Role-based Access Control (RBAC)
Why use Role Based Access Control?
Role Based Access Control (RBAC) is best suited for course-grained authorization. This is oftern used for many of the assets in an organization that should be securerd but are not highly sensitive, are not considered a core asset and do not pose a compliance risk. They generally have to be accessed by many people or only by members of a specific department. There may even be highly sensitive assets but those that require access to them can be grouped into roles and do not have strict requirements on where, when, how or why they can access them.
You don’t need the flexibility of Attribute-based Access Control (ABAC), or Policy Based Access Control (PBAC) as it’s also known, role based access will suffice. If, however, authorization requirements become more complex with many conditions and objects, you have to look beyond RBAC and implement dynamic authorization.
What is a role in Role Based Access Control (RBAC)?
An RBAC role is a selection of permissions that determine the access a user is granted based on their duties in an organization. In its simplest form, it can be connected to a role, a department a region, etc. Role based access enables role subsets to be created when, for instance, different people within the same employer roles need to access different information.
The intuitive RBAC Model
The RBAC model is simple and intuitive at a base level. Let’s consider a corporate accounting department in the UK with the roles of Clerks, Accountants, and Account Managers. Three roles, that can access different types and levels of data. Using RBAC Access Control, this would mean:
- UK Clerks – can view level 1 UK data
- UK Accountants – can views and edit level 1 and 2 UK data
- UK Account Managers – can view, edit and approve level 1, 2 and 3 UK data.
Role requirements expand quickly when using RBAC. Continuing with our example, for every country with a corporate accounting department, we will have the same situation. If it’s 20 countries we will have 60 roles.
If the US office is the headquarters they may need access to all country data as well as the US, therefore we need to create new roles:
- US Clerks – can view level 1 data in all countries
- US Accountants – can view and edit level 1 and 2 data in all countries
- US Account Managers – can view, edit and approve level 1,2 and 3 data in all countries
So far so good. If…
If level 1 data includes employee corporate card expenditure. Department Managers will need to sign-off on their employees’ transactions. If there are 20 departments in each country with corporate cards. 20 individual roles per country have to be created to authorize this action.
- Department Manager X – can view and approve department X’s corporate card transactions
- Department Manager Y – can view and approve department Y’s corporate card transactions
That’s 20 x 20 new roles. 400. It’s easy to see how the number of roles can quickly expand and get out of control, resulting in role explosion.
As the number of roles grows exponentially in an organization when using Role-Based Access Control it’s not uncommon to experience Segregation of Duty (SOD) failures resulting in toxic combinations. In such a case, Department Managers, for instance, may be able to approve their own corporate card transactions.
Combining RBAC and ABAC
With many companies utilizing RBAC in some form, combining it with ABAC can provide the optimal solution for database security. Role Based Access Control can handle the course-grained authorization, where roles can be directly linked to data and purpose of use. For more fine-grained requirements, Attribute Based Access Control can be used. When applied, this hybrid solution will provide a much more dynamic approach, based on corporate policies.
- Department Manager X can view and approve department X’s corporate card transactions, except their own, which must be approved by a Senior Manager.
- US Clerks can view level 1 data, during office hours, in all countries except GDPR related content from EU countries.
Key considerations for implementing RBAC
If you are thinking of implementing Role Based Access Control and don’t require a dynamic approach, RBAC is ideal as long as you remain aware that, as authorization complexities grow, you may need to evolve from RBAC to ABAC.
Analyze how much sensitive data you have and map who needs access to it and why. Some people want access to information even though they don’t need it. Many times, people have access to information that they don’t know about. A thorough analysis will enable you to clean up entitlements, start from scratch and get it right.
Involve those concerned
Don’t second guess who needs to access data, speak to the people that are involved, and assign role ownership to staff members. You may be surprised by what data employees need to access in their roles. Always double check with somebody else in the organization before assigning access rights – see Analyze.
Clean up your data as well as the entitlements. You may have sensitive data that you don’t require. Take the opportunity to remove it.
Use familiar roles when naming
You may be the person implementing RBAC but you won’t be the one auditing it, and you may not be updating it or overseeing a transition to ABAC later down the line. Make it intuitive where possible for administrators.
Test the roles to make sure there is no segregation of duty, toxic combinations or compliance issues. Also, to ensure people can get to the data the need to work, collaborate and innovate.
Authorization is a constantly moving target. New data is constantly being created, stored and shared. New roles are also being created and people are moving, joining and leaving the organization. Make sure you review entitlements regularly.
How to choose the right access control solution
No matter where your business critical assets are stored or how complex or distributed your architecture is, we can help you safeguard and securely share them. Our team’s experts can help you to define requirements and tailor Attribute Based Access Control products from our dynamic authorization suite to meet your needs.