Hitachi ID Systems, Inc.

ID-Certify and Role Based Access Control

What is RBAC?

In the context of a single system, role-based access control (RBAC) means granting privileges to data and functions by roles. RBAC is a proven mechanism to effectively manage privileges on single systems, as it allows administrators to group users and attach groups of users to roles (groups of privileges).

Enterprise user provisioning systems normally manage users across a variety of target systems. In this context, a single role may convey to a user access to multiple privileges on multiple systems. This is sometimes called a meta-role.

To provision user rights entirely using roles, two things are required:

  1. A sufficiently rich set of roles must be defined, so that every need of every user is captured in the role model.
  2. Every user must be assigned one or more roles, such that all of their privileges can be derived from roles.

These requirements are hard to meet, especially where users are dynamic and/or diverse. Other formalisms, such as rules or a combination of organizational and technical roles, are sometimes used to reduce the difficulty of meeting these requirements, but dynamic and diverse users are still difficult to manage using just a formal model -- it is hard for the model to keep up with the fast pace at which user needs evolve.

In a large, complex or dynamic organization, managing user rights entirely using roles or other formalisms (e.g., roles and rules) may not be practical.

A key function of RBAC, and of formal privilege models in general, is to remove privileges in a reliable and timely manner. This means that if a user had been assigned roles A, B and C and his job function changed so that he no longer requires role C, then an automatic process should identify privileges present in role C but not in roles A or B and remove those privileges from the user.

In practice, even this function -- automatic privilege reduction -- can be hard to implement:

  1. The role model may not be complete and might omit some of a user's privileges or some of the details in a role's definition.
  2. User classification into roles may be incomplete.
  3. The timing for privilege removal may be impossible to predict, since the user may act in a backup capacity for his old job function for some period of time.
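The privilege-reduction step above (drop role C, revoke only what A and B do not still convey) and the first two obstacles (an incomplete role model or incomplete classification) can be made concrete in a few lines. This is an added example, not ID-Certify's or Hitachi ID's code; the meta-role table, the system and entitlement names, and the users are constructed sample data.

```python
from dataclasses import dataclass, field

# A meta-role conveys privileges on several target systems; each
# privilege is identified by (system, entitlement). Role names and
# entitlements are constructed sample data, not a real role model.
META_ROLES = {
    "A": {("AD", "Domain Users"), ("AD", "VPN-Users"), ("SAP", "FI_DISPLAY")},
    "B": {("AD", "Domain Users"), ("SAP", "FI_DISPLAY"), ("SAP", "FI_POST")},
    "C": {("AD", "VPN-Users"), ("SAP", "FI_APPROVE"), ("Oracle", "AP_ADMIN")},
}


@dataclass
class User:
    name: str
    roles: set[str]
    # Privileges actually present on the target systems (what an
    # entitlement feed would report); these may exceed the role model.
    actual: set[tuple[str, str]] = field(default_factory=set)


def derived_privileges(roles, model=META_ROLES):
    """Union of the privileges conveyed by the given roles."""
    return set().union(*(model[r] for r in roles))


def privileges_to_revoke(user, removed_role, model=META_ROLES):
    """Privileges conveyed by removed_role that no remaining role still
    conveys. A privilege shared with a remaining role must be kept."""
    remaining = user.roles - {removed_role}
    return model[removed_role] - derived_privileges(remaining, model)


def unexplained_privileges(user, model=META_ROLES):
    """Privileges the user holds that no assigned role explains: the gap
    between the role model and reality. Automatic removal cannot reason
    about these; they need a request-based review instead."""
    return user.actual - derived_privileges(user.roles, model)


if __name__ == "__main__":
    alice = User("alice", {"A", "B", "C"})
    alice.actual = derived_privileges(alice.roles) | {("Oracle", "GL_READ")}
    # VPN-Users stays (still conveyed by A); FI_APPROVE and AP_ADMIN go.
    print(sorted(privileges_to_revoke(alice, "C")))
    # GL_READ is held but explained by no role: flag it, do not auto-revoke.
    print(sorted(unexplained_privileges(alice)))
```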

Request-Based User Provisioning

Because of the challenges in implementing a 100% role-based user management system, most organizations in practice use a request-based system.

Request-based systems can be automated, typically using web-based change request forms and e-mail-based invitations asking appropriate users to review and authorize proposed changes. Automated requests are also possible: a data feed from a system of record, such as an HR application, may automatically trigger change requests.

Use RBAC Where Appropriate

While it may be difficult to model every privilege of every user with roles and rules, this does not mean that role-based access control should be discarded. Rather, it means that RBAC should be used where appropriate and other techniques should supplement it where RBAC does not work well: