...

No term causes more confusion within the Access Management community than the word "role". Because of this, we will avoid using it where possible in this recipe, opting instead for "privilege-set". There are good definitions for role, but many identity management and access management technologies have used the term for their own purposes, thus adding to the confusion. We could state that "role", as used in the Grouper product, is "role" in the sense of Role-Based Access Control (RBAC); however, most of us live without RBAC and work with privilege assignments to subjects.

We do like the definition from the Apache Shiro project, with some modifications:

"Roles are effectively a collection of privileges used to simplify the management of privileges and users. So users can be assigned roles instead of being assigned privileges directly, which can get complicated with larger user bases and more complex applications. So, for example, a bank application might have an administrator role or a bank teller role."

...

A Privilege Set is a collection of privileges (see Privilege Assignment) that is shared by all subjects or roles assigned to the set, which generally describes the subjects' affiliation, job function, or responsibility. 

A Resource is the part of the system which needs to be protected by authorization, and it represents a noun in a privilege assignment. 

A Role is an object assigned to subjects which describes the subjects' affiliation, job function, or responsibility. It is a convenience for associating a set of privileges with a set of subjects collected into a group object. Roles can inherit privileges from other roles.

A Rule is a computation done on attributes by either a resource or a policy decision point to grant or deny access to a resource.
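As an added illustration (not part of the original page and not Grouper's own code), the following Python sketch models the terms defined above: a privilege as an action on a resource, roles that inherit privileges from other roles, subjects that receive privileges only through assigned roles, and a rule evaluated over subject attributes before access is granted. The bank roles, subjects and attribute values are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Privilege:
    action: str      # the verb, e.g. "deposit"
    resource: str    # the noun being protected, e.g. "account"

@dataclass
class Role:
    name: str
    privileges: set = field(default_factory=set)   # privileges assigned directly to this role
    parents: list = field(default_factory=list)    # roles this role inherits privileges from

def effective_privileges(role, seen=None):
    """Union of a role's own privileges and those inherited transitively from its parents.
    `seen` guards against an inheritance cycle (a role that is, indirectly, its own parent)."""
    seen = set() if seen is None else seen
    if role.name in seen:
        return set()
    seen.add(role.name)
    privs = set(role.privileges)
    for parent in role.parents:
        privs |= effective_privileges(parent, seen)
    return privs

def subject_privileges(subject, assignments):
    """assignments maps subject -> list of roles; subjects hold privileges only via roles."""
    privs = set()
    for role in assignments.get(subject, []):
        privs |= effective_privileges(role)
    return privs

def is_permitted(subject, action, resource, assignments, attrs, rule):
    """Grant only if (a) an assigned role carries the privilege and (b) the rule, evaluated
    over the subject's attributes, does not deny. A rule is a callable over the attribute dict."""
    if Privilege(action, resource) not in subject_privileges(subject, assignments):
        return False
    return rule(attrs.get(subject, {}))

# Constructed sample data: a hypothetical bank application, following the Shiro example above
teller = Role("teller", {Privilege("view", "account"), Privilege("deposit", "account")})
admin = Role("admin", {Privilege("close", "account")}, parents=[teller])  # admin inherits teller
ASSIGNMENTS = {"alice": [admin], "bob": [teller]}
ATTRS = {"alice": {"status": "active"}, "bob": {"status": "terminated"}}
active_only = lambda a: a.get("status") == "active"   # rule: only active subjects get access

if __name__ == "__main__":
    print(is_permitted("alice", "close", "account", ASSIGNMENTS, ATTRS, active_only))    # True
    print(is_permitted("bob", "deposit", "account", ASSIGNMENTS, ATTRS, active_only))    # False: rule denies
```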

...