
ANSI INCITS 459

ANSI INCITS 459, 2011-JAN-14: Information Technology - Requirements for the Implementation and Interoperability of Role Based Access Control


The System and Administrative Functional Specification clause (clause 6) in INCITS 359-2004 (R2009) specifies the features that are required of an RBAC system. These features fall into three categories: administrative operations, administrative reviews, and system-level functionality.

This standard specifies the implementation of RBAC systems. It describes the packaging of features through the selection of functional components and feature options within a component, beginning with a core set of RBAC features that shall be included in all packages. Other components that may be selected in arriving at a relevant package of features pertain to role hierarchies, static constraints (e.g., Static Separation of Duty or SSD), and dynamic constraints (e.g., Dynamic Separation of Duty or DSD). These are defined in Section 4.
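As an added illustration of the components named above (not text or code from the standard itself), the following Python sketch models core RBAC together with a role hierarchy, an SSD constraint on user-role assignment, and a DSD constraint on session activation; the user and role names are constructed for the example.

```python
class RbacModel:
    """Core RBAC with the optional components the standard names:
    role hierarchies, static (SSD) and dynamic (DSD) separation of duty."""

    def __init__(self):
        self.ua = {}        # user -> roles directly assigned to that user
        self.pa = {}        # role -> set of (operation, object) permissions
        self.juniors = {}   # senior role -> junior roles it inherits from
        self.ssd = []       # (role set, n): no user may be authorized for n of them
        self.dsd = []       # (role set, n): no session may activate n of them

    def add_inheritance(self, senior, junior):
        self.juniors.setdefault(senior, set()).add(junior)

    def grant(self, role, operation, obj):
        self.pa.setdefault(role, set()).add((operation, obj))

    def authorized_roles(self, roles):
        """The given roles plus every role reachable down the hierarchy."""
        seen, stack = set(), list(roles)
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.juniors.get(role, ()))
        return seen

    def assign_user(self, user, role):
        """Add a user-role assignment unless it would breach an SSD constraint.
        SSD is checked against authorized roles, so inherited roles count too."""
        proposed = self.authorized_roles(self.ua.get(user, set()) | {role})
        if any(len(proposed & rs) >= n for rs, n in self.ssd):
            return False
        self.ua.setdefault(user, set()).add(role)
        return True

    def create_session(self, user, roles):
        """Activate roles for a session; None if unauthorized or DSD is breached."""
        active = set(roles)
        if not active <= self.authorized_roles(self.ua.get(user, set())):
            return None
        if any(len(active & rs) >= n for rs, n in self.dsd):
            return None
        return active

    def check_access(self, session_roles, operation, obj):
        """Granted if any active role, or a role it inherits, holds the permission."""
        return any((operation, obj) in self.pa.get(r, ())
                   for r in self.authorized_roles(session_roles))
```

Note that the SSD check runs on the hierarchy-closed role set, which is why a senior role can trip a constraint written in terms of one of its juniors.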

This standard specifies that compliant RBAC products shall include an audit and reporting function. This function is not present in INCITS 359-2004 (R2009), but shall be available in compliant RBAC products.

This standard also specifies interoperability requirements that facilitate the exchange of RBAC system data between two systems. Interoperability is here defined as the ability of two systems to participate in the exchange of RBAC definition data in a non-operational state. To address this, the standard describes options for the interchange of RBAC elements (e.g., roles, permissions, users) and for functional interoperability among RBAC services and applications.

The standard recognizes a distinction between "Business Role" and "IT Role." Business roles are those commonly found in the business environment, e.g., an individual's role in the organization. This role is not necessarily implemented in any information technology (IT) system. Thus, a business role is a job function of an individual within an organization. IT roles are those roles that are implemented in an IT system. These roles may reflect business roles, but may also be unique to the IT system because of the particular permissions present in the system. IT roles may themselves be classified into structural roles and functional roles. This distinction is described in Annex C.

The scope of this standard covers IT roles and not necessarily business roles. This standard is concerned with the implementation and translation of access privileges within IT systems. In recognition of the fact that systems and components may not include all features described in INCITS 359-2004 (R2009), the definitions of components that derive from INCITS 359-2004 (R2009) may be only partially implemented in RBAC products.

The use of this standard is intended for implementations of the RBAC infrastructure. Role definition processes (role engineering) may be addressed in a future standard.

This standard provides a generalized syntax and data model for developing use cases for implementation of interoperable RBAC systems.
