The RBAC standard doesn't refer to operations, but only deals with users, roles, and permissions. I suppose that the operations you're referring to are part of the specific implementation you're using. They probably are the way resources are implemented in your solution.
A permission is what is needed to execute/access a resource. Permissions are assigned to roles, and resources require a set of permissions.
Let's take, for example, the case of a simple till management system. There are many users (the store's employees), and many roles, including cashier operator. That role gives the users one permission, scan items. Such permission is required by the operation item.scan(), and also by the operation item.cancel().
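The till example above, sketched as an added example that is not part of the original answer: roles grant permissions, each operation declares the set of permissions it requires, and the check denies by default. The `supervisor` role, the `void transactions` permission, the `drawer.open` operation and the user names are assumptions made up for illustration.

```python
# Constructed sample data for the till example. "cashier operator",
# "scan items", item.scan and item.cancel come from the answer; everything
# else (supervisor, void transactions, drawer.open, user names) is assumed.
ROLE_PERMISSIONS = {
    "cashier operator": {"scan items"},
    "supervisor": {"scan items", "void transactions"},
}

# Each operation (resource) declares the full set of permissions it requires.
OPERATION_REQUIRES = {
    "item.scan": {"scan items"},
    "item.cancel": {"scan items"},
    "drawer.open": {"scan items", "void transactions"},
}

USER_ROLES = {
    "alice": {"cashier operator"},
    "bob": {"supervisor"},
    "carol": set(),  # employee with no role assigned yet
}


def permissions_of(user):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def missing_permissions(user, operation):
    """Permissions the operation requires that the user lacks (for audit logs)."""
    return OPERATION_REQUIRES.get(operation, set()) - permissions_of(user)


def is_allowed(user, operation):
    """Deny by default: unknown users, roles and operations get no access."""
    required = OPERATION_REQUIRES.get(operation)
    if required is None:
        return False  # unregistered operation: refuse rather than allow
    return required <= permissions_of(user)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        for op in ("item.scan", "item.cancel", "drawer.open"):
            print(user, op, is_allowed(user, op), sorted(missing_permissions(user, op)))
```

Users never appear in the operation table and operations never appear in the role table, so access changes by editing role membership or role permissions only.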