News
Blogs
Shark Bait
Knowledge Centers
Opinion
Webcasts
Video
Podcasts
IT Careers
White Papers
Computerworld Reports
Zones
Case Study Library
RSS Feeds
Events
Industry
This Week in Print
Print Subscriptions


Ads by TechWords

See your link here


Enterprise Innovation's picture
Enterprise Innovation

Encouraging innovation within the enterprise

More posts | Read bio

October 13, 2009 - 3:01 P.M.

Role based access control, or RBAC 101

6 comments

By Eric Rosenzweig

Role based access control, more commonly referred to as RBAC (r – back), is a functional enhancement to identity management solutions. I call it an enhancement because we're not reinventing the wheel with RBAC, just making identity management better, more efficient. The main components of an identity management solution are still present and used with RBAC, like user ID's, applications, and specific resource entitlements. It's just that RBAC introduces a new layer of structure and association between the ID's and the resource entitlements. The end result of that new layer is that the access requirements are easier to understand for everyone involved, from the business person who requests system access, to the manager who certifies that the access is appropriate, and to the tech support person who configures the access permissions.

So, what's this new layer introduced with RBAC? The roles! Almost every company is using some form of roles. It's just that they're probably not utilizing that information when they're managing identities and access rights. Generally, people are already grouped and identified within their companies by job titles/codes. For example, there could be account managers, account executives, sales managers, operations managers, payroll administrators, etc. The idea is that the users classified as payroll administrators should essentially be performing the same, or very similar, job tasks. Therefore, their system access requirements should also be the same.

Based off of that premise, using RBAC principles, a functional or business role would be created for the payroll administrator. The specific entitlements that a payroll administrator routinely uses would be grouped into Resource or IT roles based upon the system platform or application. This simplifies the access request for the new payroll administrator. Instead of that user having to know that they need x, y, and z from the HR system, a, b, and c from the IBM mainframe, and belong to 3 different Active Directory groups, all they have to do is request the "Payroll Administrator" role. That's it from the end user's perspective, easy. Behind the User Interface, the Payroll Administrator role is mapped to one or more Resource roles which have combined all of those fine grained entitlement details into easy to handle groupings. Provisioning of that access request can still be executed the way your current identity management solution handles it. Like I said, the components of your existing identity management solution are still needed, and can still be used.

In addition to the increased ease that RBAC provides to the end user selecting access, it also greatly simplifies access certification or governance. Your company should already be doing periodic reviews of user access to ensure that people have the access they need, not the access they've collected over the years or through job transfers. Unfortunately, the person or group responsible for that review, often times, is looking at highly technical entitlement descriptions. They don't understand what they are reviewing, especially if they are outside the technology department. Here's where using RBAC also tremendously helps that person out, by asking them to certify what they recognize and are qualified to review. They should be able to understand, and signoff on the fact, that John Doe is a Payroll Administrator and also a member of the Payroll Administrator functional role. Once again, that's it, no need for the reviewer to understand, or worse yet, blindly signoff on, what something like "boe_proll_p_read" means, anymore.

As you can see, the benefits of using RBAC within your organization are a much more efficient end user experience, greater consistency in the access that the users have, and the ability to quickly and accurately certify that the access your users have is correct. All of that adds up to less time wasted trying to get an employee the access needed to do their job and less risk of an employee having too much, or incorrect access.

How have you seen RBAC described or used? Have you found other major benefits to having RBAC used within your organization?

 

Eric Rosenzweig is a Consultantwith Solstice Consulting, based out of Chicago. Eric has over 7 years of experience delivering IT solutions. He specializes in information security, identity management, and RBAC.

What People Are Saying

Add new comment

RBAC Realities

Submitted by Coby Royer on October 22, 2009 - 7:23 P.M.

