Module 5: RBAC (Role Based Access Control)
Access Governance with Role-Based Access Control
Role-Based Access Control (RBAC) provides an overview of the network resources available to an employee based on the role he or she holds in the organization. User Management Resource Administrator (UMRA) can handle Role Based Access Control information in various ways. RBAC implementation, including populating an RBAC matrix, is predominantly an organizational concern; however, populating an RBAC matrix 100% is often not feasible. Doing so involves a painstaking effort that can take months, if not years. At the start of such an initiative, the matrix will often contain as many entries as there are employees.
To enable a quick and targeted RBAC implementation, UMRA offers various processing options for an empty, partially or completely populated matrix.
Empty RBAC Matrix
If the matrix is empty, privileges and applications will in many cases be copied from a template or an existing user. One drawback of this approach is that there is insufficient control over pollution, and employees will eventually end up with far too many network privileges. Nevertheless, the objective is often to use this first method (copy user or template) during the first phase of the UMRA implementation to ensure a fast implementation, because a dependency on a Role Based Access Control project can delay IDM implementations for months or years on end. In any case, accounts are created more uniformly, and a starting point is created for collecting the information required to populate the empty matrix.
Partially Populated RBAC Matrix
Although it can be difficult to populate the matrix completely, it is very simple to populate it partially, down to the department level. In many cases it is also feasible to populate the matrix easily for a large group of employees. An RBAC matrix populated this way already offers a major advantage in the user management process. After all, for new employees it is possible to assign all groups at the organizational level (login, word processing, email) and departmental level (access to departmental shares and applications) directly. This means new employees can start working immediately, and more time is freed up for assigning more specific privileges. If UMRA detects an unpopulated section of the matrix, the manager of the employee in question will automatically receive an email notification and a UMRA form asking for the specific privileges and applications required for the employee. The manager's choices will be recorded in UMRA, and this information can be used for further definition of empty sections in the matrix.
Completely Populated RBAC Matrix
Although it can be difficult to populate a matrix fully, it will prove to be the ideal tool for assigning and storing the right privileges and applications for every employee. Using the matrix, UMRA can regulate the assignment of privileges and applications to new employees and handle changes occurring when roles and/or job titles of employees change or employees change departments. More complex scenarios are also supported, e.g. cases where an employee works part-time for two different departments or when employees remain active in their previous department, etc. It is also possible to store Role Based Access Control information in UMRA, or to have UMRA retrieve Role Based Access Control information from a customized or default third-party software application.
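The layered lookup described for the partially and completely populated matrix can be sketched as follows. This is an added example, not UMRA code: the group names, the matrix layout and the functions `resolve` and `plan_change` are assumptions made for illustration. It goes slightly beyond the text by also computing which groups to revoke on a role change, which is what keeps privileges from piling up the way they do when accounts are copied from a template.

```python
from dataclasses import dataclass, field

# Constructed sample matrix; all group names are assumptions, not UMRA data.
ORG_GROUPS = {"login", "word-processing", "email"}
DEPT_GROUPS = {
    "finance": {"fin-share", "fin-app"},
    "hr": {"hr-share", "hr-app"},
}
# The role level is only partially populated: (department, role) -> groups.
ROLE_GROUPS = {
    ("finance", "controller"): {"ledger-approve"},
}

@dataclass(frozen=True)
class Assignment:
    department: str
    role: str

@dataclass
class Resolution:
    groups: set = field(default_factory=set)
    gaps: list = field(default_factory=list)  # cells that need the manager's input

def resolve(assignments):
    """Union organizational, departmental and role groups; record empty cells."""
    res = Resolution(groups=set(ORG_GROUPS))
    for a in assignments:  # more than one entry models a part-time split
        if a.department not in DEPT_GROUPS:
            res.gaps.append((a.department, None))
            continue
        res.groups |= DEPT_GROUPS[a.department]
        role_groups = ROLE_GROUPS.get((a.department, a.role))
        if role_groups is None:
            # Unpopulated section: grant nothing extra, ask the manager instead.
            res.gaps.append((a.department, a.role))
        else:
            res.groups |= role_groups
    return res

def plan_change(old, new):
    """Return (groups to add, groups to revoke) when assignments change."""
    before, after = resolve(old).groups, resolve(new).groups
    return after - before, before - after
```

Each entry in `gaps` corresponds to a section of the matrix for which the manager would be asked to supply the specific privileges.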