Role Based Access Control (RBAC)
July 22, 2008
Assigning access rights directly to users quickly becomes unwieldy: control is lost and administrative overhead grows, which holds organisations back.
This post will help you make sense of RBAC, in which business Roles (not just IT Groups) are used to give the organisation access agility in a dynamic business environment.
Definition
- Employees are assigned business Roles through which they inherit their privileges e.g. Client Services, Finance Officer, HR Officer, Manager etc.
Business Case
- Security Efficiency
  - Reduced role/group/permission administration, e.g. adding/changing/removing starter/mover/leaver access rights
- Security Effectiveness
  - Enforcement of control through Segregation of Duties and the Principle of Least Privilege
- Business Enablement
  - A flexible and agile approach to business change, including merger and acquisition activities and reorganisations
Process
- Role Creation – Engage the business to develop a set of roles and access rights
  - Top Down: Analysis of organisation structure and operating model
  - Bottom Up: Analysis of current access rights, groups and roles
- Role Engineering – Compare and consolidate business Roles
  - Balance the number of roles against the appropriateness of access rights
  - Establish segregation of duties rules
- Role Review – Recertification of accounts and access rights
  - Roles (initially and then periodically)
  - Exceptions (regularly)
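The Definition and Process sections above describe a model that is easy to make concrete. The following is an added example (not code from the original post): a small RBAC model in which users hold permissions only through roles, a static segregation-of-duties rule is enforced when roles are assigned, and a recertification report supports the periodic role review step. Every role, user, permission and usage record below is constructed for illustration; the starter/mover/leaver sequence in run_demo() shows why role-based assignment cuts administration compared with granting rights per user.

```python
"""Minimal RBAC model: users inherit permissions only through roles,
segregation-of-duties (SoD) rules are enforced at assignment time, and a
recertification report feeds the periodic role review.
Added example; all names below are constructed, not from the original post."""
from dataclasses import dataclass, field


class SoDViolation(Exception):
    """Raised when a role assignment would breach a segregation-of-duties rule."""


@dataclass
class RBAC:
    role_permissions: dict = field(default_factory=dict)  # role -> {permission}
    user_roles: dict = field(default_factory=dict)        # user -> {role}; no direct grants
    sod_rules: set = field(default_factory=set)           # {frozenset({role_a, role_b})}
    rejected: list = field(default_factory=list)          # audit trail of refused assignments

    def define_role(self, role, permissions):
        self.role_permissions[role] = set(permissions)

    def add_sod_rule(self, role_a, role_b):
        """Static SoD: no single user may hold both roles at the same time."""
        self.sod_rules.add(frozenset((role_a, role_b)))

    def assign(self, user, role):
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}")
        held = self.user_roles.setdefault(user, set())
        for other in held:
            if frozenset((role, other)) in self.sod_rules:
                self.rejected.append((user, role, other))
                raise SoDViolation(f"{user}: {role} conflicts with {other}")
        held.add(role)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def remove_user(self, user):
        """Leaver: dropping the account removes every inherited right at once."""
        self.user_roles.pop(user, None)

    def permissions(self, user):
        roles = self.user_roles.get(user, set())
        return set().union(*(self.role_permissions[r] for r in roles))

    def can(self, user, permission):
        return permission in self.permissions(user)

    def recertify(self, observed_use):
        """Role review input: roles nobody holds, accounts with no roles, and
        permissions a user holds but never exercised (least-privilege gaps).
        observed_use maps user -> set of permissions actually used in the period."""
        members = {r: 0 for r in self.role_permissions}
        for roles in self.user_roles.values():
            for r in roles:
                members[r] += 1
        unexercised = {u: sorted(self.permissions(u) - observed_use.get(u, set()))
                       for u in sorted(self.user_roles)}
        return {
            "unused_roles": sorted(r for r, n in members.items() if n == 0),
            "roleless_users": sorted(u for u, rs in self.user_roles.items() if not rs),
            "unexercised": {u: p for u, p in unexercised.items() if p},
        }


def build_demo():
    """Constructed sample organisation (roles and users are made up)."""
    rbac = RBAC()
    rbac.define_role("Client Services", {"crm:read", "crm:update"})
    rbac.define_role("Finance Officer", {"ledger:read", "ledger:post"})
    rbac.define_role("Finance Approver", {"ledger:read", "ledger:approve"})
    rbac.define_role("HR Officer", {"hr:read", "hr:update"})
    rbac.define_role("Manager", {"crm:read", "ledger:read", "hr:read"})
    # Whoever posts a ledger entry must never be the one who approves it.
    rbac.add_sod_rule("Finance Officer", "Finance Approver")
    rbac.assign("alice", "Finance Officer")
    rbac.assign("bob", "Finance Approver")
    rbac.assign("carol", "Client Services")
    rbac.assign("dave", "Manager")
    return rbac


def run_demo():
    rbac = build_demo()
    results = {}
    results["alice_can_post"] = rbac.can("alice", "ledger:post")   # starter: rights via role
    try:                                                            # SoD refused and logged
        rbac.assign("alice", "Finance Approver")
        results["sod_enforced"] = False
    except SoDViolation:
        results["sod_enforced"] = True
    results["rejected"] = list(rbac.rejected)
    rbac.revoke("carol", "Client Services")                         # mover: old role goes,
    rbac.assign("carol", "HR Officer")                              # new role arrives
    results["carol_can_update_crm"] = rbac.can("carol", "crm:update")
    results["carol_can_update_hr"] = rbac.can("carol", "hr:update")
    rbac.remove_user("bob")                                         # leaver
    results["bob_can_approve"] = rbac.can("bob", "ledger:approve")
    observed = {"alice": {"ledger:read", "ledger:post"},            # constructed usage data
                "carol": {"hr:read", "hr:update"},
                "dave": {"crm:read", "hr:read"}}
    results["review"] = rbac.recertify(observed)
    return results


if __name__ == "__main__":
    from pprint import pprint
    pprint(run_demo())
```

The review output flags two roles with no members after the leaver and mover events, and shows that the constructed "Manager" user holds ledger:read without ever using it, which is exactly the kind of exception the Role Review step is meant to surface.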
Diagrams
RBAC – No Integration (diagram)
- Usernames and Passwords are defined in the Application and not a Directory
- Roles/Groups and Permissions are defined in the Application and not a Directory
RBAC – Synchronisation (diagram)
- Usernames and Passwords are defined in the Application and not a Directory
- Usernames and Passwords are never current due to the synchronisation delay
- Roles/Groups and Permissions are defined in the Application and not a Directory
RBAC – Authentication (diagram)
- Usernames and Passwords are defined in a Directory and not the Application
- Roles/Groups and Permissions are defined in the Application and not a Directory
RBAC – Authentication & Authorisation (diagram)
More Info
- NIST RBAC (Standard) - http://csrc.nist.gov/groups/SNS/rbac/
- Open Authentication (Architecture) - http://www.openauthentication.org/
- BHOLD Solution Suite (Solution) - http://www.bholdcompany.com/
- Courion Role Courier (Solution) - http://www.courion.com/
Posted by awrobinson
Filed in Identity Management
Tags: Access Control, authentication, Authorisation, Information Security, RBAC, Role Based Access Control
August 1, 2008 at 4:57 pm
[...] More Info: US National Institute of Standard and Technology (NIST) and blog post on Role Based Access Control [...]
May 20, 2009 at 11:49 pm
[...] Role Based Access Control (RBAC) [...]