Role Based Access Control (RBAC) is an advanced method for managing user access.
RBAC is best suited for organizations that have a mature Identity Governance and Administration (IGA) solution in place. The underpinnings of RBAC begin with tight integration between an organization’s HRIS system, its IGA solution, and end-user applications. Well-defined user management processes with well-maintained user data are vital pre-requisites to successful implementation because IGA and RBAC are rules-based systems, and those rules will not deliver the expected results if the underlying user data is bad: Garbage data goes in, garbage access comes out!
Best Practices for Role Based Access Control: Developing Business Roles and Technical Roles
Applications often use roles to delegate organizational tasks and/or rights to users, and each application has its own requirements for role management. As such, IGA solutions must be flexible in supporting the role concepts required by each application. The overarching objective is to store and manage as much of the role data centrally for ease of administration, to support audit and compliance, and provide a ‘single pane of glass’ to see what users have access to.
Organizations often struggle to implement RBAC, despite the fact that it makes managing access more understandable for the business and more manageable for IT staff. The typical challenges begin with data quality; however, providing thoughtful oversight to make hard decisions about process, data, standards, and priorities is also a major stumbling block. Without a decision-making body in place to prevent role proliferation and other value-destroying mistakes, most RBAC projects will succumb to the business’ worst instincts. With that in mind, we share some best practices below that should keep your RBAC program on track.
7 Best Practices for Role Based Access Control
1. Develop an RBAC Strategy
Creating a strategy begins with an assessment of where you are (data, process, policy, systems), defines your desired future state (automated provisioning of access through RBAC for a set of apps and systems), and identifies your gaps that must be addressed (data quality, process issues, different authentication/authorization models across systems). Identifying the issues up front allows them to be addressed head-on before the implementation begins. “Measure twice, assign roles once!”
2. Establish a Governance Structure
Organizations that are getting ready for RBAC need to make decisions about project priorities, establish standards, manage and support implementation, establish performance measures, and manage risk. The governance board should tie into the HR function to identify issues with data and process and prioritize remediation efforts.
3. Assign a User Lifecycle Owner
Organizations can find themselves at loggerheads when HR’s priorities do not align with IT’s priorities. When these misalignments occur, there needs to be a person (or persons) who can act as an escalation point to make decisions that are in the best interests of the organization as a whole. Note that the User Lifecycle Owner should participate in both the HR and RBAC governance boards.
4. Role Management
Determine who will own the business roles (e.g. application owner) and the technical roles. There needs to be a defined set of processes and policies around how often roles are re-evaluated, if and when they expire, and who maintains them.
5. Start with a Top–Down Role Analysis
During the RBAC design phase, discussions with business managers should be held in advance of building technical roles in order to document workers’ functional access and validate that each user in the role has the same core access. At this point, any unnecessary exceptions should be cleaned up which will allow the role mining tool to analyze access to identify candidate roles.
6. Conduct a Bottom-Up Role Analysis
Technical Roles are developed through role mining and analysis and are a “bottom-up” process, which means that the tool collects and evaluates the existing data to determine the technical roles for a set of users. Technical Roles are collections of permissions that allow execution of a particular business function to deliver business value.
Ultimately, the best results come from collaborating with business stakeholders to design a set of business roles (Top Down) and then reconciling them with the access reality uncovered by role mining (Bottom Up) in order to understand what access was overlooked or is not necessary.
7. Begin with a Pilot
We recommend selecting a small department or business function as a beta project to minimize implementation risk, deliver a quick win, and demonstrate the effectiveness of the RBAC model.
Business roles represent business tasks or job profiles within the organization, and they are not specific to one IT system, rather, they are an enterprise-wide concept. A worker is assigned to one or more business roles and these business roles are in turn related to technical roles that reflect all of the IT systems needed by that particular job function. In order to realize the promise of the RBAC framework, organizations must keep their attention at the enterprise level and look at the big picture. We cannot automate everything, but we can make significant progress in improving the end user experience while enhancing our security posture at the same time.
The challenge is that the business often insists on RBAC meeting 100 percent of access provisioning needs, which means that it frequently ends up looking past the benefits and pushing the program to diseconomies of scale. The number of roles explodes, they are no longer manageable, and we have squandered the benefits realized under the 80/20 model where we automated what made sense. They key is to focus on balance and hold the line on what delivers value versus what should be managed as an exception.
To learn more, watch our on-demand webinar Best Practices for Role Based Access Control (RBAC).
In this webinar, we share best practices that reduce delivery risk and allow you to deliver more value to the business. Click here to watch Identity Management: Role Based Access Control Best Practices.
Follow @Idenhaus on Twitter and subscribe to our biweekly newsletter.
By going to work quickly to solve the most challenging cybersecurity and identity management problems, Idenhaus takes the pain out of securing corporate information and assets for companies that aspire to maximize their potential in this digital age. Click here to contact us