
What is RBAC?

The Basics of Role Based Access Control

What is Role Based Access Control (RBAC)?

In identity and access management, role-based access control (RBAC) is a term often used by organizations whose leadership wants to manage and assign all access privileges across the network in a structured way. As the name implies, this structure is determined by employees’ job roles and responsibilities. These organizations face several pitfalls when manually assigning and revoking access rights. One method IT service teams might use to assign rights is creating a copy of a colleague’s account, known as a “template user.” However, this practice can be risky because new employees may be provided unwarranted access to business applications and systems.

RBAC (also known as access governance) is a method for setting up authorization management within an organization. With this method, authorizations are not assigned on an individual basis but based on RBAC roles. Recorded in the RBAC matrix, the roles are designated according to an employee's department, position, location, cost center, and possibly other factors within the organization. For a more detailed explanation, you can refer to our whitepaper, “How does Role-Based Access Control Work.”

RBAC, at its core, is a method of access security based on a person's role within a business. Through RBAC, an employee's position determines the permissions they are granted and ensures that lower-level employees are not able to access sensitive information or perform high-level tasks. The employee’s job determines their necessary systems access. RBAC enforces security by restricting employees’ access to only the resources and data necessary for their role – no additional or irrelevant information is made available. In this way, RBAC acts like traditional notions of “security clearance”.

In role-based access control, several factors determine roles, including authorization, responsibility, and job competency. Organizational leaders decide if someone is an end user, an administrator, or an outside third party, such as a contractor. In addition, access to computer resources can be limited to specific tasks, such as the ability to view, create, or modify files.

Organizations that utilize RBAC are better able to secure their sensitive data and critical applications.

What are the benefits of RBAC?

Benefits of RBAC for restricting unnecessary network access based on people's roles within an organization include:

  • Efficiency. RBAC can reduce paperwork and other processes related to newly hired employees and employees changing positions. RBAC can also help organizations add and change roles and implement these changes across network platforms, operating systems, and applications. Automating these changes cuts down on errors when user permissions are assigned or changed.
  • Compliance control. RBAC allows for better control of compliance by managing appropriate data access and usage. Compliance control can include determining or limiting who has access to what and when based on their role in the organization.
  • Visibility into information. RBAC allows administrators and those with proper credentials to view information and ensure that only authorized users have permission to access certain areas of the system, and that they have only what they need for their jobs.
  • Stops data leaks. By ensuring that only authorized users are in the system, RBAC reduces the potential for breaches or information leaks.

How is RBAC structured?

As in all structured environments, RBAC contains some basic rules. First, a user must be assigned a particular role to conduct a specific action. Second, a user must possess authorization to hold a specific role. Third, authorization allows a user to perform certain functions within the information system. The function must be allowed to occur through the role of the user. Users may not perform functions other than those that they are authorized for.

Access is controlled through roles that users are given – essentially, a set of permissions. Based on pre-defined configurations, a user’s role determines what permissions the employee is granted. The roles depend on criteria such as department, function, location, and cost center associated with an employee.

How do you create an RBAC table?

For most employees, access rights on the organizational level (logging in, word processing, e-mail) and the departmental level (access to the departmental shares and applications) may immediately be assigned. To do so, determine the top 50 combinations of departments and functions for active employees. The HR system usually is an excellent source for determining these combinations to help create a role model. For example, a hospital has a surgery department that includes the functional role of “nurse.” The organizational roles are created based on the function, department, and location found in the HR system. These are “nurse” and “surgery nurse,” respectively. After “nurse” and “surgery” are defined, a nurse in the surgery department automatically is identified as “nurse + surgery” and assigned to the stacked roles.

This method can quickly populate more than 80 percent of the RBAC table. A benefit of this approach is that newly hired employees can start working on their first day with the majority of their role’s permissions. Other assignments of specific rights can be applied on an application and system level later. A subsequent step is to translate these organizational roles into application or system roles, making up the remaining 20 percent of the RBAC table. In this case, assignment of system roles is handled by an employee’s relevant manager – known as “detailed authorizations.”

Managers are responsible for the access rights of the employees they manage. The relevant manager is prompted by e-mail or other notification to specify the access rights and applications for each employee concerned. The RBAC software subsequently records the manager's choices to fill in the remaining empty sections of the RBAC table until it is fully populated. The manager handles all the translations of roles within his or her department.
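The table-building procedure above, as an added example that is not Tools4ever's code: it ranks department/function combinations from a constructed HR export, stacks organization, department and function rights for the top combinations, and queues everyone else for the manager's detailed authorizations. All names, rights and records are hypothetical, and giving unmodelled employees only the organization-level rights until a manager responds is an assumption of this sketch.

```python
from collections import Counter

# Constructed HR export: (employee, department, function). Not real data.
HR = [
    ("ann", "surgery", "nurse"), ("bob", "surgery", "nurse"),
    ("fay", "surgery", "nurse"), ("dee", "radiology", "nurse"),
    ("hal", "radiology", "nurse"), ("cy", "surgery", "surgeon"),
    ("eli", "finance", "controller"), ("gus", "radiology", "technician"),
]

# Hypothetical rights attached to each layer of the stacked roles.
ORG_RIGHTS = {"login", "email", "word-processing"}
DEPT_RIGHTS = {"surgery": {"share:surgery"}, "radiology": {"share:radiology"},
               "finance": {"share:finance"}}
FUNC_RIGHTS = {"nurse": {"app:care-records"}}


def top_combinations(hr, n):
    """Return the n most common (department, function) pairs."""
    counts = Counter((dept, func) for _, dept, func in hr)
    return [combo for combo, _ in counts.most_common(n)]


def build_table(hr, n):
    """RBAC table: each modelled combination maps to its stacked rights."""
    return {
        (dept, func): ORG_RIGHTS | DEPT_RIGHTS.get(dept, set())
        | FUNC_RIGHTS.get(func, set())
        for dept, func in top_combinations(hr, n)
    }


def provision(hr, table):
    """Grant rights from the table; list employees needing manager input."""
    granted, pending = {}, []
    for emp, dept, func in hr:
        if (dept, func) in table:
            granted[emp] = table[(dept, func)]
        else:
            granted[emp] = set(ORG_RIGHTS)  # assumption: baseline only
            pending.append(emp)
    return granted, pending


def coverage(hr, table):
    """Fraction of employees whose combination the table already covers."""
    return sum((d, f) in table for _, d, f in hr) / len(hr)
```

Raising `n` trades modelling effort for coverage; the `pending` list is what the manager notification workflow would consume.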

Where does responsibility for RBAC originate?

Responsibility for the provision of RBAC network access lies within IT. Some provisions can be automated through identity management software, the advantage of which is the speed with which it’s done. Tools4ever can create initial RBAC standards quickly compared to other solutions, and customers can achieve segregation of duties by refusing certain access rights in cases of forbidden combinations of roles and departments.
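An added example, not Tools4ever's code, that ties the three rules from “How is RBAC structured?” to the forbidden-combination refusal described above: a role is granted only if the user may hold it, and an action succeeds only through an assigned role that allows it. Role, permission and department names are hypothetical, and the check for conflicting role pairs goes one step beyond the role/department combinations the page mentions.

```python
# Hypothetical roles, permissions and departments, constructed for illustration.
ROLE_PERMISSIONS = {
    "employee": {"email:use"},
    "ap-clerk": {"invoice:create"},
    "ap-approver": {"invoice:approve"},
    "sysadmin": {"server:configure"},
}
# Forbidden (role, department) combinations, as described on the page.
FORBIDDEN_ROLE_DEPT = {("sysadmin", "finance"), ("ap-approver", "it")}
# Roles one person may not hold together (generalization beyond the page).
FORBIDDEN_ROLE_PAIRS = {frozenset({"ap-clerk", "ap-approver"})}


class RBAC:
    def __init__(self):
        self.department = {}   # user -> department
        self.roles = {}        # user -> set of assigned roles

    def add_user(self, user, department):
        self.department[user] = department
        self.roles[user] = set()

    def assign(self, user, role):
        """Rule 2: a role is granted only if the user may hold it."""
        if role not in ROLE_PERMISSIONS:
            return False, "unknown role"
        if (role, self.department[user]) in FORBIDDEN_ROLE_DEPT:
            return False, "role forbidden for department"
        for held in self.roles[user]:
            if frozenset({held, role}) in FORBIDDEN_ROLE_PAIRS:
                return False, f"conflicts with {held}"
        self.roles[user].add(role)
        return True, "granted"

    def can(self, user, permission):
        """Rules 1 and 3: act only through an assigned role that allows it."""
        return any(permission in ROLE_PERMISSIONS[r]
                   for r in self.roles.get(user, ()))


def demo():
    """Assign four roles to one finance user and return the decisions."""
    rbac = RBAC()
    rbac.add_user("ann", "finance")
    results = [rbac.assign("ann", r)
               for r in ("employee", "ap-clerk", "ap-approver", "sysadmin")]
    return rbac, results
```

Unknown users and permissions not reachable through an assigned role are denied by default, which is the behaviour the third rule requires.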

It is possible to collect records via department, location, and function in a descending manner – down to the individual employee. The top layer (organization and location) includes access rights that apply to all employees. Some organizations only populate the RBAC table to the department and function level with other details handled on an ad hoc basis, through a workflow.

By continuously consulting data, managers receive the most up-to-date information for populating dashboards with function, department, location, and cost center for each employee.

Is RBAC implementation complex?

RBAC implementations are not necessarily complicated. This remains especially true when automating the assignment of access rights on an organizational and departmental level (through the HR system) by focusing on the top 50 combinations of functions and departments.

While the process may seem complicated, utilizing a project roadmap makes success easier than it initially appears. For additional information, see Tools4ever's video on RBAC.