Quiz Entry - updated: 2026.07.14
What is the difference between static and dynamic roles in role-based access control?
Static roles are fixed by job (Administrator vs User). Dynamic roles are acquired in context (a user who's strongly authenticated gets more rights than one who's weakly authenticated).
| Static roles | Dynamic roles | |
|---|---|---|
| Definition | Fixed assignment from organisational role | Acquired at runtime based on context |
| Triggered by | Account creation, HR records | Authentication strength, location, time, attributes |
| Example | "Tom is an Engineer" — always | "A user with FIDO2-key auth gets transfer rights; a user with only password+SMS gets read-only" |
Where dynamic roles are powerful:
- Step-up authentication: read your balance with just a password; transfer money requires 2FA; change beneficiaries requires 2FA + waiting period.
- Geo-fencing: in-office access to a finance app; from home, view-only.
- Time-based: developer can deploy during business hours; after hours, requires a second approver.
Why this matters operationally: dynamic roles let you implement least privilege along the time/context axis, not just along the user axis. The same person has different rights at different moments — which is more secure than always granting their maximum needed rights.
Tip: This is essentially what modern "zero trust" architectures do — every request is re-evaluated against current context, not just against a static identity claim.