This article serves as an introduction to understanding role-based access control and how it can benefit your organization. To learn more about how role-based access control improves business performance, watch our on-demand webinar: How to Effectively Use Role-Based Access Control in the Real World.
Understanding role-based access control: What is RBAC?
From an operational perspective, role-based access control is simply looking at access not by asking “What does the individual do themselves?”, but rather “What role are they playing for the organization?” In other words, what activities is that person doing on a day-to-day basis, and what access do they need in order to perform those functions? The goal is to have an access management framework that adjusts access as people move around the organization: they join the organization, they move between departments, and eventually they leave. Roles help you manage access when those transitions occur. Part of the problem businesses have is that the transition process can take days, and sometimes weeks, before a person is fully productive with all of the technology and tools the organization has acquired over time. Once a role is properly defined, when a person leaves that role and moves into a new one, the new role dynamically gives them everything they need to do their job on a day-to-day basis.
That’s the holy grail. That’s where everybody wants to be. When someone new is hired into a defined business role, most of the resources they need to do their job will already be allocated to them from network access to single sign-on. And that’s the objective of a role; it’s to say, “I know you’re coming in today as an accountant, therefore you’re going to get these ten things already assigned and provisioned to you so that you can start your job immediately.” That’s basically what role-based access control does for an organization.
How are roles different from groups?
A lot of people get roles and groups confused, primarily because both are used to classify things together. However, groups are organized around managing identities (objects and subjects), while roles are organized around managing access (permissions). Typically, groups are used in directories to control access to file shares, systems, and so forth. At a basic level, a group is a collection of users with a given set of permissions that have been assigned to that group. Groups are good for managing email distribution lists, but they don’t specifically define how or what you need access to in order to do your job. For example, I may have the role of an accountant, but I might also be a member of a group called “Company Party Distribution List for Friday Happy Hour”. Groups are used to organize users who need the same access together, whereas roles are used to determine what the identity can and cannot do in your IT environment.
One additional differentiator is that groups do not explicitly identify what access is granted by being a member of the group; it takes a thorough analysis to discern what access the group actually grants the user. Roles, on the other hand, are created based upon the permissions and rights they grant, whether directly or indirectly. Therefore, roles explicitly identify the permissions being granted, so there is accountability and traceability of the role request, the approval, and the granted permission.
A role is a collection of permissions, and a user inherits those permissions when they are assigned that role. Roles can also be enhanced/associated with attributes and be evaluated and granted/revoked according to policy. Another important characteristic is that true RBAC models can provide the concept of mutually exclusive roles, enforcing Segregation of Duties and other security policies. In contrast, groups are additive where a user’s access is simply the sum of the groups they are a member of.
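The distinctions above (roles as explicit permission sets, mutually exclusive roles that enforce Segregation of Duties, and access that follows a person through join, move and leave transitions) as a small Python model. This is an added example, not code from the article or from Idenhaus; the role names, permissions and conflict pair are constructed for illustration.

```python
"""Minimal RBAC model: roles are explicit permission sets, some roles are
mutually exclusive (Segregation of Duties), and access follows the role
through joiner/mover/leaver transitions. All names are constructed."""

# Each role explicitly lists the permissions it grants (constructed example).
ROLES = {
    "accountant":  {"erp:read-ledger", "erp:post-journal"},
    "ap-clerk":    {"erp:read-ledger", "erp:create-invoice"},
    "ap-approver": {"erp:read-ledger", "erp:approve-invoice"},
    "sales":       {"crm:read", "crm:write"},
}

# Pairs of roles that must never be held together (Segregation of Duties).
SOD_CONFLICTS = {frozenset({"ap-clerk", "ap-approver"})}


class SoDViolation(Exception):
    """Raised when an assignment would combine mutually exclusive roles."""


class User:
    def __init__(self, name: str):
        self.name = name
        self.roles: set[str] = set()


def assign_role(user: User, role: str) -> None:
    """Joiner: grant a role only if it does not conflict with roles already held."""
    if role not in ROLES:
        raise KeyError(f"unknown role: {role}")
    for held in user.roles:
        if frozenset({held, role}) in SOD_CONFLICTS:
            raise SoDViolation(f"{user.name}: {role} conflicts with {held}")
    user.roles.add(role)


def change_role(user: User, old: str, new: str) -> None:
    """Mover: revoke the old role, then grant the new one; access follows the role."""
    user.roles.discard(old)
    assign_role(user, new)


def offboard(user: User) -> None:
    """Leaver: removing all roles removes all role-derived access at once."""
    user.roles.clear()


def effective_permissions(user: User) -> set[str]:
    """Union of the permissions of every role the user holds."""
    return set().union(*(ROLES[r] for r in user.roles))


def role_members(users, role: str) -> list[str]:
    """Attestation view: audit who holds a role rather than each individual."""
    return sorted(u.name for u in users if role in u.roles)
```

Because the role catalogue is the single source of truth, a reviewer can attest a role's permissions once rather than inspecting every user, which is the audit benefit the article describes.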
What are some of the benefits of role-based access control?
The biggest one is the reduced time and effort it takes to allocate resources. The process becomes significantly easier to automate because you’re not waiting for the person to show up and manually request access. The user’s job function determines what access they will need, and the system automatically assigns the user to the proper roles, granting them the right access for their job.
One of the biggest benefits is the time to start, if you will: the time from when an employee starts to when they can actually be productive. The total time to onboard a user can be reduced many times over when using a role-based access model. The other benefit is that it gives the organization the ability to view, audit, and trace not only the role but, if you have the right procedures and policies in place, the process as well, and much more efficiently: instead of having to audit each individual, you can audit the role. You may only have to do a role attestation every six months, or once a year, depending on how the permissions for that role are managed by your policies. Roles carry on beyond the employee and are easier to audit.
The other thing is that once it’s in place, it’s easier to help organizations see and view where their resources are being allocated so that they can reorganize faster. Major reorganizations take time, as everybody knows, but for the most part, roles can actually help you transition resources from one organization to another fairly quickly in a merger/acquisition situation.
What are the common challenges that organizations face when implementing role-based access control for the first time?
Most people don’t want to admit this, but the first one is data quality. Organizations tend to find that they haven’t done a very good job of maintaining high-quality data around their resources, primarily their users, in terms of the attributes the HR system stores for a worker. Oftentimes, this is because the data that is important to HR is not the same data that is important to the IT organization. Where HR can tolerate latency and inconsistency, security systems cannot. Without accurate user data, organizations must spend a significant amount of effort on what’s called a “data cleanup” or “data reconciliation” process to improve the data that drives role assignment and thus access.
Once you’ve addressed data quality issues, connectivity into corporate systems can be challenging as well. As organizations try to automate their provisioning processes, they often learn that their vendors have not exposed the add, update, disable, and enable functions for a user account in their application, so integration with some applications can be a challenge.
Lastly, there is organizational resistance to the actual implementation of new policies and procedures. The process changes that impact how people work on a daily basis can create challenges because people often like to maintain access control within their team rather than ceding it to a central, role-based system.
What is one piece of advice you would give to someone who is in the operational role implementing role-based access control for the first time?
One piece of advice: don’t try to make everything fit into a role. Put another way, roles are not a silver bullet that solves all your access management problems. Role-based access control is a scalable framework for managing access that requires a significant amount of up-front analysis and configuration, and that investment must also drive business value. Ideally, roles are used to manage access to high-volume applications (lots of users), sensitive applications (user access audits), or business functions that have a high rate of turnover (lots of provisioning and de-provisioning). Attempting to manage access to every application or system without regard to cost vs. benefit will lead to role explosion and an unmanageable solution. It’s okay to allow certain applications to remain manually provisioned.
For further reading on understanding role-based access control:
- Part 1: Defining Roles for IAM – Begin at the Top!
- Part 2: Defining Roles for IAM – From the Bottom Up
- Which RBAC Approach Is Better: Top-Down or Bottom-Up?
If you’re interested in understanding role-based access control, watch our on-demand webinar: How to Effectively Use Role-Based Access Control in the Real World.
By going to work quickly to solve the most challenging cybersecurity and identity management problems, Idenhaus takes the pain out of securing corporate information and assets for companies that aspire to maximize their potential in this digital age.