Role-Based Access Control (RBAC)
Security is about defense in depth: multiple layers of controls protecting today's enterprise. A layer that is receiving a lot of attention these days is role-based access control (RBAC). Just as firewall systems let organizations defend the perimeter, RBAC solutions let them protect their sensitive assets at the core. Security professionals therefore need to understand RBAC and the solutions businesses can consider in this area.
As more mission-critical applications move online, businesses are challenged to provide access based on the user’s function within the organization. Businesses need to control access to applications and ensure that only authorized users get access to confidential information. Role-based access control (RBAC) is an efficient means of allowing disclosures to authorized users while preventing disclosures to unauthorized users.
Businesses must make reasonable efforts to use, disclose and request only the minimum amount of information needed to accomplish the intended purpose of the use, disclosure or request—especially where sensitive or otherwise confidential business or customer information is required.
When it comes to confidential business information, organizations must only disclose the minimum necessary information to accomplish an intended purpose. This disclosure must be based on job function. The business must determine who in the organization requires access to confidential information to do their job and exactly what type of information they may require. Specifically, the business must identify:
- Those people or classes of people, as appropriate, in its workforce who need access to confidential information to carry out their duties.
- For each person or class of people, the category or categories of confidential information to which access is required and any conditions appropriate to such access.
Businesses should evaluate their ability to configure their record systems to allow access only to certain fields and the practicality of organizing systems to allow this capacity.
Authentication and Access Control
Security is the ability to control access and protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction or loss.
Authentication is about who the user is: the ability to prove or validate the identity of a user or a transaction. Access control, also referred to as authorization, is about what an authenticated user can do and what the user can access. The objective of access control is to implement technical policies and procedures for the electronic information systems that hold business information, so that access is granted only to those people or software programs that have been given access rights.
Access control enables businesses to restrict individual access to resources, allowing access only by privileged entities with a business need to access it.
Types of Access Control
There are different types of access control mechanisms. These include:
- Role-based access control (RBAC).
- Discretionary access control (DAC).
- Mandatory access control (MAC), often also referred to as rule-based access control, since an administrator-defined policy rather than the resource owner decides access.
- Context-based access control.
Access-control solutions implemented by a business may be a combination of RBAC, DAC or MAC.
Role-based access control is also referred to as non-discretionary access control: a centrally administered set of controls determines how subjects and objects interact. The subject is the active entity that requests access to an object or to the data within it. The subject may be a program, a user or a process, and it accesses information to accomplish a task. The object is the passive entity that contains the information. An object may be a computer, a database, a field in a database table, a file or a directory.
Discretionary access control (DAC) restricts a subject's access to an object at the discretion of the object's owner. It is generally used to limit a user's access to a file: the owner of the file decides which other users may access it, typically by setting the file's permissions or access-control list.
Rule-based access control is a type of mandatory control: the administrator defines the rules, and users cannot change them. This model is very strict and is based on a security label system. Users are given a security clearance, such as confidential, secret or top secret, and data is classified at the same levels. The classification is stored in the security label of each resource, and security labels are attached to all objects, including files, directories and devices. A subject is allowed to access an object only when the subject's clearance is at or above the object's classification.
Context-based access control is based on the context of a transaction—not on the attributes of the initiator. The “external” factors might include time of day, location of the user or strength of user authentication.
Role-Based Access Control (RBAC)
Role-based access control (RBAC) is an alternative to traditional access-control models (e.g., discretionary or mandatory access-control policies) that permits the specification and enforcement of enterprise-specific security policies in a way that maps more naturally to an organization's structure and business activities. With RBAC, rather than attempting to map an organization's security policy to a relatively low-level set of technical controls (typically, access-control lists), each user is assigned to one or more predefined roles, each of which has been assigned the privileges needed to perform that role. In RBAC, a user is associated with roles, and roles are associated with permissions. A user has a permission only if the user holds an authorized role that is associated with that permission. An example of a role would be backup operator: the role carries exactly the permissions needed to run backups, and every user assigned to it receives those permissions and no others.
How Does It Work?
With RBAC, security is managed at a level that corresponds closely to the organization's structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. Security administration with RBAC consists of determining the operations that must be executed by people in particular jobs and assigning members of the workforce to the proper roles. Complexities such as mutually exclusive roles (roles that enforce separation of duties and must never be held by the same user) or role hierarchies are handled by the RBAC software, making security administration easier.
RBAC Solution Requirements
Any RBAC product solution must support requirements such as:
- Scalability: Wherever the RBAC solution is deployed, it must scale with the number of users, roles and protected resources without slowing down authorization decisions.
- Inheritance: Roles may be organized in a hierarchy in which sub-classes (specialized roles) inherit the authorizations of a general role. The RBAC solution must support this inheritance from general classes to sub-classes of roles, so that if the authorization granted to a general class changes, all sub-classes automatically receive that change.
- Multiple roles: The RBAC solution must allow one user to be assigned multiple roles simultaneously, so that the user can exercise the access rights of all of those roles.
- Types of access: Once access is provided to a specific resource, the RBAC solution must support a variety of activities that can be controlled to that resource. Examples of delineation of activities include viewing, creating, editing, signing, releasing, amending, copying and archiving resources.
- Auditing and logging: A business must be able to monitor users' activities and track access to specific resources, with enough detail to establish who accessed what, when, and under which role, and whether the request was allowed or denied.
- Systems administration: Large and distributed organizations may require more than one systems administrator. The RBAC solution must be capable of supporting multiple employees designated as administrators. Each administrator may be acting as a security manager
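The mechanics described in "How Does It Work?" and in the requirements list above (user to role to permission mapping, inheritance from a general role to its sub-classes, multiple roles per user, mutually exclusive roles, per-operation permissions on a resource, and an audit trail) can be shown in a small policy engine. The following Python is an added example written for this page; it is not code from the original article or from any RBAC product, and the role names, resources and actions in the sample policy are constructed assumptions.

```python
# Added example (not from the original article): a minimal RBAC policy engine
# showing user -> role -> permission mapping, role inheritance from a general
# role to its sub-classes, multiple roles per user, mutually exclusive roles,
# per-operation permissions on a resource, and an audit log of decisions.
# Role names, resources and actions below are illustrative assumptions.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    resource: str  # e.g. "customer_record"
    action: str    # e.g. "view", "edit", "sign"


@dataclass
class Role:
    name: str
    permissions: set = field(default_factory=set)
    parents: set = field(default_factory=set)  # general roles this role inherits from


class RBAC:
    def __init__(self):
        self.roles = {}         # role name -> Role
        self.user_roles = {}    # user -> set of directly assigned role names
        self.exclusive = set()  # frozenset({a, b}) pairs one user may not hold together
        self.audit_log = []     # (user, resource, action, decision) tuples

    def add_role(self, name, permissions=(), inherits=()):
        for parent in inherits:
            if parent not in self.roles:
                raise KeyError(f"unknown parent role {parent!r}")
        self.roles[name] = Role(name, set(permissions), set(inherits))

    def grant(self, role, resource, action):
        # Permissions are resolved at check time, so a change to a general
        # role is seen immediately by every sub-class role that inherits it.
        self.roles[role].permissions.add(Permission(resource, action))

    def declare_exclusive(self, role_a, role_b):
        self.exclusive.add(frozenset((role_a, role_b)))

    def assign(self, user, role):
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        held = self.user_roles.setdefault(user, set())
        for existing in held:
            if frozenset((existing, role)) in self.exclusive:
                raise ValueError(f"{user}: {role!r} is mutually exclusive with {existing!r}")
        held.add(role)

    def effective_roles(self, user):
        # Transitive closure: each assigned role plus every general role above it.
        seen, stack = set(), list(self.user_roles.get(user, ()))
        while stack:
            role = stack.pop()
            if role in seen:
                continue
            seen.add(role)
            stack.extend(self.roles[role].parents)
        return seen

    def permissions_for(self, user):
        return {p for r in self.effective_roles(user) for p in self.roles[r].permissions}

    def check(self, user, resource, action):
        # Default deny: unknown users, unknown resources and ungranted actions all fail.
        allowed = Permission(resource, action) in self.permissions_for(user)
        self.audit_log.append((user, resource, action, "ALLOW" if allowed else "DENY"))
        return allowed


def build_demo():
    """Constructed sample policy: a general 'staff' role, a 'clerk' sub-class,
    an 'auditor', and an 'approver' that may never be combined with 'clerk'."""
    rbac = RBAC()
    rbac.add_role("staff", {Permission("customer_record", "view")})
    rbac.add_role("clerk", {Permission("customer_record", "edit")}, inherits=("staff",))
    rbac.add_role("auditor", {Permission("audit_log", "view")})
    rbac.add_role("approver", {Permission("payment", "sign")})
    rbac.declare_exclusive("clerk", "approver")  # separation of duties
    rbac.assign("alice", "clerk")
    rbac.assign("alice", "auditor")  # one user holding several roles
    rbac.assign("bob", "approver")
    return rbac


def assignment_rejected(rbac, user, role):
    """True when assign() refuses the role because of a mutual-exclusion rule."""
    try:
        rbac.assign(user, role)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    rbac = build_demo()
    print(rbac.check("alice", "customer_record", "edit"))  # clerk's own permission
    print(rbac.check("alice", "customer_record", "view"))  # inherited from staff
    print(rbac.check("alice", "payment", "sign"))          # denied: not an approver
    print(assignment_rejected(rbac, "bob", "clerk"))       # approver + clerk conflict
    rbac.grant("staff", "customer_record", "copy")         # change the general role...
    print(rbac.check("alice", "customer_record", "copy"))  # ...and the clerk sub-class sees it
    for entry in rbac.audit_log:
        print(entry)
```

Two design choices matter in practice. Permissions are computed from the role graph at check time rather than copied into users, which is what makes a change to a general role propagate to its sub-classes automatically; and the mutual-exclusion check runs at assignment time, so a separation-of-duties violation is refused before the user ever holds both roles, instead of being discovered later in the audit log.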