Saturday, December 16, 2006

For a good deep mental exercise...

How does an organization begin to implement role based access control (RBAC)? If your entire enterprise is based on discretionary access control (DAC), where each resource owner hands out access to individual users, and an implementation of Identity Management begins to take shape, you must at some point deal with how to define roles: which permissions get bundled together, and which users get which bundles. Apparently this is no simple matter. I ran across a good blog posting on Archie Reed's Secure Identity Management blog here. Archie talks about a panel discussion at Digital ID World this past September. Very interesting. For those looking to implement RBAC (which would likely be anyone doing an Identity Management project), the NIST RBAC site might be a place to start:

http://csrc.nist.gov/rbac/
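To make the "how do you define roles" question concrete, here is an added example (mine, not from this post, from Archie Reed's blog, or from NIST) of the simplest kind of role mining: take a DAC-style export of who holds which permissions, turn permission sets that several users share into candidate roles, assign those roles back to users, and flag whatever is left over as exceptions for a human to review. The enforcement side uses the core model from the NIST/ANSI RBAC standard (users, roles, permissions, a user-to-role assignment UA and a role-to-permission assignment PA). The user names, objects and grants are constructed for illustration, and the two-user threshold for a candidate role is an arbitrary choice.

```python
"""Added example: mining candidate roles from DAC grants, then enforcing them
with a minimal core-RBAC model (USERS, ROLES, PRMS, UA, PA).
All names and grants below are constructed for illustration."""
from collections import defaultdict

# Constructed DAC export: user -> set of (operation, object) permissions that
# individual resource owners have granted over time.
DAC_GRANTS = {
    "alice": {("read", "ledger"), ("write", "ledger"), ("read", "payroll")},
    "bob":   {("read", "ledger"), ("write", "ledger"), ("read", "payroll")},
    "carol": {("read", "ledger")},
    "dave":  {("read", "ledger")},
    # erin holds the same permissions as alice/bob plus a one-off admin grant
    "erin":  {("read", "ledger"), ("write", "ledger"), ("read", "payroll"),
              ("admin", "hr_system")},
}


def mine_roles(grants, min_users=2):
    """Derive candidate roles from per-user grants.

    Returns (pa, ua, residual):
      pa       role -> frozenset of (op, obj) permissions   (permission assignment)
      ua       user -> set of role names                    (user assignment)
      residual user -> permissions no assigned role covers  (needs manual review)
    A permission set becomes a candidate role only if at least `min_users`
    users hold exactly that set; `min_users` is an arbitrary threshold here.
    """
    holders = defaultdict(set)
    for user, perms in grants.items():
        holders[frozenset(perms)].add(user)

    # Candidate roles, ordered by number of holders, then by size, so that
    # role names are stable across runs.
    candidates = sorted(
        (p for p, users in holders.items() if len(users) >= min_users),
        key=lambda p: (-len(holders[p]), -len(p), sorted(p)),
    )
    pa = {f"role{i}": perms for i, perms in enumerate(candidates, 1)}

    ua, residual = {}, {}
    for user, perms in grants.items():
        # A role fits a user if every permission in the role is one the user
        # already holds; never grant more than the DAC export did.
        fitting = {r for r, p in pa.items() if p <= perms}
        # Drop roles that are strict subsets of another fitting role; in a
        # hierarchical RBAC deployment these would become junior roles instead.
        assigned = {r for r in fitting
                    if not any(pa[r] < pa[other] for other in fitting)}
        covered = set().union(*[pa[r] for r in assigned])
        ua[user] = assigned
        residual[user] = perms - covered
    return pa, ua, residual


def check_access(pa, ua, user, op, obj):
    """Core-RBAC decision: allowed iff some role assigned to `user` carries
    the permission (op, obj). Unknown users hold no roles and are denied."""
    return any((op, obj) in pa[role] for role in ua.get(user, ()))


if __name__ == "__main__":
    pa, ua, residual = mine_roles(DAC_GRANTS)
    for role, perms in pa.items():
        print(role, sorted(perms))
    for user, roles in ua.items():
        print(user, sorted(roles), "residual:", sorted(residual[user]))
    print("bob write ledger:", check_access(pa, ua, "bob", "write", "ledger"))
    print("erin admin hr_system:", check_access(pa, ua, "erin", "admin", "hr_system"))
```

On the constructed data this yields two candidate roles (a ledger-clerk style bundle held by alice, bob and erin, and a read-only ledger bundle held by carol and dave). Erin's one-off admin grant does not become a role and is not enforced by `check_access` until someone decides whether it belongs in a new role or should be revoked. That residual list is the part an Identity Management project actually spends its time on; the clustering itself is the easy bit.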

I'll be looking for all the resources I can get on RBAC over the coming months. It seems that this could be quite a science.
