RBAC controls that implement least privilege reduce data security risks and enhance data privacy, since only those who need access to sensitive data are actually granted it. Organizations also implement RBAC controls to meet regulatory requirements for security and privacy, since access to data is tightly controlled. Additionally, with RBAC in place, organizations can implement separation of duties with respect to access to and use of applications.
Roles, Permissions and Scopes
Let’s look at some of the relevant terms tied to RBAC.
The first is the idea of a role. Roles are defined around a user's job function: a user is assigned a role that carries a specific level of access, i.e., what they can and cannot do, as defined by the role's permissions.
Roles range from admin or superuser to user, editor, viewer, reader, etc., and each consists of a handful of permissions.
Once a role is created, permissions are assigned to define what that role is allowed to do. Permissions range from full privileges (edit and delete), to partial permissions (for example, drafting a policy without being able to approve and provision it), to view-only access to resources. Least privilege is very relevant here: assign the least amount of access necessary for an employee to get their job done.
To further enforce least privilege, scopes define or limit which resources a role's permissions apply to, so access is granted not only for the right actions (via the right role with permissions) but only on the right resources.
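The role, permission and scope model described above, as an added example that is not part of the original article: roles bundle permissions, a grant binds a role to a resource scope, authorization is deny-by-default, and a separate check flags separation-of-duties conflicts (one user able to both draft and approve in the same scope). All role names, scopes and users are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set

# A role is a named bundle of permissions (constructed example roles).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "admin":  frozenset({"view", "edit", "delete", "approve"}),
    "editor": frozenset({"view", "edit"}),   # may draft a policy, not approve it
    "viewer": frozenset({"view"}),
}

@dataclass(frozen=True)
class Grant:
    """A role assignment limited to a scope (here a resource-path prefix)."""
    role: str
    scope: str

@dataclass
class User:
    name: str
    grants: Set[Grant] = field(default_factory=set)

def is_allowed(user: User, permission: str, resource: str) -> bool:
    """Deny by default: allow only if some grant's role carries the
    permission AND the resource lies inside that grant's scope."""
    for g in user.grants:
        perms = ROLE_PERMISSIONS.get(g.role, frozenset())
        if permission in perms and resource.startswith(g.scope):
            return True
    return False

def _overlaps(a: str, b: str) -> bool:
    # Two path-prefix scopes overlap when one contains the other.
    return a.startswith(b) or b.startswith(a)

def sod_violations(user: User) -> Set[str]:
    """Separation of duties: return the scopes in which this one user can
    both draft ('edit') and 'approve', which should be split across people."""
    edit_scopes = {g.scope for g in user.grants
                   if "edit" in ROLE_PERMISSIONS.get(g.role, ())}
    approve_scopes = {g.scope for g in user.grants
                      if "approve" in ROLE_PERMISSIONS.get(g.role, ())}
    return {e for e in edit_scopes for a in approve_scopes if _overlaps(e, a)}

# Constructed users: alice edits HR policies only; bob is admin over HR
# policies and can view all policies, which creates a draft/approve conflict.
alice = User("alice", {Grant("editor", "policies/hr/")})
bob = User("bob", {Grant("admin", "policies/hr/"), Grant("viewer", "policies/")})
```

Running `sod_violations(bob)` reports `policies/hr/` as a conflict, the kind of finding an access review would raise before the grant is approved.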
Benefits of RBAC
There are a number of benefits of role-based access control, including:
- Rather than one-off, ad hoc granting of permissions, roles make access management well-defined and repeatable.
- Organizations can fulfill compliance obligations with respect to data privacy.
- It takes the mystery out of figuring out which users have which access permissions and privileges.
- It allows for clear separation of duties in enterprises.