As a SOX auditor, I specialized in security and did
a lot of research into role-based security. I put my thoughts and ideas into a white paper. The basic premise
is that if each user belongs to one and only one business role and all other authority is granted to the
business role, then security audits are primarily done for the roles and not the people in them. This can
significantly reduce the ongoing cost of security audits.
Click here to read my white
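One way to check an access export against the premise above (one business role per user, all authority granted through the role), as an added example that is not from the white paper or its author. The user names, role names, entitlements and both function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample export of an access-control system (not real data).
ALL_USERS = {"alice", "bob", "carol", "dave", "erin", "frank"}
USER_ROLES = [                      # (user, business role)
    ("alice", "AP_Clerk"),
    ("bob", "AP_Clerk"),
    ("carol", "AP_Manager"),
    ("dave", "AP_Clerk"),
    ("dave", "AP_Manager"),         # exception: two business roles
    ("erin", "Treasury_Analyst"),
]                                   # frank has no role at all
ROLE_GRANTS = {                     # business role -> entitlements
    "AP_Clerk": {"invoice.enter", "vendor.view"},
    "AP_Manager": {"invoice.approve", "vendor.view"},
    "Treasury_Analyst": {"payment.release"},
}
DIRECT_GRANTS = [("bob", "invoice.approve")]  # exception: bypasses the role


def check_role_model(all_users, user_roles, direct_grants):
    """List every exception to 'one user, one role, no direct grants'."""
    roles_of = defaultdict(set)
    for user, role in user_roles:
        roles_of[user].add(role)
    return {
        "no_role": sorted(u for u in all_users if u not in roles_of),
        "multiple_roles": {u: sorted(r) for u, r in sorted(roles_of.items())
                           if len(r) > 1},
        "direct_grants": sorted(direct_grants),
    }


def review_items(user_roles, role_grants):
    """Rough count of line items reviewed per user versus per role."""
    per_user = sum(len(role_grants[role]) for _, role in user_roles)
    per_role = sum(len(grants) for grants in role_grants.values())
    return per_user, per_role


if __name__ == "__main__":
    for kind, found in check_role_model(ALL_USERS, USER_ROLES,
                                        DIRECT_GRANTS).items():
        print(f"{kind}: {found}")
    print("items per user vs per role:", review_items(USER_ROLES, ROLE_GRANTS))
```

Once the exception lists are empty, the per-role review covers every user's access, because no authority exists outside a role.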