IAM Myth: RBAC Is Static
Role-based access control (RBAC) is static. Everybody knows that! There are fixed user-role assignments, there are fixed role-privilege sets. Nothing changes in RBAC, unless it is changed by system administrator. RBAC does not work any more.
Right … and Wrong
The statement above is technically correct - as long as we are talking about traditional RBAC from early 2000s. That kind of RBAC is indeed still in use, mostly by older or simpler applications.
However, as for identity management systems and IGA platforms this is not entirely true. Identity management moved from static RBAC long time ago. The basic "role-based" principle is still there, there are roles and privileges and all that stuff. However, it is not static. Not any more. It has evolved. There was plenty time for that, during last two decades.
Dynamic RBAC
Pretty much every self-respecting IGA platform has a way to automatically assign (and unassign) roles to users. Some provide only a very simple mechanism, others have many sophisticated methods to do it, yet it is there: roles are assigned to users dynamically. State-of-the-art IGA platforms go even further, they determine privileges granted by a role dynamically. For example midPoint policy-driven RBAC model has several ways the privileges of a role can be influenced by policy and context. One way or another, dynamic RBAC is here to stay - and it is a surprisingly good fit for 21st century IGA.