Role-Based Access Control (RBAC) Explained
RBAC is associated with the idea of least privilege, where each user or process is only allowed minimal access to the information, data and resources needed to carry out their role, nothing more.
When putting role-based access controls in place, organizations must first determine what a particular user needs to do to carry out their job, and then create or assign the right role (a set of access policies) that permits only the specific tasks related to that position. If at some point in the future they need additional permissions, only then are their permissions expanded. The opposite approach, granting overly broad permissions up front and restricting them later, should be avoided.
Why is RBAC important?
RBAC controls that implement least privilege reduce data security risks and enhance data privacy so only those who must be given access to sensitive data are actually granted access. There are many instances in which RBAC controls are pertinent to your company. For example, these controls can help prevent an entry-level employee from stumbling across sensitive information that they might misinterpret. Controls can also keep employees from having access to a high-level task that they might attempt to work on and mess up.
RBAC controls can also be useful when a company shares information with contractors or third parties. RBAC can allow permissions to be limited to only the information needed for outside parties. With these controls you can be assured that sensitive company information is protected when sharing content.
RBAC controls come in handy especially during hiring. Traditionally, when hiring a new employee you go through the process of granting them permission to access various levels of data. When replacing a departing employee, you have to block that employee on multiple channels and change countless passwords so that the new employee can gain access to, and control over, the data.
With RBAC, onboarding new employees and replacing departing ones happens far more seamlessly. You simply update your settings so the departing employee no longer has access to the data and the new employee does, and the handover of information and data access goes much more smoothly.
What is more, organizations implement RBAC controls to meet the regulatory requirements for security and privacy since there is tight control over how data is accessed. This security can help build trust among clients and increase confidence that information shared with your company is kept private. Additionally, with RBAC in place, organizations can implement separation of duties with respect to access to and use of applications.
Roles, Permissions and Scopes
Let’s look at some of the relevant terms tied to RBAC.
The first is the idea of a role. Roles are created related to a user’s job, so a user will be assigned a role for specific levels of access, i.e., what they can or cannot do, defined by permissions.
Roles can range from admin or superuser, to user, editor, viewer, reader, etc. and each consists of a handful of permissions.
Once a role is created, permissions are assigned to define what that role is allowed to do. Permissions can range from full privileges to edit and delete, to partial permissions (for example, drafting a policy without being able to approve and provision it), to only being able to view resources. Least privilege is very relevant here: assign the least amount of access necessary for an employee to get their job done.
To further sharpen least privilege, we can add scopes, which define or limit the resources to which the access granted by a role's permissions applies.
Benefits of RBAC
There are a number of benefits of role-based access control, including:
- Rather than one-off, ad hoc granting of permissions, the roles in RBAC make access management well-defined and repeatable.
- Helping organizations fulfil compliance obligations with respect to data privacy.
- Taking the mystery out of which users hold which access permissions and privileges.
- Allowing for a clear separation of duties in enterprises.
RBAC with micro-segmentation example
Let’s look at an RBAC example for the creation and provisioning of micro-segmentation policy for an ERP application. The application owner knows the application best, so we’d like for them to create the policy, but we want administrators to review the policy and provision it.
For starters, the app owner is assigned a Limited Ruleset Manager role. That role has permissions of adding, editing, and deleting all segmentation rulesets. However, the scope of where they are able to operate is limited to the ERP application, wherever it may be in the development cycle and wherever the ERP app workloads may reside. In other words, they can only see and create policies for the ERP app.
Once the ERP owner has created the appropriate segmentation policies, a role with greater, “global” permissions will then review and provision (push live) the policy created by the application owner.
As you can see, RBAC allows for strong separation of duties between app owners and IT admins and organizations know precisely what someone assigned the role of ruleset manager can and cannot do.
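The following is an added example, not Illumio's code or its actual role and permission identifiers: a small RBAC checker that models the roles, permissions and scopes described above and the ERP micro-segmentation workflow. All permission names, scope labels and user names are constructed for illustration. Note that a permission only counts when the same role's scope also covers the application being acted on, and that the ERP owner's role never includes the provision permission.

```python
from dataclasses import dataclass
# Constructed example: permission names, scopes and users are hypothetical,
# not Illumio's actual identifiers.
ALL = "*"  # wildcard scope: the role may act on every application

@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset  # what the role may do, e.g. "ruleset.add"
    scopes: frozenset       # which applications it may do it to, or {"*"}

@dataclass
class Ruleset:
    app: str
    state: str = "draft"    # draft -> provisioned (pushed live)

class Rbac:
    def __init__(self, roles, assignments):
        self.roles = {r.name: r for r in roles}  # role name -> Role
        self.assignments = assignments           # user -> set of role names

    def allowed(self, user, permission, app):
        """True only if one of the user's roles carries the permission AND
        that same role's scope covers the application being acted on."""
        for role in (self.roles[r] for r in self.assignments.get(user, ())):
            in_scope = ALL in role.scopes or app in role.scopes
            if permission in role.permissions and in_scope:
                return True
        return False

    def create_ruleset(self, user, app):
        if not self.allowed(user, "ruleset.add", app):
            raise PermissionError(f"{user} may not add rulesets for {app}")
        return Ruleset(app)

    def provision(self, user, ruleset):
        # Provisioning is a separate permission the app owner never holds.
        if not self.allowed(user, "ruleset.provision", ruleset.app):
            raise PermissionError(f"{user} may not provision {ruleset.app}")
        ruleset.state = "provisioned"
        return ruleset

def build_demo():
    """Roles from the article: ERP owner scoped to ERP, IT admin global."""
    owner = Role("Limited Ruleset Manager",
                 frozenset({"ruleset.add", "ruleset.edit", "ruleset.delete"}),
                 frozenset({"ERP"}))
    admin = Role("Global Provisioner", frozenset({"ruleset.provision"}), frozenset({ALL}))
    return Rbac([owner, admin],
                {"erp_owner": {owner.name}, "it_admin": {admin.name}})
```

Running the checks shows the separation of duties working in both directions: the ERP owner can draft but not provision, and the admin can provision but not draft, and neither can touch an application outside their scope.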
The Difference between RBAC and ABAC
Role-based access control and attribute-based access control (ABAC) take different approaches, but both are types of access control methods.
ABAC allows access control based on different combinations of attributes that a system can recognize and organize. Examples of attributes include characteristics, action types, role, ID, security clearance, resource attributes, and so on. In comparison, RBAC allows access depending on the roles of users.
RBAC methods are the best place to start for basic business access control. ABAC controls can get more technical, and therefore more confusing if you aren't yet familiar with access control methods. However, both can be beneficial for any business or organization.
Best Practices for Implementing RBAC
Implementing RBAC can seem daunting at first. However, implementing and using RBAC will allow your organization to run more seamlessly and efficiently. Below we’ll list best-practices to keep in mind when implementing role-based access control into your company.
- Current Roles: It can be hard to differentiate between roles within your company. However, establishing roles is essential in role-based access control to make sure employees are only given access to the information they need. Begin by creating roles for groups that share the same access needs. For example, you can create a basic access role that has access to email and the corporate intranet. Next, create roles that correspond to different positions within the organization, and then create roles for third parties that need access to information within your organization. Keep in mind that you want to avoid creating too many roles, so that the scheme stays role-based rather than degenerating into user-based access control.
- Role Assignments: Next, go through each role and assign the resources that each person within that role would need access to, for example email, management systems, or specific databases.
- Write a User's Guide: It’s important to write down all of the roles and access available to each of these roles. This step will help you in the implementation process better analyze what is going well and what can be improved. A User’s Guide will also help you when assigning roles in the future to remember what access is granted to each person within that role.
- Implement Changes: Once you have roles written, applications assigned, and a user’s guide finished, assign employees to each role and go live. This can be the scariest part, but warn your employees beforehand and have all hands on deck ready to help in the adjustment during the first few weeks to help the process run more smoothly.
- Conduct Training: It’s likely that your employees may experience some frustration with changes within the company. This is to be expected with any changes, especially software transitions. To help things run more smoothly, conduct trainings for your employees before and after implementation to help them become more familiar with the changes, and feel more confident moving forward.
- Learn and Adapt: After implementation, remember to periodically conduct audits of your employees, their roles and security status. It’s likely that in the first few weeks and months of implementation that frequent changes will need to be made. After things start running more smoothly, continue to audit and adjust where necessary to ensure the best company security.
Illumio can provide you with the software needed to implement RBAC effectively into your company or organization.