Great blog post. RBAC is important but it's not easy. Even after role engineering and a good RBAC deployment, this is complicated by changing organizations, mergers/acquisitions, and Swiss Army Knife apps with lots of functions that span roles. I've seen some interesting attempts in the field--in one case, file server access had roles named folder_rwx, folder_r, etc with the permissions you can guess from the names. The challenge is to bring this "up a level" and think about the nature of a role in terms of business function and not access control minutiae. And use a system that also provides RULE based access control when roles fall short.

Reply | Report this comment

Not as easy as it sounds

Submitted by Robbie Forkish on October 15, 2009 - 12:39 P.M.

Thanks for a great post on an important topic.

Customers I've spoken to report how difficult RBAC is to deploy, and much more difficult it is to maintain, especially in dynamic organizations. Bruce Schneier stated in a recent article (http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1365957_mem1,00.html) that "In the end, a perfect access control system just isn't possible; organizations are simply too chaotic for it to work."

A team of researchers from Dartmouth performed a field study on this topic which I report on in my blog article http://www.cloud-compliance.com/blog/bid/27064/Field-Study-Entitlements-Privileges-and-Information-Risk. One of the points they make: as more organizations take on a matrix structure, it becomes less evident who reports to whom and who is responsible for permitting and terminating data access.

RBAC provides many benefits if properly implemented, but it's not for everyone and the effort required to deploy and maintain RBAC is significant and must be included in the business case justification.

Reply | Report this comment

RBAC not so easily defined in small companies

Submitted by scn095 on October 14, 2009 - 3:34 P.M.

Roles are not as easily defined in small companies as they are in large companies.

For example, both of the people in our Accounting department do A.P. as well as A.R., but one of them also assists in locking of loan interest rates while the other also orders some (but not all) appraisal reports.
Neither of them need the same level of access to the resources that the primary people in those roles have.

We would have almost as many roles as we do employees.
Obviously implementations of RBAC in small organizations exist, but setup isn't as cut-and-dry as this article seems to imply.

Reply | Report this comment

RBAC can be really hard to

Submitted by Anonymous on October 14, 2009 - 10:40 A.M.

RBAC can be really hard to deploy unless you've already got a near-perfect handle on exactly what your users do. Everyone thinks they do, but few actually do...

Reply | Report this comment

RBAC

Submitted by Salvatore D'Agostino on October 14, 2009 - 7:45 A.M.

One place where it has been used extensively for years is in physical access control where the concept of door groups has helped with authorization administration. RBAC is a key to the convergence of logical and physical security. Also look to the NIST web site, http://csrc.nist.gov/groups/SNS/rbac for some excellent information on the topic. RBAC is the only real way to deal with scale and federation and as these become more a part of the everyday IT fabric so will the use of roles. Thanks for raising the visibility.

Reply | Report this comment

Good straightforward

Submitted by DB on October 13, 2009 - 5:02 P.M.

Good straightforward explanation of the benefits of RBAC. It's amazing how much time and effort the proper implementation of RBAC saves an organization, and also how baffling it is when an organization doesn't use an RBAC solution they have.

I'm also curious to know from people: what are the best RBAC solutions you've used?

Reply | Report this comment

Related Posts

Beware of your (cubicle) neighbor
CIO: Clunky security biggest bugaboo in 2010
IObit accused of stealing from Malwarebytes
Google Chrome add-in for IE: Speed demon or big, fat security hole?

Today's Top Stories

Google's Chrome OS hits BitTorrent
Free Web apps to help organize your holidays
Global warming research exposed after hack
iPhone owners demand to see Apple source code
Some Nook e-readers won't make it for the holidays
Mike Elgan: Four things you need to know about Apple
About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map
CIO Computerworld CSO DEMO GamePro Games.net IDC IDG IDG Connect IDG Knowledge Hub IDG TechNetwork IDG Ventures
IDG.net InfoWorld ITwhitepapers ITworld JavaWorld LinuxWorld Macworld Network World PC World The Industry Standard
Copyright © 1994 - 2009 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of
Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.