Role-Based Access Control (RBAC) is a guiding model for many identity management deployments. The problem is that the traditional static RBAC model does not scale. RBAC is fine for a few tens of roles. But as the number of connected systems grows, the number of roles grows as well. An organization with a thousand employees can easily end up with a few thousand roles. The difficult problem of managing a thousand employees is transformed into the even more difficult problem of managing a few thousand roles.

The reasons are quite understandable but they are far from being obvious:

This is known as role explosion. It is a severe disease of most IDM projects. A project that started with the good intention of simplifying user management will end up with a role structure that is much more difficult to maintain than it was before the project.

The static RBAC model usually cannot be used to handle role explosion efficiently. There are some solutions, but none of them is a panacea:

A practical enterprise IDM solution will most likely need all of these mechanisms, not just one. Dynamic roles and approvals are the two most critical features when fighting role explosion with a provisioning system.
