Why Organizations Need an RBAC Security Model

In this post, we discuss why organizations implement role based access control (RBAC) from an operational perspective. For an overview of the RBAC security model, we recommend starting with Understanding Role Based Access Control (RBAC).

Why do organizations implement the RBAC security model?

(E.g. what problem does it solve, what value does it deliver)?

There are a number of reasons that organizations implement role based access control solutions. As organizations grow, managing access for each worker individually through a manual request and fulfillment process does not scale. It is not cost-effective and it requires too many IT administrators to support. Furthermore, the productivity hit for newly onboarded workers that can wait for weeks to get them fully provisioned in all their applications is another big money loser.

Aside from the costs, there are also security considerations. Manually provisioning user access is fraught with errors and administrators are prone to taking short cuts, such as copying the access of one user and giving it to another similar user. Using an RBAC security model, organizations can speed up provisioning by giving users access to the applications and systems that are needed for their functional role. In addition, the RBAC security model is also able to enforce security policies consistently and directly supports the “Three Pillars of Security”:

1. Least Privilege
   Users are granted no more privileges than are necessary to perform their job duties.
2. Segregation of Duties
   A user cannot perform related tasks where there is the potential for fraud or abuse of privilege. For example, the same user cannot submit and then approve their own expense reimbursement. These tasks would be assigned to mutually exclusive roles.
3. Data Abstraction
   A role can abstract permissions rather than assigning read, write, and execute permissions typically provided by an operating system.

RBAC is not a silver bullet that can solve all of an organization’s access control issues. It is one part of the overall solution that includes more sophisticated forms of access control to manage situations where sequences of operations need to be controlled.

Which department normally initiates RBAC? Why? 

(e.g. HR which owns most of the data and the processes, IT which owns the systems and integrations, potentially finance, which uses HR data, Application Owners (e.g. SAP platform, etc.)

Role based access control is typically initiated in the IT department; however, in some organizations with large ERP platforms, it is the platform owner who initiates an RBAC project. That said, the ability to assign any user to the correct role requires good data, and the data typically originates in the HR system. The challenge is that the data that HR needs to have at a high-quality level is not always the same as what the IT department needs.

RBAC projects should begin with a look under the hood to see what attributes are available for each user and how reliable those attributes are. For example, in some HR systems there may be a unique code for all workers holding a particular position, say Accountant I. In other HR systems, there is a unique code for each worker in a particular position. In the latter case, this makes it difficult to determine which users are in the Accountant I position. In this case, organizations will have to use several attributes (e.g. cost center, manager) to determine the functional role of the user so they can be assigned the right access (or, technical role).

Which departments are typically involved in an RBAC project?

A typical RBAC engagement will span IT operations, IT security, HR, ERP, and in some cases the Finance department as well. Other functional areas may participate depending on the importance of their system and their ability to integrate with the RBAC security model/solution.

Can organizations rely on the role mining capabilities of their RBAC solution, or is more required?

If not, how do they overcome the limitations of role mining?

The short answer to this question is “no”, organizations cannot rely solely on role mining to generate a complete, accurate set of roles. The reason for this is because users who have been at an organization for a period of time generally have acquired much more access than they really need to do their jobs. In addition, information about the user may not be accurate, causing the mining tool to lump users together in business roles that actually perform different functions.

The best solution is to start with a department or group and work with the managers in that area to validate that the access their users has is correct. Identify extra access, remove it, and once the users’ access has been cleaned up, run the role mining tool to identify roles.

To learn how organizations are effectively using role based access control in the real world, watch our on-demand webinar.

Join Idenhaus as we share lessons learned from Role Based Access Control (RBAC) implementations to help you keep your RBAC project on track.

Organizations undertake RBAC projects to provide a better, more scalable method to manage user access; however, they struggle with the analysis and implementation. In this webinar, you will learn how to balance managing the complexity of RBAC and delivering value to the business effectively.

Webinar Highlights:

• High-Level Overview of Role-Based Access Control
• Separating the Hype from Reality in RBAC projects
• Managing RBAC expectations in your organization
• Defining the right RBAC implementation strategy for your organization

Watch on-demand now!

Follow @Idenhaus on Twitter and subscribe to our biweekly newsletter.

By going to work quickly to solve the most challenging cybersecurity and identity management problems, Idenhaus takes the pain out of securing corporate information and assets for companies that aspire to maximize their potential in this digital age. Click here to contact us