Within any organization, as previous Packetlabs articles have highlighted, there are roles created for the execution of various job functions. As such, the permissions granted to any given user to perform particular operations are assigned by the specific role or function within the organization. Personnel (i.e. system users) are assigned to particular roles, and through those role duties, acquire the permissions compulsory to perform specific system functions.
Because users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of allocating appropriate roles to the user’s account; this simplifies common operations, such as resetting a password, or, in another instance, creating a new account. The model just described refers to the methodology known as Role-Based Access Control, colloquially known, in short, as RBAC.
Role Based System Security
In the realm of computer systems security, Role-Based Access Control (RBAC) is a process applied to restrict system access to only authorized users. Today, it is used by the majority of large businesses and enterprise organizations. Large businesses are those in excess of 500 employees, as indicated by Statistics Canada. Role-based access control can be implemented to enforce mandatory access control (MAC) or, alternatively, discretionary access control (DAC).
|Mandatory Access Control: A mandatory access control (MAC) policy is a computer systems security approach of assigning access rights based on regulations put in place by the central policy. |
Discretionary Access Control: Discretionary access control (DAC), like mandatory access control (MAC), also governs the ability of subjects to access objects, however, DAC also grants users the ability to make policy decisions and/or assign security attributes.
The Purpose of Role Based Access Controls
The workings of RBAC such as permissions, roles and role relationships make it very easy to perform user assignments. Made simple, a role is a grouping of permissions; from here roles may be assigned to any number of end users, depending on their individual function, within their organization.
In reality, Role Based Access Control can be used to simplify administration of security in large organizations with hundreds of users and thousands of permissions. While Role Based Access Control is different from MAC and DAC access control frameworks, RBAC is often used to administer these policies with relative ease.
Role Based Access Controls: The Three Rules
- Role assignment (Rule #1): A user can exercise permission only if that user has selected or been assigned a role.
- Role authorization (Rule #2): A users’ active role must be authorized for the subject. In combination with Rule #1, this rule ensures that users can take on only roles for which they have authorization.
- Permission authorization (Rule #3): A user can use permission only if the permission has authorization for the user’s active role. In combination with Rule #1 and Rule #2, this rule safeguards that users can only exercise only permissions for which they have authorization.
It is important to note that supplementary restrictions may also be applied, and roles can be combined in a hierarchy where higher-level roles incorporate permissions owned by subordinate roles.
Prevalence, Use and Accessibility
The use of Role Based Access Control to manage user permissions, within a system or web application, is widely accepted as a best practice. For large enterprises, the use of RBAC provides far-reaching benefits including reductions in employee downtime, more efficient provisioning, and a more-capable access control policy administration.
Role Based Access Control is very commonly applied in small and medium-sized organizations. Such organizations typically have modest workflows, a limited number of roles, and a simplistic hierarchy, making it possible to efficiently determine and describe user roles.
In a larger organization, with a diverse IT infrastructure and requirements that span dozens or hundreds of systems and applications, the use of Role Based Access Control to manage multifarious roles and assign sufficient role associations becomes tremendously complex without the hierarchical creation of roles and permission assignments. As a result of this increased complexity, though not a requirement, the careful use of naming conventions is suggested for groups in order to allow one to easily distinguish between roles, permissions and the associated users. In the table below, we’ve outlined a very basic idea of the use of conventions in the RBAC model.
|Role Based Access Control: Common Conventions |
User (U): A person or automated agent
Role (R): Job function or title which defines an authority level
Permissions (P): An approval of a mode of access to a resource
Session (S): A mapping involving S, R and/or P
Referencing the table above, the main associations one can infer upon are as follows:
- A user may have multiple roles.
- A role may have multiple users.
- A role may have many permissions.
- Permission may be assigned to multiple roles.
- An operation may be assigned to multiple permissions.
- Permission may be assigned to multiple operations.
Four Levels of Role-Based Access Control
According to the National Institute of Standards & Technology (NIST), Role Based Access Control (RBAC) can be applied on four core levels. Each of the subsequent levels builds on the properties of the preceding level. Let’s take a look at them:
- Flat Role-Based Access Control is the application of the basic functionality of the RBAC model. All users and permissions are assigned roles. Users obtain the permissions they need by obtaining these roles. There may be as many roles and permissions as the organization requires. As per the above table, a user may be assigned to multiple roles and one role can be assigned to multiple users.
- Hierarchical Role-Based Access Control utilizes the use of a hierarchy within the basic role structure. This hierarchy defines the relationships between roles. Users with senior roles acquire permissions of all junior roles, which are assigned to their subordinates. The degree of complexity within the hierarchy is described by the requirements of the organization.
- Constrained Role-Based Access Control adds segregation of duties (SOD) to a security system. SOD is a popular security practice where a single duty is spread among several employees with the sole intention of prevention of fraud and error.
- Symmetric Role Based Access Control provisions permission-role review as well as user-role review. It permits the identification of the permissions assigned to existing roles. For example, by identifying the permissions of a terminated user, the admin can withdraw the user’s permissions and then reassign that role to another user with the same or a different set of permissions.
Once all the necessary roles and permissions are defined, the Role-Based Access Control model does not require much maintenance and upkeep from an organizations’ IT department. The use of RBAC can help your organization meet IT security requirements with little effort.
If you would like to learn more about Role Based Access Control, please contact us for more information!