Identity and Access Management Consulting

All mid-size and large organizations consist of a highly distributed and dynamic workforce, requiring constant provisioning of resources and ongoing management of access and compliance. Taking a strategic perspective and a top-down review of a company's identity and access management policies, implementation choices, process adherence and audits leads to success in ensuring security and compliance.

By properly managing resources reserved for select identities, businesses can keep those resources protected and reconfigure user access within the structure of the business in a simplified manner. This can be done through Role-Based Access Control, Attribute-Based Access Control, or a hybrid of the two.

What is Role-Based Access Control?  

Role-Based Access Control (RBAC) is a framework designed to allow organizations to manage permissions across applications and protected IT resources efficiently. RBAC mirrors real-world organizational structures by recognizing that most employees perform tasks against resources related to their job title or function. By organizing and assigning access based on “Role”, access can be attributed to job functions rather than to individual users. As such, RBAC delegates protected resources and operations to Technology and Business Roles in the organization.

In order to manipulate a Protected Resource within a resource system, a person must have the permission to execute a Protected Operation against the resource. Protected Operations are specific pieces of functionality that automatically read, interpret, and honor the RBAC security assignments of a Role.

Roles are bundles of access rights to specific resources that can be assigned as a single unit to users. Technology Roles are bundles of permissions that grant access to users. Their subset Resource Roles (Access Levels) collect the protected operations specific to a particular resource type that together support a particular level of access to that resource type. Their subset Management Roles are bundles of Resource Roles that provide delegated access to resources of multiple types within a scope of authority, supporting a particular job responsibility and its assignments.

A Business Role is a hierarchical container for grouping a number of people. Business Roles can then have Technology Roles assigned to them to provide access to resources for the people assigned to the Business Role. Business Roles can be “mapped” from external authoritative systems such as HR or personnel systems into location-based and operational groupings such as projects or applications, representing geographic and organizational structure respectively. The combination of the Business Role (what a person can do) and the Location (where the person can do it) defines the technological environment available to a person's identity.

The use of RBAC manages protected resources through the assignment of protected operations. Technology Roles such as Access Levels and Management Roles provide a convenient method for bundling these operations together for assignments. Delegation, which is the assignment of RBAC access granted via the assignment of Roles, combines scope and target concepts to provide a flexible mechanism for assigning privileges within the enterprise.
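The role hierarchy described above (protected operations bundled into Resource Roles, Resource Roles into Management Roles, Technology Roles delegated to Business Roles within a scope) is easier to reason about when written out as a small model. The following is an added example, not code from the original page or from any IAM product; every role, operation, person and location name in it is constructed for illustration, and the choice to check the delegation scope against the resource's location is a modeling assumption.

```python
# Added example (not the page's or any vendor's code): a small model of the RBAC
# hierarchy described above. Role, operation and location names are constructed.
from dataclasses import dataclass

# Resource Roles (Access Levels): a bundle of protected operations on ONE resource
# type, expressed as (resource_kind, operation) pairs.
RESOURCE_ROLES = {
    "Mailbox.Reader":   {("mailbox", "read")},
    "Mailbox.Editor":   {("mailbox", "read"), ("mailbox", "write")},
    "FileShare.Reader": {("fileshare", "read")},
    "FileShare.Admin":  {("fileshare", "read"), ("fileshare", "write"), ("fileshare", "set_acl")},
}

# Management Roles: bundles of Resource Roles spanning several resource types,
# matching one job responsibility.
MANAGEMENT_ROLES = {
    "HelpDeskTier1":  {"Mailbox.Reader", "FileShare.Reader"},
    "MessagingAdmin": {"Mailbox.Editor", "FileShare.Reader"},
}


@dataclass(frozen=True)
class Delegation:
    """A Technology Role assigned to a Business Role, limited to a scope of authority."""
    technology_role: str  # a Management Role or Resource Role name
    scope: str            # location subtree the delegation applies to, e.g. "EMEA/Berlin"


# Business Roles: containers for people; each carries the delegations granted to it.
BUSINESS_ROLES = {
    "HelpDesk":     [Delegation("HelpDeskTier1", "EMEA")],
    "MessagingOps": [Delegation("MessagingAdmin", "EMEA/Berlin")],
}


@dataclass(frozen=True)
class Person:
    name: str
    business_roles: frozenset


@dataclass(frozen=True)
class Resource:
    kind: str      # resource type, e.g. "mailbox"
    location: str  # position in the "/"-separated location hierarchy


def expand_technology_role(name):
    """Flatten a Technology Role into the (resource_kind, operation) pairs it grants."""
    if name in MANAGEMENT_ROLES:
        ops = set()
        for resource_role in MANAGEMENT_ROLES[name]:
            ops |= expand_technology_role(resource_role)
        return ops
    if name in RESOURCE_ROLES:
        return set(RESOURCE_ROLES[name])
    raise KeyError(f"unknown technology role: {name}")


def in_scope(scope, location):
    """A scope covers a location when it is that location or an ancestor of it."""
    return location == scope or location.startswith(scope + "/")


def is_permitted(person, operation, resource):
    """Protected Operation check: does any delegation reachable through the person's
    Business Roles grant `operation` on this resource kind within a covering scope?"""
    for business_role in person.business_roles:
        for delegation in BUSINESS_ROLES.get(business_role, []):
            if not in_scope(delegation.scope, resource.location):
                continue
            if (resource.kind, operation) in expand_technology_role(delegation.technology_role):
                return True
    return False


def who_can(operation, resource, people):
    """Audit helper ("who has access to what"): names of everyone permitted."""
    return sorted(p.name for p in people if is_permitted(p, operation, resource))


# Constructed sample identities and resources
ALICE = Person("alice", frozenset({"HelpDesk"}))
BOB = Person("bob", frozenset({"MessagingOps"}))
PARIS_MAILBOX = Resource("mailbox", "EMEA/Paris")
BERLIN_MAILBOX = Resource("mailbox", "EMEA/Berlin")

if __name__ == "__main__":
    print(is_permitted(ALICE, "read", PARIS_MAILBOX))     # True: scope EMEA covers Paris
    print(is_permitted(ALICE, "write", PARIS_MAILBOX))    # False: Mailbox.Reader has no write
    print(is_permitted(BOB, "write", BERLIN_MAILBOX))     # True
    print(is_permitted(BOB, "write", PARIS_MAILBOX))      # False: scope limited to Berlin
    print(who_can("write", BERLIN_MAILBOX, [ALICE, BOB]))  # ['bob']
```

The `who_can` helper is the audit view the advantages list below refers to: because every grant is reachable only through a static role chain, the question "who can write to this mailbox" is answered by enumerating people, not by replaying dynamic policy.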

Advantages of Role-Based Access Control

• Rules are simple to set up and distribute

• It is easy to determine who has access to what at any given time (though it can become tedious as the user base grows)

• Rules are static, direct and easy to visualize, allowing security admins to directly see the users and resources that they will affect when creating or modifying a policy

• The system is inherently auditable, as it is simple for business owners to certify or attest to access granted through role-based assignments because the consequences of that access can be seen directly

What is Attribute-Based Access Control?

Attribute-Based Access Control (ABAC) grants access to users based on who they are rather than what they do, e.g. the building they work in and how they were hired. Attributes allow for a simpler control structure because permissions can be based on the user's type, location, department and so on, mirroring the physical aspects of the business. By looking at a user's attributes (information that is already known and often stored in an HR system), ABAC lets you express a rich, complex access control policy in a much simpler form.

Advantages of Attribute-Based Access Control

• Access can be provided automatically without having to make requests or look through existing groups to find one that provides the correct access

• It is easy to specify access rules through simple queries

• Rules can be extremely fine-grained and contextual

• Rules require less maintenance and overhead than RBAC since a separate structure for roles and functions is not needed

• The structure for controlling access is based on the physical aspects of the business

RBAC and ABAC Hybrid

Bridging the gap between RBAC and ABAC creates a hybrid. An identity and access management solution capable of designing and enforcing rules based on individual profiles and business environment parameters enforces mandatory access control based on certain attributes while still providing discretionary access control through supercharged roles known as ‘job functions’, which are profiled according to user employment types. To provide risk-adaptable access control, access permissions can be made mutually exclusive through segregation-of-duties rules. It is expected that, as time goes on, ABAC will become widely accepted as the authorization model of choice for businesses. A solution that can bridge the gap between RBAC and ABAC is therefore important: an indispensable, high-value software asset for a business-minded future!
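The ABAC section above describes decisions driven by attributes such as department and hiring type, and this section describes layering mandatory attribute rules under discretionary ‘job functions’ that are profiled by employment type and constrained by segregation of duties. The following added example (not code from the original page or from any vendor) shows both in one policy engine: the attribute rules, the employment-type eligibility of job functions, the mutually exclusive pairs and the request context are all constructed for illustration, and the rule that non-read actions must originate from the resource's building is an assumed policy, not one the page states.

```python
# Added example (not the page's or any vendor's code): a hybrid engine that evaluates
# mandatory attribute rules (ABAC) before discretionary job functions (RBAC) and
# applies segregation-of-duties exclusions. All data and rules are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    employment_type: str      # HR attribute: "employee" or "contractor"
    department: str           # HR attribute
    clearance: int            # constructed attribute used by the mandatory rule
    job_functions: frozenset  # discretionary "job function" roles assigned to the user


@dataclass(frozen=True)
class Resource:
    name: str
    owner_department: str
    building: str             # building that hosts the resource
    classification: int       # level the user's clearance must meet


# Discretionary side: each job function bundles the actions it permits.
JOB_FUNCTIONS = {
    "AP.Clerk":        {"invoice:create"},
    "AP.Approver":     {"invoice:approve"},
    "Finance.Analyst": {"ledger:read"},
}

# Job functions are profiled by employment type: only employees may hold AP.Approver.
JOB_FUNCTION_ELIGIBILITY = {
    "AP.Clerk":        {"employee", "contractor"},
    "AP.Approver":     {"employee"},
    "Finance.Analyst": {"employee", "contractor"},
}

# Segregation of duties: these job functions are mutually exclusive on one user.
SOD_CONFLICTS = [frozenset({"AP.Clerk", "AP.Approver"})]


# Mandatory side: every rule must hold no matter which job functions a user has.
def rule_clearance(user, action, resource, ctx):
    return user.clearance >= resource.classification


def rule_department(user, action, resource, ctx):
    return user.department == resource.owner_department


def rule_location_for_writes(user, action, resource, ctx):
    """Reads are allowed from anywhere; any other action only from the resource's
    building. ctx["building"] is where the request originates (constructed context)."""
    return action.endswith(":read") or ctx.get("building") == resource.building


MANDATORY_RULES = [rule_clearance, rule_department, rule_location_for_writes]


def sod_violations(job_functions):
    """Return the conflict sets that `job_functions` fully contains."""
    return [c for c in SOD_CONFLICTS if c <= set(job_functions)]


def eligible_job_functions(user):
    """Keep only the job functions the user's employment type is profiled for."""
    return {jf for jf in user.job_functions
            if user.employment_type in JOB_FUNCTION_ELIGIBILITY.get(jf, set())}


def authorize(user, action, resource, ctx):
    """Mandatory attribute rules first, then the discretionary job-function grant.
    A user whose assignments violate segregation of duties is denied outright."""
    if not all(rule(user, action, resource, ctx) for rule in MANDATORY_RULES):
        return False
    functions = eligible_job_functions(user)
    if sod_violations(functions):
        return False
    return any(action in JOB_FUNCTIONS[jf] for jf in functions)


# Constructed sample data
INVOICES = Resource("ap-invoices", owner_department="AP", building="B1", classification=2)
CAROL = User("carol", "employee", "AP", 2, frozenset({"AP.Clerk"}))
DAVE = User("dave", "contractor", "AP", 2, frozenset({"AP.Approver"}))
ERIN = User("erin", "employee", "AP", 3, frozenset({"AP.Clerk", "AP.Approver"}))
FRANK = User("frank", "employee", "HR", 3, frozenset({"AP.Clerk"}))

if __name__ == "__main__":
    print(authorize(CAROL, "invoice:create", INVOICES, {"building": "B1"}))   # True
    print(authorize(CAROL, "invoice:create", INVOICES, {"building": "B2"}))   # False: wrong building
    print(authorize(DAVE, "invoice:approve", INVOICES, {"building": "B1"}))   # False: contractor
    print(authorize(ERIN, "invoice:approve", INVOICES, {"building": "B1"}))   # False: SoD conflict
    print(authorize(FRANK, "invoice:create", INVOICES, {"building": "B1"}))   # False: wrong department
```

Evaluating the mandatory rules before the role lookup is what makes the attribute layer "mandatory": no job function can override a failed attribute check. Denying a user whose assignments break segregation of duties, rather than silently dropping one of the conflicting functions, keeps the violation visible so that provisioning can be corrected and the audit trail records it.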

Advantages of Hybrid solution (RBAC and ABAC combo)

• The directory store is kept clean

• Users get easy access to the right resources to handle specific job functions

• With the right tools, user provisioning can in large part be handled directly by business decision makers, saving IT the hassle

• Rolling out and decommissioning systems can be sped up and handled with fewer personnel, reducing cost

• Access control procedures are standardized

• Risk is reduced through automation and standard audit trails


For further discussion, please email us at . One of our expert Identity and Access Management consultants will be in touch with you.

Copyright © Srisys Inc. 2024.