I have been on many projects where clients say they want some sort of RBAC (Role Based Access Control) solution, but they don’t seem to be aware of the work involved or the payoff it can bring to an organization. Before going any further, I quickly want to go over what RBAC is. RBAC is a way of managing access within an organization: similar access rights are grouped into roles, and the roles are assigned to users, either directly or driven by policies or attributes such as location. When a company begins with RBAC, one of the most important questions to ask is ‘What is your goal with using RBAC?’ There are many different answers to this, but I normally structure them into four categories: Security, Compliance, Efficiency and Agility. Each focus calls for a different approach to beginning with and utilizing RBAC. I will be discussing the two that I hear most often: Security and Efficiency.
Let’s start with Security, since I believe this is the most requested. Companies that focus on RBAC from a security point of view have either found, or had incidents caused by, users whose rights break a security policy. This can be anything from a toxic rights combination (for example, a user who has the rights to both create and approve their own expense reports, a classic segregation-of-duties violation) to a user who has left the company but can still access company assets. Whatever the reason, the most important thing to begin with is getting control over what you currently have. This can be done through an Attestation or Certification campaign for the organization. This process goes through the current rights assignments and lets managers or application owners attest whether each user should still have their access. While this process is going on, it is important to start role mining (analyzing your user-to-access relationships) or building a role model to ensure control and
The second one is Efficiency. This one looks very different from one organization to the next. It can begin with automating onboarding and offboarding, or it can be as simple as the service desk being overwhelmed with access requests. These issues tend to be the bottleneck of an organization as well as its most expensive access-management cost. To ease the situation and begin to improve things, my approach would be to begin with role mining and identify the locations or applications with the highest overhead or cost. From there you can develop a role model in steps, starting with the applications you identified, and start making changes immediately. This improves the organization’s processes while the rest of the role model is being built.
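To make the Security and Efficiency starting points above concrete, here is a small added example (my own illustration, not code from the original post or from any product) of what an attestation campaign and a first role-mining pass actually compute. It takes a constructed user-to-entitlement matrix and a constructed HR status feed, flags toxic combinations (the create-and-approve case), flags users who have left but still hold access, and then proposes candidate roles by grouping users who share an identical entitlement set. All user names, entitlement names and segregation-of-duties rules are invented for the example.

```python
"""Added example (not from the original post): a minimal attestation and
role-mining helper over a constructed entitlement matrix.

It shows three checks a first RBAC pass would run:
  1. toxic (segregation-of-duties) combinations held by one user,
  2. departed users who still hold access ("orphaned" access),
  3. candidate roles mined by grouping users with identical entitlements.
Users, entitlements and rules below are invented sample data."""
from collections import defaultdict

# Constructed sample data: user -> set of entitlements ("application:permission").
ASSIGNMENTS = {
    "alice": {"expenses:create", "expenses:approve", "hr:view"},
    "bob":   {"expenses:create", "hr:view"},
    "carol": {"expenses:create", "hr:view"},
    "dave":  {"expenses:approve", "ledger:post"},
    "erin":  {"expenses:approve", "ledger:post"},
    "frank": {"vpn:connect", "ledger:post"},
}

# Constructed HR feed: user -> employment status (the authoritative "should still be here" source).
HR_STATUS = {
    "alice": "active", "bob": "active", "carol": "active",
    "dave": "active", "erin": "terminated", "frank": "terminated",
}

# Hypothetical segregation-of-duties rules: no single user may hold both sides of a pair.
SOD_RULES = [
    ("expenses:create", "expenses:approve"),   # create and approve your own expense report
    ("ledger:post", "ledger:reconcile"),       # post and reconcile the same ledger
]


def find_sod_violations(assignments, rules):
    """Return sorted (user, (left, right)) pairs where one user holds both sides of a rule."""
    hits = []
    for user, rights in assignments.items():
        for left, right in rules:
            if left in rights and right in rights:
                hits.append((user, (left, right)))
    return sorted(hits)


def find_orphaned_access(assignments, hr_status):
    """Users the HR feed does not list as active but who still hold any entitlement.

    A user missing from the HR feed entirely is treated as orphaned as well:
    if HR cannot vouch for the account, nobody should be attesting its access."""
    return sorted(user for user, rights in assignments.items()
                  if rights and hr_status.get(user) != "active")


def mine_candidate_roles(assignments, min_members=2):
    """Simplest form of role mining: group users by identical entitlement set.

    Each group with at least `min_members` users becomes a candidate role,
    returned as (sorted entitlements, sorted members), largest groups first."""
    groups = defaultdict(list)
    for user, rights in assignments.items():
        groups[frozenset(rights)].append(user)
    roles = [(sorted(rights), sorted(users))
             for rights, users in groups.items() if len(users) >= min_members]
    roles.sort(key=lambda role: (-len(role[1]), role[0]))
    return roles


def attestation_report(assignments, hr_status, rules):
    """Combine the checks into one report.

    Role mining is run over active users only: mining over the raw matrix would
    bake departed users' leftover access into the proposed roles."""
    active = {u: r for u, r in assignments.items() if hr_status.get(u) == "active"}
    roles = mine_candidate_roles(active)
    covered = {user for _, members in roles for user in members}
    return {
        "sod_violations": find_sod_violations(assignments, rules),
        "orphaned_access": find_orphaned_access(assignments, hr_status),
        "candidate_roles": roles,
        # Share of active users whose access is fully explained by a mined role.
        "role_coverage": len(covered) / len(active) if active else 0.0,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(attestation_report(ASSIGNMENTS, HR_STATUS, SOD_RULES), indent=2))
```

On the sample data the report flags alice for the create/approve combination, lists erin and frank as departed users who still hold access, and proposes one candidate role (expenses:create plus hr:view, shared by bob and carol). Note that mining over the full matrix would also have proposed a second role from dave and erin, even though erin has left; that is why the report restricts mining to active users, and why attestation and role mining should run together rather than one after the other.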
As you can see, there is no ‘one answer’ to beginning with Role Based Access Control. It is important to determine what the business needs in order to decide which first step works best for the organization. In my next post I will go more in depth on beginning with role mining and with attestation or certification.