Most businesses that are serious about identity management and logical access control have adopted Role-Based Access Control (RBAC) as a model to govern who has access to what.

In its most simple form, RBAC is extremely simple: an individual should be assigned permissions not based on who he is, but based on which role he plays. The role-based access control model has been extensively researched (including by me) and the mechanics of the approach are fairly well understood.

However, paying attention to how a technology is used is just as important as having that same technology available in the first place. In other words, the psychological factors surrounding the adoption and use of an access control model deserves as much attention as the model itself. I wish I had realized this when I was doing my PhD research.



Shrdlu wrote a post that can reveals that she "gets it":

"When you assume a role, you're putting in a layer of separation between
yourself as an individual and the entity you're interacting with."

This observation is extremely true.

As
soon as that separation between "Jane" and "Receptionist at my doctor's
office" is made explicit, Jane (who is normally presumed to be a very
friendly lady) may turn into someone on wheels.

The ability
to hide behind a facade is well-known, judges do it by robing and/or
wigging, military and policy do it by donning uniforms, and there are
many more examples of separating person from role.

RBAC, or any other access control model for that matter, do not explicitly acknowledge that.

"So as the use of roles increases, and as the distance increases between
you and your user (geographically, organizationally and
sociologically), the less likely it becomes that your system security
will rest in the hands of individuals.  The perimeter isn't just wider;
it's diffused to the point where it really is gone.
"

Go read the post. Even better, subscribe to the rss feed.