Within any organization, there may be a diverse range of job functions, each with its own specific tasks, responsibilities, and roles to play in the overall functioning of the enterprise.
With much of the work in contemporary businesses being conducted through networked computers and software, enterprises need not only to make these resources available to their workers, but to do so in a manner that neither disrupts the smooth interaction of their various departments nor compromises their security.
Traditional methods of regulating and assigning access to enterprise resources operated on a case-by-case basis, with tools and privileges made available as each object (file, program, etc.) was called for, using the specified protocol or access code. Rigid systems like this can be notoriously difficult to administer and manage – which is part of the reason why role-based systems of access control are gaining traction.
What Is Role-Based Access Control?
Role-based access control (or RBAC) uses the roles played by individual users within an organization as the basis for governing their access to its network and resources. Rights and powers to perform job-related tasks such as viewing, creating or modifying documents and data files are granted in proportion to an individual’s level of competency, authority, and/or degree of responsibility within the enterprise.
It’s a more flexible system than the traditional model, with RBAC implementing dynamic controls enabling users to perform their authorized tasks even as their working conditions, regulations, company policies, and other conditions change. And as enterprises grow and develop over time, roles governed by RBAC may be created, altered, or removed, without having to update the privileges of every single user.
The first formalized model for role-based access control (which is sometimes also referred to as “role-based security”) was proposed in 1992 by David Ferraiolo and Rick Kuhn. The NIST (National Institute of Standards and Technology) model for role-based access control was adopted as American National Standard 359-2004 by the American National Standards Institute, International Committee for Information Technology Standards (ANSI/INCITS) on February 11, 2004, with a revision to INCITS 359-2012 in 2012.
Securing Wireless Networks with Role-Based Access Control
For small and medium-sized businesses, the ad hoc approach of assigning network privileges and access to users on a piecemeal (and often arbitrary) basis becomes extremely difficult to manage, as the number of individuals involved increases beyond a certain point. The complexities of security administration continue to multiply, as enterprise networks have expanded beyond the single-site data center to the “extended campus” of multi-location businesses, remote sites, mobile working, cloud, and wireless.
Role-based access control had its origins in meeting the demand for securing and restricting access to the earliest wireless networks. The system was intended to determine who was accessing a network, the methods being used to gain access, and the locations from which it was being accessed – and then to apply policy-based rules to control those levels of access.
Understanding the User Base
The first step in developing a system of role-based access control is to get an overview of the network, and an inventory of the users, processes, and elements that make it up.
On the hardware and software side, this involves making a list of all network resources which require some form of access control. Examples might include file servers, email platforms, contact management systems, or customer databases.
In terms of human resources, this stage of the process requires an assessment of all stakeholders in the network – from workers within an organization to customers, subscribers, or supply chain partners.
Having identified the user base, these users must then be grouped into categories or “roles” with common access requirements. Classifications might range from a Basic User role (with access to communal resources like email or a company intranet) to Administrators of various kinds, with powers and oversight into a range of functions or business units of the enterprise.
With the roles established, the system may then be configured with policies and rules governing which roles are allowed access to which resources – and the conditions under which this access is granted.
Benefits of Role-Based Access Control
Once the initial inventory is made and the necessary criteria are decided upon, an RBAC system is able to assign access rights in a systematic and repeatable manner, requiring little in the way of human intervention. When action is required, it’s considerably easier to audit user rights or attend to any issues raised than it would be under a more traditional, “object-based” system.
By associating a given set of access privileges with each defined role, it’s easier to create a separation between different job types or divisions in an enterprise. In organizations where trade secrets, intellectual property, sensitive consumer data, or other such information are regularly handled on the network, this effectively creates “firewalls” between the roles, and enables “Eyes Only” or “Need to Know” type policies to be more effectively enforced.
Role-based access control allows managers and network administrators greater visibility and oversight into the enterprise while ensuring that authorized users and guests on the system are given access only to what they strictly need to fulfill their roles, and nothing more. By denying access to certain applications or processes, resources such as network bandwidth, memory, and storage may be conserved, or utilized more cost-effectively.
Commercial and Mainstream Applications
There are RBAC systems available from most of the leading IT vendors today, with applications ranging from mainstream commerce to more specialized areas such as healthcare and defense. Research figures from RTI International suggest that the majority of organizations with 500 or more people have been using a role-based access control system since 2010.
Best Practices for Role-Based Access Control
When analyzing the network’s user base and assigning roles, it’s important to keep those defined roles down to a manageable number. Roles should be clearly categorized, and easy to distinguish from each other.
Having established and assigned the roles, don’t give in to the temptation to create exceptions in order to cater for special circumstances. If business or environmental conditions seem to demand a one-off change to a particular individual’s access rights, it’s a better policy to make changes to that particular role which apply to all people who’ve been assigned to it – or to create an entirely new role, which can then be populated with the relevant users.
It’s also a good idea to periodically review or audit all the roles on the system, to verify that they continue to be relevant and that the appropriate users are grouped under their most suitable roles.
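The following is an added example, not code from the article, that puts the inventory-and-roles procedure above and the best practices just described into one small model: users are mapped only to roles, roles are mapped to (resource, action) pairs, access is denied by default, a one-off need is met by defining a new role rather than a per-user exception, and a periodic audit flags roles that are unused, grant nothing, or were assigned without ever being defined. All role, user and resource names are constructed sample data.

```python
from copy import deepcopy

# Constructed sample inventory (not from the article): each role maps to the
# (resource, action) pairs it grants; users are mapped to roles, never to
# permissions directly.
PERMISSIONS = {
    "basic_user": {("email", "read"), ("email", "write"), ("intranet", "read")},
    "sales": {("crm", "read"), ("crm", "write")},
    "hr_admin": {("hr_db", "read"), ("hr_db", "write")},
    "legacy_reporting": {("reports", "read")},   # nobody holds this any more
    "intern": set(),                              # defined but grants nothing
}
USER_ROLES = {
    "alice": {"basic_user", "sales"},
    "bob": {"basic_user"},
    "carol": {"basic_user", "hr_admin"},
    "dave": {"basic_user", "contractor"},        # "contractor" was never defined
}

def check_access(user, resource, action, user_roles=USER_ROLES, perms=PERMISSIONS):
    """Deny by default; allow only if one of the user's roles grants the pair."""
    return any((resource, action) in perms.get(role, set())
               for role in user_roles.get(user, set()))

def grant_via_new_role(name, members, grants, user_roles, perms):
    """Instead of a per-user exception, define a new role and populate it.
    Returns updated copies so the originals stay untouched."""
    if name in perms:
        raise ValueError(f"role {name!r} already exists; change that role instead")
    new_users, new_perms = deepcopy(user_roles), deepcopy(perms)
    new_perms[name] = set(grants)
    for user in members:
        new_users.setdefault(user, set()).add(name)
    return new_users, new_perms

def audit_roles(user_roles=USER_ROLES, perms=PERMISSIONS):
    """Periodic review: roles nobody holds, roles that grant nothing, and
    role names assigned to users that were never defined."""
    assigned = set().union(*user_roles.values())
    return {
        "unused_roles": sorted(set(perms) - assigned),
        "empty_roles": sorted(r for r, p in perms.items() if not p),
        "undefined_roles": sorted(assigned - set(perms)),
    }

if __name__ == "__main__":
    print(check_access("alice", "crm", "write"))   # True
    print(check_access("bob", "crm", "read"))      # False
    print(audit_roles())
```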