Mid-size and large organizations have highly distributed and dynamic workforces,
requiring constant provisioning of resources and ongoing management of access and
compliance. Taking a strategic perspective and conducting a top-down review of the
company's identity and access management policies, implementation choices, process
adherence and audits is what lets an organization succeed in ensuring security and
compliance.
By properly managing resources reserved for specific identities,
businesses can keep those resources protected and reconfigure user access as the
structure of the business changes, without undue complexity. This can be done through
Role-Based Access Control, Attribute-Based Access Control, or a hybrid of the
two.
What is Role-Based Access Control?
Role-Based Access
Control (RBAC) is a framework designed to let organizations
manage permissions across applications and protected IT resources
efficiently. RBAC mirrors real-world organizational structures by recognizing
that most employees perform tasks against resources related to their job title
or function. By organizing and assigning access by role, access
is attributed to job functions rather than to individual users. RBAC therefore
delegates protected resources and operations to the Technology Roles and Business
Roles of the organization.
To manipulate a Protected Resource within a
resource system, a person must hold permission to execute a Protected Operation
against that resource. Protected Operations are specific pieces of functionality
whose implementation reads, interprets and honors the RBAC assignments of the
caller's Roles before acting, so the check is enforced by the operation itself
rather than left to the caller.
A Role is a bundle of access rights to specific resources
that can be assigned to users as a single unit. Technology Roles are bundles of
permissions that grant access to users, and they come in two kinds. Resource Roles (Access
Levels) collect the protected operations specific to a particular resource type
that together support a particular level of access to that type. Management
Roles are bundles of Resource Roles that provide delegated access to resources of
multiple types, within a scope of authority, in support of a particular job
responsibility and its assignments.
A Business Role is a hierarchical container that groups
a number of people. Technology Roles can then be assigned to a Business Role
to provide access to resources for everyone in it. Business Roles can be
mapped from external authoritative systems such as HR or personnel systems, and
combined with location-based groupings (representing geographic structure) and
operational groupings such as projects or applications (representing organizational
structure). The combination of the Business Role (what a person can do) and
the Location (where the person can do it) defines the technological environment
available to a person's identity.
RBAC manages protected resources through the
assignment of protected operations. Technology Roles such as Access Levels and
Management Roles provide a convenient way to bundle these operations
together for assignment. Delegation, the granting of RBAC access through Role
assignment, combines a scope (the set of resources or locations the role covers)
with a target (the Business Role or identity that receives it), providing a
flexible mechanism for assigning privileges within the enterprise.
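The structure described above (access levels, management roles, a business-role hierarchy, scoped delegation and a protected operation that checks its own authorization) as an added Python example. This is not code from the original article or from any product it describes; all role names, resource types, locations and people are hypothetical, and the assumption that a child Business Role inherits the technology roles delegated to its parent is mine, not the article's.

```python
"""Added example (not from the article): a minimal RBAC model with
access levels, management roles, a business-role hierarchy and scoped
delegation. All names and data are hypothetical."""
from dataclasses import dataclass
from typing import Optional

# Resource roles ("access levels"): protected operations bundled per resource type.
ACCESS_LEVELS = {
    ("mailbox", "Reader"):        {"read"},
    ("mailbox", "Owner"):         {"read", "write", "delete", "share"},
    ("fileshare", "Reader"):      {"read"},
    ("fileshare", "Contributor"): {"read", "write"},
}

# Management roles: bundles of access levels across several resource types.
MANAGEMENT_ROLES = {
    "HelpDeskL1": [("mailbox", "Reader"), ("fileshare", "Reader")],
    "SiteAdmin":  [("mailbox", "Owner"), ("fileshare", "Contributor")],
}

ANY_LOCATION = "*"


@dataclass(frozen=True)
class Resource:
    rtype: str
    name: str
    location: str          # where the resource lives, e.g. "EMEA"


@dataclass
class BusinessRole:
    """Hierarchical container of people. Assumption: children inherit the
    technology roles delegated to their ancestors."""
    name: str
    parent: Optional["BusinessRole"] = None

    def chain(self):
        role = self
        while role is not None:
            yield role.name
            role = role.parent


@dataclass(frozen=True)
class Delegation:
    """A management role granted to a business role (target) over a set of
    resource locations (scope)."""
    target: str
    management_role: str
    scope: frozenset


@dataclass
class Identity:
    name: str
    business_role: BusinessRole


def permitted_operations(identity, resource, delegations):
    """Union of the protected operations every applicable delegation grants
    on this resource: the target must be in the identity's business-role chain
    and the resource's location must fall inside the delegation's scope."""
    ops = set()
    targets = set(identity.business_role.chain())
    for d in delegations:
        if d.target not in targets:
            continue
        if ANY_LOCATION not in d.scope and resource.location not in d.scope:
            continue
        for rtype, level in MANAGEMENT_ROLES[d.management_role]:
            if rtype == resource.rtype:
                ops |= ACCESS_LEVELS[(rtype, level)]
    return ops


def is_permitted(identity, operation, resource, delegations):
    return operation in permitted_operations(identity, resource, delegations)


def run_protected(identity, operation, resource, delegations, action):
    """A protected operation: it honours the RBAC assignments itself before
    doing any work, instead of trusting the caller to have checked."""
    if not is_permitted(identity, operation, resource, delegations):
        raise PermissionError(f"{identity.name} may not {operation} "
                              f"{resource.rtype}/{resource.name}")
    return action()


# --- constructed sample data ---
it = BusinessRole("IT")
helpdesk = BusinessRole("HelpDesk", parent=it)
infra = BusinessRole("Infrastructure", parent=it)

DELEGATIONS = [
    Delegation("IT", "HelpDeskL1", frozenset({ANY_LOCATION})),   # all of IT, everywhere
    Delegation("Infrastructure", "SiteAdmin", frozenset({"EMEA"})),  # infra team, EMEA only
]

alice = Identity("alice", helpdesk)
bob = Identity("bob", infra)
ceo_mailbox = Resource("mailbox", "ceo", "EMEA")
sales_mailbox = Resource("mailbox", "sales", "APAC")
finance_share = Resource("fileshare", "finance", "EMEA")

if __name__ == "__main__":
    print(sorted(permitted_operations(bob, ceo_mailbox, DELEGATIONS)))
    print(is_permitted(bob, "delete", sales_mailbox, DELEGATIONS))
```

Because bob's SiteAdmin delegation is scoped to EMEA, he can delete the EMEA mailbox but only read the APAC one (via the read-only HelpDeskL1 role inherited from the IT business role), which is exactly the scope/target split the text describes.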
Advantages of Role-Based Access Control
• Rules are simple to set up and distribute
• It is easy to determine who has access to what at any
given time (though it can become tedious as the user base grows)
• Rules are static, direct and easy to visualize, allowing
security admins to see directly which users and resources a policy will affect
when creating or modifying it
• The system is inherently auditable, as it is simple for
business owners to certify or attest to access granted through role-based
assignments, since the consequences of that access are directly visible
What is Attribute-Based Access Control?
Attribute-Based Access Control (ABAC) grants access to
users based on who they are rather than on what they do, for example the building they
work in or the terms under which they were hired. Attributes allow for a simpler control structure
because permissions can be based on the user's type, location, department and
so on, mirroring the physical aspects of the business. By evaluating a user's
attributes, information that is already known and usually stored in an HR
system, ABAC lets you express a rich, complex access control policy in a much
simpler form.
Advantages of Attribute-Based Access Control
• Access can be provided automatically without having to
make requests or look through existing groups to find one that provides the
correct access
• It is easy to specify access rules through simple queries
• Rules can be extremely fine-grained and contextual
• Rules require less maintenance and overhead than RBAC
since a separate structure for roles and functions is not needed
• The structure for controlling access is based on the
physical aspects of the business
RBAC and ABAC Hybrid
Bridging the gap between RBAC and ABAC creates a hybrid. An identity and access
management solution that can design and enforce rules based on individual profiles and
business-environment parameters applies mandatory, attribute-driven controls (access that
follows automatically from who a person is) while still providing discretionary control
through enriched roles known as ‘job functions’, which are profiled by employment type.
To make access control risk-adaptive, permissions can be declared mutually exclusive
through segregation-of-duties rules, so that no single identity can hold a conflicting
combination. ABAC is expected to become widely accepted as the authorization model of
choice for businesses over time, so a solution that bridges the gap between RBAC and
ABAC is an important, high-value software asset for a business-minded future.
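The two ideas above, attribute-driven access from the ABAC section (roles that follow from HR attributes and re-provision automatically when those attributes change, plus contextual rules) and the hybrid's discretionary job-function grants guarded by segregation-of-duties rules, as one added Python example. It is not code from the original article or from any product it describes; the attribute names, rules, role names, conflict pairs and people are all hypothetical.

```python
"""Added example (not from the article): ABAC rules that derive job functions
from HR attributes, discretionary role grants layered on top, and a
segregation-of-duties check. Attribute names, rules and people are hypothetical."""
from dataclasses import dataclass, field


@dataclass
class Subject:
    name: str
    attrs: dict                                      # e.g. fed from an HR system (constructed)
    discretionary: set = field(default_factory=set)  # roles granted by a business owner


# Mandatory, attribute-driven rules: each predicate over the subject's attributes
# confers a job function automatically; nobody requests it or has to be removed from it.
JOB_FUNCTION_RULES = [
    ("Employee",        lambda a: a["employment_type"] == "FTE"),
    ("ContractorBasic", lambda a: a["employment_type"] == "Contractor"),
    ("FinanceUser",     lambda a: a["department"] == "Finance"),
    ("FinanceApprover", lambda a: a["department"] == "Finance" and a["grade"] >= 7),
    ("SiteBadgeHQ",     lambda a: a["building"] == "HQ"),
]

# Permissions each job function / role carries.
ROLE_PERMISSIONS = {
    "Employee":        {"intranet:read"},
    "ContractorBasic": {"intranet:read"},
    "FinanceUser":     {"ledger:read", "invoice:create"},
    "FinanceApprover": {"invoice:approve"},
    "SiteBadgeHQ":     {"door:hq"},
    "PaymentsRelease": {"payment:release"},   # only ever granted at a manager's discretion
}

# Segregation of duties: pairs of roles no single identity may hold at once.
SOD_CONFLICTS = [
    ("FinanceUser", "PaymentsRelease"),      # whoever creates invoices must not release payments
    ("FinanceApprover", "PaymentsRelease"),  # nor may the approver
]

# Contextual rules: permission -> predicate over the request environment.
CONTEXT_RULES = {
    "invoice:approve": lambda ctx: ctx.get("network") == "corp",   # not from guest Wi-Fi
    "payment:release": lambda ctx: ctx.get("network") == "corp" and ctx.get("mfa") is True,
}


def derived_job_functions(subject):
    """Roles that follow from attributes alone. Recomputed on every call, so an
    HR change (new department, contract ended) re-provisions access by itself."""
    return {jf for jf, rule in JOB_FUNCTION_RULES if rule(subject.attrs)}


def effective_roles(subject):
    return derived_job_functions(subject) | subject.discretionary


def sod_violations(roles):
    return {(a, b) for a, b in SOD_CONFLICTS if a in roles and b in roles}


def grant_discretionary(subject, role):
    """A business owner's grant. Refused (nothing changes) if the resulting role
    set would violate segregation of duties; returns (granted, conflicts)."""
    conflicts = sod_violations(effective_roles(subject) | {role})
    if conflicts:
        return False, conflicts
    subject.discretionary.add(role)
    return True, set()


def permissions(subject):
    perms = set()
    for role in effective_roles(subject):
        perms |= ROLE_PERMISSIONS[role]
    return perms


def access_decision(subject, permission, context):
    """Hybrid decision: the permission must be held through some role, and any
    contextual rule attached to it must also pass for this particular request."""
    if permission not in permissions(subject):
        return False
    rule = CONTEXT_RULES.get(permission)
    return rule(context) if rule else True


# --- constructed sample subjects ---
carol = Subject("carol", {"employment_type": "FTE", "department": "Finance",
                          "grade": 8, "building": "HQ"})
dave = Subject("dave", {"employment_type": "Contractor", "department": "Engineering",
                        "grade": 3, "building": "Remote"})
erin = Subject("erin", {"employment_type": "FTE", "department": "Treasury",
                        "grade": 5, "building": "HQ"})

if __name__ == "__main__":
    print(sorted(derived_job_functions(carol)))
    print(grant_discretionary(carol, "PaymentsRelease"))
    print(access_decision(carol, "invoice:approve", {"network": "guest"}))
```

The mandatory layer never consults the discretionary one: a manager's grant of PaymentsRelease to carol is refused while her HR record puts her in Finance, and becomes grantable only once that attribute changes, which is the "mutually exclusive through segregation-of-duties rules" behaviour the paragraph describes.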
Advantages of Hybrid solution (RBAC and ABAC combo)
• The directory store is kept clean
• It is easy to give people access to the right resources for their
specific job functions
• With the right tools, user provisioning can in large part
be handled directly by business decision makers, saving IT the hassle
• Rolling out and decommissioning systems can be sped up and
handled with fewer personnel, reducing cost
• Access control procedures are standardized
• Risk is reduced through automation and standard audit
trails
For further discussion, please email us at info@srisys.net. One of our expert Identity and
Access Management consultants will be in touch with you.