What is Role-Based Access Control (RBAC)?Link to this section
As your team grows, it can become increasingly complex to know exactly who has access to company information and resources.
One common way of assigning permission levels is through Role-Based Access Control (RBAC). After authentication has taken place and a user’s identity has been verified, RBAC is the access management protocol responsible for assigning permissions.
If you’ve been considering this type of protocol you may have come across a few different ways to implement it. Let’s have a look at one particular type, RBAC, or role-based access control. This type of control is dependent on categorizing users into common groups based on shared responsibilities (that’s the ‘roles’ part). The roles then determine the level of access granted to each user.
If you’re not sure if RBAC or ABAC is right for you, it’s important to understand the advantages and disadvantages of each protocol to make an informed decision about which approach is right for your company.
Role-based access control (RBAC) definedLink to this section
RBAC (or role-based access control) is an authorization mechanism that managers users’ level of access. Resource permissions are assigned and regulated by the admin team, based on the user’s role within the organization.
Admins analyze the needs of the user and group them into ‘roles’. These roles ensure users are only granted access to relevant records and resources. Limiting levels of access and permissions helps to boost security, limiting any security concerns to a select set of resources rather than the entire platform.
How does RBAC work?Link to this section
It goes a little something like this: User > Role > Rights.
RBAC follows a two-step process, defining the user-role and role-permissions relationship. Access privileges relate to the role the individual plays in the organization, followed by the permissions assigned to their role. By assigning roles to users, rather than individualizing access, RBAC helps to reduce access and permission errors, too.
For example, access may be limited to creating, editing, or viewing a file, depending on the factors such as authority or competency. Someone in Accounts may be able to access and modify payroll information but only be allowed to view their own individual employee details.
On the flip side, someone in HR may only be able to view their own payroll information, but have access and the ability to modify other employees’ details (as it’s a core function of their job).
The general protocol is to operate RBAC under a ‘least privilege’ model. This helps to reduce the chances of the wrong resources being shared with the wrong people. If security breaches happen, this approach also makes it easier to pinpoint intruders and understand who had authorized access in the first place.
There’s a level of flexibility too, as it is possible to assign multiple roles to individual users.
How are roles defined?Link to this section
Roles generally share a common characteristic or responsibility. With RBAC you might group users into roles based on some of the following characteristics:
- The user’s department
- The location of the users
- Seniority or responsibility of the user
- The associated work duties of the user group
Permissions can then be granted based on those roles. Some questions you might use to assign permissions might be:
- What can the user access and for how long?
- What operations are available to this user, are the documents view-mode only, or can this user modify the resource?
- When does the user’s sign-in expire?
There are generally four subtypes of RBAC:
Flat - employees have at least one role assigned to them, and some users may have multiple roles.
Hierarchical - the definition of how roles work together is determined by seniority. Senior users have access to the same resources as any employee working under them, but also have their own roles.
Constrained - to increase security multiple users can work on one task together, with separate duties added to the role.
Symmetrical - access permissions are frequently reviewed and updated.
These subtypes are buildable and layering is possible, as well as adding in new security measures, too.
The benefits of RBACLink to this section
The ease of use with RBAC is a big drawcard. The policy doesn’t need to be updated when one employee leaves their position and moving an employee to a new role is relatively straightforward.
Privileges are easy to assign and any mistakes are quickly identified and corrected. These systems of permissions can also be systematically applied to all new users.
Admin and IT support work is reduced which can be beneficial from an economic standpoint. Assigning access via user accounts also helps reduce the need for password changes or resets. Further easing the workload on the backend.
RBAC also allows for easy integration of third-party users, by granting them clear and limited access to resources.
The use of the least privilege principle within RBAC helps mitigate the risk of corruption or resources falling into the wrong hands. Executives, working with the IT department, are able to grant and assign access to users, giving these parties extra control over how data is being distributed and accessed.
For companies in the healthcare and finance industries, this extra security around protecting sensitive data can help in meeting compliance obligations.
RBAC vs ABACLink to this section
What is ABAC?Link to this section
While attribute-based access control (ABAC) and RBAC sound similar, there are a few key differences. While these two protocols answer the question of what data a user can access, the mechanisms to get there are different.
While RBAC uses a more rigid user > role > permission approach, ABAC can be a little more flexible. Protocols determine what a user can access based on multiple attributes that may differ from sign-on to sign-on, even with one singular user. But what does this mean?
The user may be able to access different parts of the platform based on three key details:
- The user: access levels are determined by the typical daily tasks of the user, their seniority level, or job title.
- Resource attributes: access may be determined by who the original owner of the data is, the type of file it’s stored as, or the sensitivity of the data.
- The environment: access may change for the user depending on where the data is being accessed from, the time of day it’s being accessed, or the date.
The comparisonLink to this section
RBAC and ABAC are responsible for managing data distribution and access. The main difference is the control method of determining access. RBAC grants access based on roles, which ABAC grants access based on more flexible parameters.
The rigidity of RBAC makes it safer and easier to manage, particularly with smaller workspaces. However, the risk of RBAC is what’s called ‘role explosions.’ This term refers to an explosion of hundreds or even thousands of ‘roles’ in order to get the flexibility that can be offered by ABAC.
ABAC’s parameters are granular, making customization easier. However, any fixes to the system of set parameters are timely and costly. Mistakes are not as easily fixed as they are in RBAC. ABAC also requires more time and effort to get the specifics right, particularly at set-up.
For bigger teams looking for flexibility, a hybrid approach of RBAC and ABAC might be preferable. But for teams of 15 or fewer, RBAC is a relatively standardized approach.
Best practices for implementing RBACLink to this section
In order to make the transition as easy as possible, and reduce confusion within the team, here are some things to consider before making the jump to RBAC.
First, make sure you fully understand your current data situation. Consider what software, application, or platform is currently in use and the security protocols in place. Generally, this will be in the form of a username/email and password. Is physical security necessitated to keep your data safe - this might be a server room etc? Make a list of all users who require access to your programs
As RBAC’s security is based around roles, try to create an organized list of teams, responsibilities, and roles. This may not currently be in place. But it is important to think about how access would be granted based on common roles within your enterprise before jumping in.
Now that you’ve done some brainstorming it’s time to develop a possible policy. Any changes to access and security will need to be communicated clearly to your team. To avoid any confusion when implementing RBAC a set document of policies will help reduce any fiction.
You’ve got your policy drafted, now it’s time to implement the changes. Dive right in and update your security status.
No plan is incomplete without mentioning a review process. Security of digital data requires routine check-ins and changes, particularly in the early stages. Remember to consider how well the process is working within the team, and how security levels have changed.
Having a policy and protocol in place for securing data and implementing firm access rights can help increase the safety of digitalized resources and information.
While RBAC and ABAC both have their places, a streamlined combination of the two is often the most practical way to get the ease out of the former and the granularity out of the latter, creating a truly unique approach to data security and access control.