Role-Based Access Control (RBAC) is an oft-used term in identity and access management for organizations whose leadership wants to assign and manage all access privileges across the network in a structured way. As the name implies, this structure is determined by employees’ job roles and responsibilities. These organizations face several pitfalls when manually provisioning access rights. One method IT service teams might use to assign rights is creating a copy of a colleague’s account, known as a “template user”. However, this practice can be risky because new employees may be provided unwarranted access to business applications and systems.
RBAC is a method for setting up authorization management within an organization, which is also known as “access governance” (AG). With this AG method, authorizations are not assigned on an individual basis but are instead based on roles. Recorded in an AG matrix, the roles are designated according to an employee’s department, position, location, cost center, and other potential factors within the organization. These attributes determine each user’s authorizations to IT resources—hence, “role-based access control”.
RBAC, at its core, is a method of access security based on a person’s role within a business. Through RBAC, an employee’s position determines the permissions they are granted and ensures that lower-level employees are not able to access sensitive information or perform high-level tasks. The employee’s job determines the necessary systems they have access to. RBAC enforces security by restricting employees’ access to only the resources and data necessary for their role—no additional or irrelevant information is made available. In this way, RBAC acts like traditional notions of “security clearance”.
Organizations that utilize RBAC are better able to secure their sensitive data and critical applications.
What are the Benefits of RBAC?
Benefits of RBAC for restricting unnecessary network access based on people’s roles within an organization include:
- Increased Efficiency: RBAC can reduce paperwork and other processes related to employees changing positions and those that are newly hired. RBAC also can help organizations add and change roles, implementing these changes across network platforms, operating systems, and applications. Automating these processes cuts down on delays and data errors when user permissions are initially assigned or changed.
- Compliance Control: RBAC allows for better control of compliance efforts by managing appropriate data access and usage. Compliance efforts already require determining or limiting who has access to what and when based on their role in the organization. By using a defined matrix and automated processes, RBAC keeps identity and access management consistently in-line with compliance needs.
- Insight & Visibility: RBAC allows administrators and those with proper credentials to view information and ensure that only authorized users have permission to access certain areas of the system, only having what they need for their jobs.
- Data Leak Prevention: As with ensuring only those within the system can be there, RBAC reduces the potential for breaches or information leaks.
How is RBAC Structured?
As in all structured environments, RBAC contains some basic rules. First, a user must be assigned a particular role to conduct a specific action. Second, the specified roles must correlate to defined access rights for associated IT resources. Third, these authorizations allows a user to perform certain functions within these resources (e.g., “Read/Write” permissions). Users may not perform functions other than those that they are authorized for.
Access is controlled through roles that users are given. In practice, each role acts as a set of permissions. Based on pre-defined configurations, a user’s role determines what permissions the employee is granted. The roles depend on criteria such as department, function, location, and other relevant attributes associated with an employee’s job responsibilities.
How do You Create an RBAC Table?
For most employees, access rights on the organizational level (logging in, word processing, e-mail) and the departmental level (access to the departmental shares and applications) may immediately be assigned. To do so, determine the top 50 combinations of departments and functions for active employees. The HR system usually is an excellent source for determining these combinations to help create a role model.
For example, a hospital has a surgery department that includes the functional role of “nurse”. The organizational roles for this hospital are created based on the function and department, found in the HR system. These are “nurse” and “surgery nurse,” respectively. After “nurse” and “surgery” are defined, a nurse in the surgery department automatically is identified as “nurse + surgery” within the matrix. The employee then gets assigned both the permissions for nurses (regardless of department) and the permissions for all roles within the surgery department.
This method can quickly populate more than 80 percent of the RBAC table. A benefit of this approach is that newly hired employees can start working on their first day with the majority of their role’s permissions. Other assignments of specific rights can be applied on an application and system level later, ideally via a self-service platform. A subsequent step is to translate these organizational roles into application or system roles, making up the remaining 20 percent of the RBAC table. In this case, assignment of application and system roles is handled by an employee’s relevant manager or by submitting an access request that must be approved.
Managers are responsible for the access rights of the employees they manage. The relevant manager is prompted by e-mail or other notification to specify the access rights and applications for each employee concerned. The RBAC software subsequently records the manager’s choices to populate the empty sections of the RBAC table further to achieve a fully populated table. The manager handles all the translations of roles within his or her department.
Who’s Responsible for RBAC?
Responsibility for the provisioning network access according to RBAC traditionally lies within IT. Some provisions can be automated through identity management software, the advantage of which is the speed and consistency with which it’s done. Tools4ever can create initial RBAC matrices via a process known as “role mining” that quickly determines an organization’s roles and existing access rights. Role-mining followed by reviews and fine-tuned configuration helps organizations achieve better Segregation of Duties (SOD) by accounting for certain forbidden access rights that arise from combinations of roles and departments that are known to threaten compliance efforts.
It is possible to collect records via department, location, and function in a descending manner—down to the individual employee. The top layer (organization and location) includes access rights that apply to all employees. Some organizations only populate the RBAC table to the department and function level with other details handled on an ad hoc basis via self-service processes. These processes provide managers with the means to easily assign permissions to a given user or group preemptively or for user’s to request access themselves. The request routes directly to the appropriate manager or “resource owner” who must approve the access before it is granted.
By continuously consulting data, managers receive the most up-to-date information for populating dashboards with function, department, location, and increasingly granular attributes for each employee.
How Complex is RBAC Implementation?
RBAC implementations are not necessarily complicated. This remains especially true when automating the assignment of access rights on an organizational and departmental level (through the HR system) by focusing on the most common combinations of functions and departments. When necessary different physical locations may be added easily as well.
While the process may seem complicated, utilizing a project roadmap makes success easier than it initially appears. For additional information, click here to watch Tools4ever’s video on RBAC.