Friday, October 22, 2010

Role Based Access Control (RBAC) and Single Sign On (SSO) and Role vs Group

I attended a meeting to discuss Single Sign On. After listening to the discussion for a while, I noticed a problem with it. It sounded like they intended to implement Role Based Access Control in the Single Sign On system. However, they mixed RBAC and SSO together during the discussion. So, I suggested that they discuss RBAC and SSO separately at this early stage.

The relationship between RBAC and SSO should be like this:
  1. When we start discussing the design of RBAC and SSO, we should discuss RBAC first. After RBAC is clearly defined, it won't be difficult to implement it in the SSO system.
  2. When we start discussing the SSO implementation, we need to look at the whole system as an SSO system and think about how RBAC will be implemented within it.
So, we will have a clear and efficient discussion once we have a clear concept of the relationship between SSO and RBAC.

Another cause of their confusion during the design was that they mixed the concepts of Group and Role. There is plenty of discussion about the difference between groups and roles under the generally accepted definitions, and a designer will be confused if he mixes them. In this case, I noticed that they had tried to define roles in Active Directory as a hierarchical structure. Starting from that point, they were led into messy concepts and could not get out of them. However, they immediately had a clearer view after I told them to first think about moving those "groups" in AD into a DB2 table as Roles. Then they could think about how to implement their RBAC system. Then, if they really wanted to, they could move those roles back into AD and use AD only as persistent storage.
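To make the separation concrete, here is an added example (my own illustration, not code from the original post or from any system it describes). It models the two points above: the SSO layer only asserts who the user is and which directory groups they belong to, while the application owns a role table (the post suggests a DB2 table) that maps groups to roles and roles to permissions. Under the generally accepted definitions a group is a collection of users and a role is a collection of permissions, so the only place the two meet is the group-to-role assignment. All user names, group distinguished names and permission strings are constructed sample data, and `SsoAssertion` is a hypothetical stand-in for whatever the real SSO product returns.

```python
"""Added example: keep directory Groups (identity) separate from
application Roles (authorization). Sample data is constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class SsoAssertion:
    """What a hypothetical SSO system hands the application after login:
    the user and the directory groups it asserts. No roles, no permissions."""
    user: str
    groups: frozenset


# Role table owned by the application (think of a DB table): role -> permissions.
# No hierarchy is needed; "admin" simply lists every permission it carries.
ROLE_PERMISSIONS = {
    "viewer": frozenset({"report:read"}),
    "editor": frozenset({"report:read", "report:write"}),
    "admin": frozenset({"report:read", "report:write", "user:manage"}),
}

# Group-to-role assignment: the single point where AD groups meet app roles.
# Group names are constructed examples of AD distinguished names.
GROUP_ROLES = {
    "CN=Finance,OU=Groups,DC=example,DC=local": frozenset({"editor"}),
    "CN=Auditors,OU=Groups,DC=example,DC=local": frozenset({"viewer"}),
    "CN=IT-Admins,OU=Groups,DC=example,DC=local": frozenset({"admin"}),
}


def roles_for(assertion, group_roles=GROUP_ROLES):
    """Resolve asserted groups to roles. Groups the app does not know
    about (e.g. a catch-all "Everyone" group) grant nothing."""
    roles = set()
    for group in assertion.groups:
        roles |= group_roles.get(group, frozenset())
    return frozenset(roles)


def permissions_for(assertion, group_roles=GROUP_ROLES):
    """Union of the permissions of every role the user holds."""
    perms = set()
    for role in roles_for(assertion, group_roles):
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def is_allowed(assertion, permission, group_roles=GROUP_ROLES):
    """The authorization decision the application makes; SSO is not consulted."""
    return permission in permissions_for(assertion, group_roles)


def grant_role_to_group(group_roles, group, role):
    """Return a new assignment table with `role` added to `group`.
    Roles must already exist in the application's role table, which is
    what keeps AD from becoming the place where roles are defined."""
    if role not in ROLE_PERMISSIONS:
        raise KeyError(f"unknown role: {role}")
    updated = dict(group_roles)
    updated[group] = updated.get(group, frozenset()) | {role}
    return updated


# Constructed sample assertions, as a hypothetical SSO layer might return them.
ALICE = SsoAssertion("alice", frozenset({
    "CN=Finance,OU=Groups,DC=example,DC=local",
    "CN=Auditors,OU=Groups,DC=example,DC=local",
}))
BOB = SsoAssertion("bob", frozenset({"CN=IT-Admins,OU=Groups,DC=example,DC=local"}))
CAROL = SsoAssertion("carol", frozenset({"CN=Everyone,OU=Groups,DC=example,DC=local"}))


if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL):
        print(who.user, sorted(roles_for(who)), sorted(permissions_for(who)))
```

Because the role definitions live in `ROLE_PERMISSIONS` and not in the directory, the team can later store the group-to-role table in AD purely as persistence without letting AD's group tree dictate the role model, which is exactly the order of work the post recommends.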
