Adopting Roles.

Roles may be used to obtain both extensions and reductions of privileges[1]. Reductions are typically performed in accord with a ``least privilege'' policy in which principals have only the privileges they need to accomplish a given task. Examples include:

• An administrator may want to have the powers of ordinary users most of the time, except when performing installation or user account creation.

• Users invoking untrusted software might want to reduce their powers before doing so.

• Users wishing to delegate only some of their privileges to others.

A principal A may adopt role R and act with the identity (A as R) when transiently obtaining or reducing powers. The privileges associated with a role work in the same way as those associated with principals. For example, a Manager role might have privileges:

group: CEOAnnouncementRecipients
group: companyBudgetReviewers
capability: MakeAppointmentOffer
-grantedBy Company
capability: ChargeCompanyCreditCard
-grantedBy Company

A principal plays a role by associating itself with one of its roles for a particular period of time. Thus, these privilege attributes must become associated with the principal. In SDM, this is accomplished by querying the RoleIdentity for its privileges.