next up previous
Next: Lifetime Limits Up: Separation of Administration Duty Previous: Assign Roles

Special Rights

Some special rights to types have been defined:
ADMIN:
Administrate this type, i.e., change type name or remove type.
ASSIGN:
Assign this type to objects. Additionally, MODIFY_ATTRIBUTE to the previous type of the object is needed.
ACCESS_CONTROL:
Change type compatibility settings for this type and all requests, which are no special rights.
SUPERVISOR:
Change type compatibility settings for this type for all special rights. If no role has SUPERVISOR right or Admin Type set to Role Admin, the special right settings can no longer be changed.

$\displaystyle {\mathrm{administratetype}_{tn}(\mathrm{p,t}) \Rightarrow}$
    $\displaystyle \mathrm{compatible}_{tn}(\mathrm{currentrole}_{tn}(\mathrm{p}),\mathrm{t},\mathrm{ADMIN})$ (30)
       
$\displaystyle {\mathrm{assigntype}_{tn}(\mathrm{p,t,o}) \Rightarrow}$
    $\displaystyle \mathrm{compatible}_{tn}(\mathrm{currentrole}_{tn}(\mathrm{p}),\mathrm{t},\mathrm{ASSIGN})$  
  $\textstyle \wedge$ $\displaystyle \mathrm{compatible}_{tn}(\mathrm{currentrole}_{tn}(\mathrm{p}),\mathrm{efftype}_{tn}(\mathrm{o}),\mathrm{MODIFY\_ATTRIBUTE})$ (31)
       
$\displaystyle {\mathrm{changetypecomp}_{tn}(\mathrm{p,r,t,a}) \wedge\ \mathrm{a} \not\in \mathrm{specialrights} \Rightarrow}$
    $\displaystyle \mathrm{compatible}_{tn}(\mathrm{currentrole}_{tn}(\mathrm{p}),\mathrm{t},\mathrm{ACCESS\_CONTROL})$  
  $\textstyle \wedge$ $\displaystyle \mathrm{r} \in\ \mathrm{adminroles(currentrole}_{tn}(\mathrm{p}))$ (32)
       
$\displaystyle {\mathrm{changetypecomp}_{tn}(\mathrm{p,r,t,a}) \wedge\ \mathrm{a} \in \mathrm{specialrights} \Rightarrow}$
    $\displaystyle \mathrm{compatible}_{tn}(\mathrm{currentrole}_{tn}(\mathrm{p}),\mathrm{t},\mathrm{SUPERVISOR})$  
  $\textstyle \wedge$ $\displaystyle \mathrm{r} \in\ \mathrm{adminroles(currentrole}_{tn}(\mathrm{p}))$ (33)

next up previous
Next: Lifetime Limits Up: Separation of Administration Duty Previous: Assign Roles
Amon Ott