Role Based Access Control
From MgmtWiki
Full Title or Meme
The ability to use the role of the user to control access to resources.
Context
- Created to simplify the process of controlling access by a large number of users to a large number of different access regimes.
- RBAC administrators control what users can do with specific IT resources and which areas they have access to. The model is simple to state because it rests on three rules: Role Assignment (a subject can exercise a permission only if it has selected or been assigned a role), Role Authorization (a subject's active role must be one that is authorized for that subject), and Permission Authorization (a subject can exercise a permission only if that permission is authorized for the subject's active role).
- With RBAC the process of assigning employees to roles and the process of assigning permissions on assets to roles are decoupled, so that a user can change roles and automatically change the set of resources available to them.
- One important effect is that when an employee is terminated, removing all of their role assignments removes all of their access. This holds only where every access decision is made through roles; a permission granted directly to the user outside the role model survives the removal of their roles.
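The following toy RBAC engine is an added example, not code from MgmtWiki or from any RBAC product. It implements the three rules above (Role Assignment, Role Authorization, Permission Authorization) over two separate mappings, user-to-role and role-to-permission, and then walks through the scenarios in the list: a user changing roles, a user trying to activate a role they were never assigned, and termination. The role names, users, resources and the rule that a session must activate at least one role are assumptions made for the illustration.

```python
"""Toy RBAC engine (added example, not from the page or any product).

Rules implemented:
  Role Assignment        - a subject gets permissions only through an active role
  Role Authorization     - a subject may only activate roles assigned to it
  Permission Authorization - a permission is usable only if granted to an active role
"""
from collections import defaultdict


class Rbac:
    def __init__(self):
        self.role_perms = defaultdict(set)   # role -> {(action, resource)}
        self.user_roles = defaultdict(set)   # user -> {role}
        self.sessions = {}                   # session id -> (user, frozenset of active roles)
        self._next_session = 0

    # --- administration: the two decoupled mappings --------------------------
    def grant(self, role, action, resource):
        """Permission -> role. Changes access for every user holding the role."""
        self.role_perms[role].add((action, resource))

    def assign(self, user, role):
        """User -> role. Never touches the permission mapping."""
        self.user_roles[user].add(role)

    def revoke(self, user, role):
        self.user_roles[user].discard(role)
        # A session that activated the revoked role is no longer authorized: close it.
        for sid, (u, active) in list(self.sessions.items()):
            if u == user and role in active:
                del self.sessions[sid]

    def terminate(self, user):
        """Offboarding: removing every role assignment removes every access."""
        for role in list(self.user_roles.get(user, ())):
            self.revoke(user, role)
        self.user_roles.pop(user, None)

    # --- the three rules -------------------------------------------------------
    def open_session(self, user, active_roles):
        """Role Authorization: only roles assigned to the user may be activated."""
        active = frozenset(active_roles)
        assigned = self.user_roles.get(user, set())
        if not active:
            raise PermissionError("a session must activate at least one role")  # assumed policy
        if not active <= assigned:
            raise PermissionError(f"{user} is not assigned {set(active) - assigned}")
        sid = self._next_session
        self._next_session += 1
        self.sessions[sid] = (user, active)
        return sid

    def allowed(self, session_id, action, resource):
        """Role Assignment + Permission Authorization."""
        if session_id not in self.sessions:
            return False            # no active role, so no permission at all
        _user, active = self.sessions[session_id]
        return any((action, resource) in self.role_perms[r] for r in active)


def demo():
    """Walk through the scenarios in the text; returns the decision at each step."""
    rbac = Rbac()
    # Constructed sample policy: two roles with disjoint permissions.
    rbac.grant("payroll-clerk", "read", "salaries")
    rbac.grant("payroll-clerk", "write", "salaries")
    rbac.grant("helpdesk", "reset", "passwords")

    rbac.assign("alice", "payroll-clerk")
    s1 = rbac.open_session("alice", {"payroll-clerk"})
    results = {
        "clerk_can_write_salaries": rbac.allowed(s1, "write", "salaries"),
        "clerk_cannot_reset_passwords": not rbac.allowed(s1, "reset", "passwords"),
    }

    # Alice changes jobs: swap her role; her permissions follow the role mapping.
    rbac.revoke("alice", "payroll-clerk")
    rbac.assign("alice", "helpdesk")
    results["old_session_closed"] = not rbac.allowed(s1, "write", "salaries")
    s2 = rbac.open_session("alice", {"helpdesk"})
    results["helpdesk_can_reset"] = rbac.allowed(s2, "reset", "passwords")
    results["helpdesk_cannot_write_salaries"] = not rbac.allowed(s2, "write", "salaries")

    # Role Authorization: she cannot activate a role she no longer holds.
    try:
        rbac.open_session("alice", {"payroll-clerk"})
        results["unassigned_role_rejected"] = False
    except PermissionError:
        results["unassigned_role_rejected"] = True

    # Termination: all roles go, so all access goes, including open sessions.
    rbac.terminate("alice")
    results["terminated_has_no_access"] = not rbac.allowed(s2, "reset", "passwords")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Every check in `demo()` comes back true. Note that the termination guarantee depends on `allowed()` being the only path to a resource: the engine has no way to grant a permission directly to a user, which is exactly what makes "remove the roles, remove the access" hold.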
Problems
- RBAC is not an automatic process; role definitions and assignments need to be painstakingly managed and often involve significant manual intervention.
- If a centralized administrative role is defined, there is no easy way to prevent someone signed in as the administrator from assigning all of the roles to themselves, which makes the administrator an attractive phishing target.
- As different collections of permissions for different sets of employees and contractors evolve, the number of roles grows without bound (role explosion). Removing roles to consolidate them is certain to abruptly cut some employees off from resources they were using.
References
- The Problem with RBAC (2019-05-30), an interesting blog post.