
...athrm{assignroles}_{tn}(\mathrm{currentrole}_{tn}(\mathrm{p}))
\end{displaymath} (26)

To set an initial or forced role for a program file or process object, the additional right MODIFY_ATTRIBUTE to the type of the object is needed.

\begin{displaymath}
\mathrm{assigninitialrole}_{tn}(\mathrm{p,r,f}) \Rightarrow
\mathrm{r} \in \mathrm{assignroles}_{tn}(\mathrm{currentrole}_{tn}(\mathrm{p}))
\wedge \mathrm{compatible}_{tn}(\mathrm{currentrole}_{tn}(\mathrm{p}),
\mathrm{efftype}_{tn}(\mathrm{f}), \mathrm{MODIFY\_ATTRIBUTE})
\end{displaymath} (27)

\begin{displaymath}
\mathrm{assignforcedrole}_{tn}(\mathrm{p,r,f}) \Rightarrow
\mathrm{r} \in \mathrm{assignroles}_{tn}(\mathrm{currentrole}_{tn}(\mathrm{p}))
\wedge \mathrm{compatible}_{tn}(\mathrm{currentrole}_{tn}(\mathrm{p}),
\mathrm{efftype}_{tn}(\mathrm{f}), \mathrm{MODIFY\_ATTRIBUTE})
\end{displaymath} (28)

\begin{displaymath}
\mathrm{assignforcedrole}_{tn}(\mathrm{p}_1,\mathrm{r},\mathrm{p}_2) \Rightarrow
\mathrm{r} \in \mathrm{assignroles}_{tn}(\mathrm{currentrole}_{tn}(\mathrm{p}_1))
\wedge \mathrm{compatible}_{tn}(\mathrm{currentrole}_{tn}(\mathrm{p}_1),
\mathrm{type}_{tn}(\mathrm{p}_2), \mathrm{MODIFY\_ATTRIBUTE})
\end{displaymath}

Changes to the Assign Roles set of any role are restricted to roles with Admin Type value Role Admin.


\begin{displaymath}
\mathrm{changeassignroles}_{tn}(\mathrm{p,r}) \Rightarrow\
\...
...(\mathrm{currentrole}_{tn}(\mathrm{p})) =
\mathrm{role\_admin}
\end{displaymath} (29)
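
The rules of this section can be read as access-check predicates. The following Python sketch is an added example, not code from RSBAC or from the original text; the class and function names, the admin type value no_admin and the sample roles are assumptions made for illustration. The default-role check follows the prose above, since formula (26) is truncated on this page.

```python
# Added illustration, not RSBAC source: the Assign Roles rules as predicates.
from dataclasses import dataclass, field

MODIFY_ATTRIBUTE = "MODIFY_ATTRIBUTE"

@dataclass
class Role:
    admin_type: str = "no_admin"   # assumed name for "not Role Admin"
    assign_roles: set = field(default_factory=set)
    admin_roles: set = field(default_factory=set)
    type_rights: dict = field(default_factory=dict)  # object type -> rights

def compatible(cur, obj_type, right):
    """True if role `cur` holds `right` on objects of type `obj_type`."""
    return right in cur.type_rights.get(obj_type, set())

def add_comp_role(cur, r1, r2):            # rule (25)
    return r1 in cur.assign_roles and r2 in cur.admin_roles

def assign_def_role(cur, old, new):        # prose before (26): old AND new role
    return old in cur.assign_roles and new in cur.assign_roles

def assign_object_role(cur, r, obj_type):  # rules (27), (28); obj_type is the
    # effective type of a file or the type of a target process
    return r in cur.assign_roles and compatible(cur, obj_type, MODIFY_ATTRIBUTE)

def change_assign_roles(cur):              # rule (29)
    return cur.admin_type == "role_admin"

def reachable_defaults(cur, old, all_roles):
    """Default roles `cur` may give to a user whose default role is `old`."""
    return {r for r in all_roles if assign_def_role(cur, old, r)}

# Constructed sample: a workgroup administrator role (all names hypothetical).
ALL_ROLES = {"dev", "dev_lead", "secoff", "dev_admin"}
DEV_ADMIN = Role(assign_roles={"dev", "dev_lead"}, admin_roles={"dev"},
                 type_rights={"dev_bin": {MODIFY_ATTRIBUTE}})

if __name__ == "__main__":
    # A user inside the workgroup can only be moved within it.
    print(reachable_defaults(DEV_ADMIN, "dev", ALL_ROLES))
    # A user whose old role lies outside the set cannot be touched at all.
    print(reachable_defaults(DEV_ADMIN, "secoff", ALL_ROLES))
    # Assign Roles membership alone is not enough without the type right.
    print(assign_object_role(DEV_ADMIN, "dev", "system_bin"))
    # Without Admin Type Role Admin the role cannot widen its own set.
    print(change_assign_roles(DEV_ADMIN))
```
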


Amon Ott