Role hierarchies are a natural means of structuring an organization's line of authorities. Support for hierarchical roles therefore is a key aspect of any role-based access-control implementation. Mathematically, a role hierarchy defines a partial ordering relationship among roles ( ROLES ROLES) denoted by the symbol ?. Each pair of related roles (i.e., r ₁, r ₂ ? ROLES) such that r ₁ ? r ₂ is characterized by the following properties:

• q r ₁ is referred to as a senior role with respect to r ₂.

• q r ₂ is referred to as a junior role with respect to r ₁.

• qr ₁ acquires the permissions of r ₂ in addition to its own permissions. This implies that the permission set assigned to r ₂ is a subset of that assigned to r ₁.

• qr ₂ acquires user membership of r ₁ in addition to its own base of users. This means users with the senior role r ₁ are automatically a subset of users in the junior role r ₂.

Figure 8.3 illustrates the containment relationships corresponding to two hierarchical roles r ₁ and its junior role r ₂. Note the containment property with respect to users and permissions results in the senior user membership being part of the junior user membership, while the junior permissions are part of the senior...